Tuesday, December 09, 2008

Securing Cyberspace in the 44th Presidency: Part Two

Yesterday I provided some context for the Center for Strategic and International Studies report which was published yesterday:

Securing Cyberspace for the 44th Presidency

The co-chairs of the committee, which was directed by James Lewis, were:
Representative James R. Langevin
Representative Michael T. McCaul
Scott Charney, Microsoft
Lt. General Harry Raduege, USAF (Ret)

I'll leave the interested reader to read the full list of committee members in Appendix A, but I was pleased to see many active voices for cybersecurity and information sharing among them, including many that I met through InfraGard. Just to name a few: Peter Allor (who was presenting at an InfraGard National Conference when I met him, the day ISS became IBM ISS); Jerry Dixon, former NCSD director for DHS and now the VP of Government Relations for InfraGard; Greg Rattray, who was the Director for Cyber Security on the White House National Security Council staff before there even was a DHS (and an advisor to InfraGard's National Board); Tom Kellermann (a New York InfraGard member), who worked closely with the World Bank; Paul Kurtz; Marcus Sachs of the SANS Internet Storm Center (and Verizon); Phyllis Schneck, who has been active in InfraGard for longer than my own seven years; Michael Vatis, who led the NIPC back when InfraGard was partnered with its National Infrastructure Protection Center efforts; and Amit Yoran, who was the original NCSD director and spoke at the June 2004 InfraGard National Conference.

The report consists of seven major chapters, which are bookended by the concept that we are in a Hidden War, and that we need to WIN the Hidden War.

The Introduction compares our current status to "the invisible struggle" between Britain and Germany over Ultra and Enigma.

The United States is in a similar situation today, but we are not playing the role of the British. Foreign opponents, through a combination of skill, luck, and perseverance, have been able to penetrate poorly protected U.S. computer networks and collect immense quantities of valuable information. Although the most sensitive U.S. military communications remain safe, economic competitors and potential military opponents have easy access to military technology, intellectual property of leading companies, and government data. These potential opponents have not hesitated to avail themselves of the opportunities presented by poor cybersecurity.

America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009. It is, like Ultra and Enigma, a battle fought mainly in the shadows. It is a battle we are losing.

Summary of Recommendations

  • Create a Comprehensive National Security Strategy for Cyberspace
    • Presidential statement that cyberspace is a vital asset and that the United States will protect it
    • Create a National Office for Cyberspace (NOC) within the Executive Office of the President
    • Open discussion on how best to secure cyberspace

  • Organizing for Cybersecurity
    • Establish a Cybersecurity Directorate in the National Security Council
    • Support the same from the new NOC, which should absorb the National Cyber Security Center and the Joint Inter-Agency Cyber Task Force
    • NOC assumes additional responsibilities, including FISMA
    • Three new Public-private advisory groups
    • Continue DHS US-CERT relationships with all federal agencies

  • Rebuilding Partnership with the Private Sector
    • Creation of three new public-private agencies

  • Regulate for Cybersecurity
    • Task the NOC to work with appropriate regulatory agencies to secure critical cyber infrastructures

  • Secure Industrial Control Systems and SCADA
    • NOC should work with NIST to develop Industrial Control System standards
    • NOC should continue to determine the extent to which government-owned infrastructures are secure from cyber attack

  • Use Acquisitions Rules to Improve Security
    • NOC and the CIO Council should develop and implement security guidelines for IT procurement
    • NSA and NIST should reform National Information Assurance Partnership
    • Secure Internet protocol use should be increased.

  • Manage Identities
    • US should make strong authentication, including "robust in-person proofing" mandatory for critical cyber infrastructures
    • US should allow use of strong government-issued credentials for online activities
    • FTC should protect consumers by requiring businesses to use strong credentials for online activities
    • Government agencies not using HSPD-12 compliant credentials after one year should have bonuses or awards restricted

  • Modernize Authorities
    • DOJ should reexamine statutes governing online crime and investigations to increase clarity, speed investigations, and better protect privacy
    • The Attorney General should issue guidelines for cyber incident response by law enforcement, military, or intelligence authorities

  • Revise FISMA
    • Congress should rewrite FISMA to use performance-based measurements of security

  • End the Division Between Civilian and National Security Systems
    • Legislation should be proposed that adopts a risk-based approach to all federal computer security

  • Conduct Training for Cyber Education and Workforce Development
    • NOC and OPM should create training programs and career paths to enhance the federal cyber workforce and work with NSF to develop national education programs

  • Conduct Research and Development for Cybersecurity
    • NOC and Office of Science and Technology Policy should provide overall consideration of cybersecurity R&D. The US should increase its investment in longer-term R&D designed to create a more secure cyber ecosystem.

A summary at the beginning of the report gives 25 recommendations.

One of the recommendations is DO NOT START OVER.

"Let us be clear on the Bush administration's Comprehensive National Cybersecurity Initiative (CNCI): It is good but not sufficient. The next administration should not start over; it should adopt the initial efforts of the initiative, but it should not consider it adequate."

Regarding DHS, the report states:

We had a long and impassioned debate within the Commission over DHS's roles and responsibilities. Many felt that leaving any cyber function at DHS would doom that function to failure. ... The nature of our opponents, the attacks we face in cyberspace, and the growing risk to national and economic security mean that comprehensive cybersecurity falls outside the scope of DHS's competencies. DHS is not the agency to lead in a conflict with foreign intelligence agencies or militaries or even well-organized international cyber criminals.

Securing cyberspace is no longer an issue defined by homeland security or critical infrastructure protection. This is far too narrow a scope.

As a Computer Forensics Researcher, of course I appreciated the call in the section "Expand and Focus Research and Development for Cybersecurity":

The federal government plans to spend about $143 billion in 2009 on R&D. We estimate that two-tenths of 1 percent of that will go to cybersecurity. To put this in context, the president's fiscal year 2009 budget requests $29.3 billion for life science research, $4.4 billion for earth and space science, $3.2 billion for the Advanced Energy Initiative, $2.0 billion for the Climate Change Science Program, and $1.5 billion for nanotechnology. The National Information Technology R&D (NITRD) programs will receive $3.5 billion. Cybersecurity R&D will receive about $300 million.

The report recognizes that many others, including the new Comprehensive National Cybersecurity Initiative, have called for an increase in cybersecurity research funding, but points out that much of what we have at NITRD "exists largely as a passive compilation of R&D activities by the NSF and various funding agencies rather than a driver of an aggressive research agenda."
