Mr. Obama? Don't forget the cyberwar threat
A 96-page report released Monday by the Center for Strategic and International Studies paints a gloomy picture of where America stands in the matter of infowar. (Hint: "Stands" may be too optimistic a verb.)
The report is blunt: We're in trouble, our laws are out of date, we need leadership from the White House, and money (public and private) must be applied to the problem. Only a plan that respects privacy and civil liberties will do, and only a comprehensive policy covering both domestic and international situations will work.
It's hard to turn the course of government on a DIME, but that strategy -- combining Diplomatic, Intelligence, Military, and Economic efforts -- is the commission's recommendation. (Law enforcement's mentioned too, but DIMELE just doesn't have the same change-redolent jingle, does it?)
Cyberwar isn't something out of "Strangelove." We've been drilling for it for years -- and some observers would suggest that we've been engaging in it, too. Over just the past year, the Departments of Defense, State, Homeland Security, and Commerce, along with NASA and the National Defense University, have all been targeted by hack attacks from outside our borders, and those are the ones we know about. As recently as last week, the Department of Defense was forced to scramble in response to an old-but-tweaked worm that made its way onto both NIPRNet and SIPRNet through, allegedly, USB drives left scattered in parking lots.
The report calls for a strong statement from the White House that our cyber-infrastructure is a vital asset, and that we'll protect the asset with "all instruments of national power" to assure our security, safety, prosperity, and ability to deliver critical services.
In fact, it's hard to imagine language much stronger landing on the desk of an incoming president in, well, any economy but the current one.
"The United States must treat cybersecurity as one of the most important national security challenges it faces," the report says. Calling the previous administration's Comprehensive National Cybersecurity Initiative "good but not sufficient," it describes cybersecurity as "a strategic issue on par with weapons of mass destruction and global jihad."
The report also calls for a new National Office for Cyberspace, to work with the National Security Council (NSC) -- and says that it needs to be based in the Executive Office of the President. In addition, the report suggests establishing a Cybersecurity Directorate in the NSC that absorbs the functions of the Homeland Security Council (HSC). The HSC was formed in the aftermath of 9/11 and has heretofore been separate from the NSC. Existing agencies would keep their current operational abilities; for instance, DHS would retain control of US-CERT.
Privacy watchdogs will be interested to see the report's thinking on identity management. The report advocates for the use of strong identity authentication for critical cyber-infrastructures, and fast -- the President should have a progress report within six months. But there's at least some serious thought about how to keep online entities, particularly businesses, from abusing new standards for credentials. The FTC, in its GLBA-enforcement aspect, would be in charge of riding herd on that.
The government's own standards for maintaining security also need an overhaul. The report calls for a rewrite of the Federal Information Security Management Act (FISMA) to introduce performance-based security measurements, which ought to unnerve those charged with passing those FISMA audits. And civilian agencies and national security programs are to move onto an equal legal footing when it comes to tech standards; risk-based standards covering all federal IT systems are to be developed.
The CSIS Commission on Cybersecurity for the 44th Presidency has been working on the report since August 2007; its work included dozens of meetings and briefings with government and private-sector officials as well as multiple congressional hearings and briefings. The commission's chairs were Rep. Jim Langevin (D - R.I.), Rep. Michael McCaul (R - Tex.), Air Force Lt. Gen. Harry Raduege (ret., currently with Deloitte), and Microsoft Corp. VP for Trustworthy Computing Scott Charney. CSIS is bipartisan and nonprofit.