In an election season dominated by concerns over the economy and the war in Iraq, cybersecurity hasn’t exactly been a top issue for the candidates or voters.
But it’s a topic the next administration will need to focus on — and as a high priority, according to several tech industry representatives, including two former officials at the U.S. Department of Homeland Security (DHS) and a former White House cybersecurity czar.
Driving that urgency: the growing danger of cyberattacks against critical networks and systems that run the financial services and energy sectors, as well as those used by the government and the military. Those attacks could come from opportunistic nation-states as well as from criminal adversaries, they said.
“There is not a doubt in my mind that the time for action, and dramatic action, is now,” said Amit Yoran , former director of the National Cyber Security Division (NCSD) of the DHS and now CEO of NetWitness Corp. “Without a comprehensive national cybersecurity initiative, things are going to end up in a very bad way.”
Among the areas needing immediate attention, according to Yoran and others are a greater focus on public/private sector collaboration; more transparency around an unfolding multi-billion cyber-security initiative announced earlier this year by President Bush ; greater security R&D investments; and more direct involvement by the White House.
The task of protecting critical infrastructure targets against attacks was spelled out earlier this year by DHS Secretary Michael Chertoff as an issue with national security implications . It’s a topic that has been the focus of attention since the terrorist attacks of Sept. 11, 2001 and has resulted in enormous investments to — and changes in — the nation’s cyberdefenses.
The biggest of these was the decision to tap the DHS to lead the nation’s cybersecurity efforts and the launching of the mostly-classified Comprehensive National Cybersecurity Initiative by President Bush in January. How successful those efforts have been remains in doubt; Chertoff himself admitted that five years after the DHS was created the nation remained dangerously vulnerable to electronic attacks from those looking to wreak the same kind of havoc on networks as the 9/11 attacks did in New York and Washington, D.C.
As a result, it is critical for the next administration “to continue the efforts that this government has already started,” said Ken Silva, chief technology officer at Verisign Inc. “This is one of the few times that we are here, this close to an election, when we know the current administration is going to change, and yet none of the cyber initiatives have been scaled back” or dropped Silva said.
One area most in need of immediate attention is private and public sector collaboration. By most accounts, the private sector owns and operates between 85% and 90% of the critical infrastructure that needs protection, and there should be a way to ensure that the it has a more active role in protecting that infrastructure, said Andy Purdy, co-director of the International Cyber Center at George Mason University and former White House cyber czar.
Most public/private partnerships today are little more than vulnerability-information sharing exercises that have done little to bolster security. But it is vital that the private sector and the government work as equal partners to build better situation awareness and recovery capabilities, Purdy said. “We need to try and encourage the government to make the private sector a true partner in the assessment and mitigation of risk. The dependence and inter-dependence of government and private sector companies” makes better collaboration a must.
An effort needs to be made to encourage “talent from the industry” to act on cyber-risk assessment and mitigation efforts, said Jerry Dixon, former director of the NCSD and vice president of government relations with the InfraGard National Members Alliance.
In the past, when the government shared information about infrastructure vulnerabilities with the private sector, not everyone has taken advantage of it, Dixon said. He pointed to a dangerous vulnerability in the nation’s power infrastructure that was discovered by the Energy Department’s Idaho National Laboratories. Despite efforts to correct problems by the governmen, only the nuclear sector applied the fix. The response from the rest of energy sector was “abysmal,” he said.
The next president would do well to make Bush’s cyber-initiative more transparent, Yoran said.
The multi-billion dollar presidential directive calls on multiple agencies, including the National Security Agency (NSA), to work together to improve the security of federal systems, which have routinely been criticized in congressional report cards and in reports issued by the Government Accountability Office . Since the effort was disclosed in January, few specifics have been released — except that it involves a massive network consolidation effort called Trusted Internet Connections as well as plans to revamp a network monitoring technology called Einstein . That lack of information has spooked some politicians and privacy advocates, especially because of the NSA’s involvement.
“A vast amount of this initiative would have to be done at an unclassified level,” Yoran said. For the effort to be truly effective, “the people in the trenches” need to be able to share and use information as much as possible without secrecy limitations.
In addition, a commission established last November by the Center for Strategic and International Studies (CSIS) suggests that the White House take more responsibility for leading national cybersecurity efforts. The commission, of which Yoran is a member, is working on a set of cybersecurity recommendations for the 44th Presidency.
One of the most significant is that the next administration should consider taking a direct role in coordinating cyberdefenses because the DHS has so far failed in that role. The commission said it is arguing for a more direct White House role because it believes that only the president’s office has the authority and the oversight needed to pull the effort together.
Meanwhile, both presidential candidates themselves have said they would make information security a top priority.
In a position paper released in July, Sen. Barack Obama, D-Ill. , noted that as president he would declare cyber infrastructure a strategic asset “vital to national security and the global economy.” The paper noted that an Obama administration would strengthen federal oversight on cyber issues and create a national cyber advisor reporting directly to the president. In addition, Obama would push for more research and development for secure systems and networking technologies capable of withstanding cyberattacks.
In a similar position paper expressing his views on various Homeland Security challenges, Arizona Republican Sen. John McCain ‘s campaign noted that a McCain administration would give cybersecurity “priority attention.” It noted that the candidate would offer “full support” for the U.S. Computer Emergency Readiness Team (U.S.-CERT) and the National Cyber Response Coordination Group for coordinating all defenses against and responses to a cyber attack.