A congressionally sponsored study conducted by the Center for Strategic and International Studies, made public on Monday, recommends everything from the creation of a the National Office for Cyberspace outside the authority of the Department of Homeland Security to maintaining “sufficient manufacturing capabilities” at home to supply components and software that is not dependent on a global supply chain.
The report also states that when it comes to regulating cyberspace, “voluntary action is not enough,” and calls on the U.S. — it did not identify what entity in the U.S. — to assess and prioritize risks in order to set minimum cyberspace security standards.
On the issue of the Department of Homeland Security and maintaining cybersecurity, the comprehensive 64-page report, titled Securing Cyberspace in the 44 th Presidency, was emphatic.
“Many felt that leaving any cyber function at DHS would doom that function to failure,” according to the report, which went on to state that a comprehensive approach to cybersecurity “falls outside the scope of DHS’s competencies.”
One of the more far-reaching conclusions of the committee that may have unexpected consequences is the inclusion of the private sector under the umbrella of national security. In going beyond anything stated in the past about our economic well-being and national security it is implying that private enterprise may have to comply with new security regulations.
Time and again the report references our economic well-being and calls for a “public-private partnership for cybersecurity.”
Under the heading “Rebuilding Partnership with the Private Sector,” the committee offers three recommendations to build trust between company executives and the government: a Presidential Advisory Committee; a town hall national stakeholders organization as a platform for discussion; and a Center for Cybersecurity Operations (CCSO) for public and private sector entities to collaborate and share information on critical cybersecurity in a trusted environment.
As the private sector continues to be used by the government for products and services ranging from data warehousing to building jet fighter planes, the relationship between national security and the private sector becomes more and more blurred, according to the report.
Tom Kellerman, chair of the commission’s Threats Working Group said that over 100 countries have been identified as using military-level cyber technology to aid their national companies in stealing intellectual property.
“Many of these countries endow [their] national corporations with cyber espionage capabilities so as to steal intellectual property for the sake of economic advantage.”
The report also calls on President-elect Obama to offer legislation that “eliminates the current legal distinction between the technical standards for national-security systems and civilian-agency systems.”
Committee members elaborated on their call for regulation by saying it should avoid “prescriptive mandates” but at the same time not have an “over reliance on market forces.”
While saying that regulations would fill the gap between what is currently being implemented and the requirements for national security, the report stated, “We also reject the oft-heard argument that ‘voluntary regulation’ provides the right solution.
With privacy and civil liberties in mind, the committee also called for strong authentication for access to infrastructure deemed critical. Strong security would be a “mandatory requirement for critical cyber infrastructures which include telecom, energy, finance, and government services.”
At the same time, the committee recommends regulations that protect consumers by preventing companies from “requiring strong government-issued or commercially-issued credentials for all online activities.”
However, if private enterprise is identified as part of our critical infrastructure this may become somewhat problematic.
The committee also calls on Congress to modernize the current statutes that deal with technology.
A couple of months ago, the government said it will revamp acquisition rules to guard against malicious code embedded in electronic products
What may face the most sustained criticism in the report is its call for a new cybersecurity superstructure with new departments and new chiefs.
Among the new organizations recommended are the National Office for Cyberspace under the Executive Office of the President, the appointment of an Assistant for Cyberspace, and the establishment of an NSC (National Security Council) Cybersecurity Directorate as well as a Presidential Advisory Committee under the Federal Advisory Committee Act and a Center for Cybersecurity Operations.
In what can only be called an unfortunate analogy in the introduction to the report, the writers of the report hearken back to England’s struggle during World War II to break the Germans’ secret, encrypted code and decrypt German communications. Using that struggle between two warring countries as an analogy, the introduction to the report on Securing Cyberspace states, “The United States is in a similar situation today, but we are not playing the role of the British.”
The commission was made up of both private sector and government security experts with the goal of creating a single, coherent strategy for cybersecurity that becomes an umbrella of standards to secure cyberspace whether those efforts are private or public.