Tuesday, January 13, 2009

Distilled vol.1,1 - Securing Cyberspace for the 44th Presidency.


Abstract

This article attempts to distill the some 80-odd pages of the full report compiled by the CSIS Commission on Cybersecurity for the 44th Presidency. The method used is to extract the exact key sentences with no paraphrasing or rewording unless necessary for readability. The author, or more aptly the editor, has in his opinion accomplished this task in a mere 13 pages, and he feels that a responsible representation of the key facts and strategies has been preserved. If you find this information to your liking, the full 80-page report can be found here:

http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf

Takeaways from the Executive Summary

The Commission’s three major findings are: (1) cybersecurity is now a major national security problem for the United States, (2) decisions and actions must respect privacy and civil liberties, and (3) only a comprehensive national security strategy that embraces both domestic and international aspects of cybersecurity will make us more secure.

The acronym DIME – diplomatic, intelligence, military and economic (with law enforcement a crucial addition) – points to the elements needed for a truly comprehensive solution.

The commission proposes a new office for cyberspace in the Executive Office of the President.

Government must recast its relationship with the private sector as well as redesign the public-private partnership to promote better cybersecurity.

Summary of Recommendations: key aspects

1. Create a Comprehensive National Security Strategy for Cyberspace.

2. Organize for Cybersecurity
* Establish a Cybersecurity Directorate in the National Security Council
* A new National Office for Cyberspace (NOC) would support the work of the new assistant to the president for cyberspace and the new Cybersecurity Directorate of the NSC.
The NOC would:
-Assume expanded authorities, including revised FISMA, TIC and FDCC, and requiring agencies to submit budget proposals relating to cyberspace for approval prior to submission to the OMB
-Manage both a new federated regulatory approach for critical cyber infrastructures and a collaborative cybersecurity network across the federal government
-Help develop the national strategy and oversee its day to day implementation and the performance of agency elements in securing cyberspace.

3. Partner with the Private Sector
* Create a presidential advisory committee under FACA
* A town hall style national stakeholders organization
* The new Center for Cybersecurity Operations (CCSO).

4. Regulate for Cybersecurity.

5. Secure Industrial Control Systems and Supervisory Control and Data Acquisition.

6. Use Acquisition Rules to Improve Security.

7. Manage Identities.

8. Modernize Authorities.

9. Revise the Federal Information Systems Management Act.

10. End the Division between Civilian and National Security Systems.

11. Conduct Training for Cyber Education and Workforce Development.

12. Conduct Research and Development for Cybersecurity.

Introduction: The Hidden Battle

America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office on January 20th, 2009. It is, like Ultra and Enigma, a battle fought mainly in the shadows. It is a battle we are losing.

The immediate risk lies with the economy. Most companies’ business plans involve the use of cyberspace to deliver services, manage supply chains, or interact with customers. Equally important, intellectual property is now stored in digital form, easily accessible to rivals.

In the new global competition, failing to secure cyberspace puts us at a disadvantage.

In 2007, the DoD, DoS, Homeland Security, Commerce, NASA and National Defense University all suffered major intrusions by unknown foreign entities. DoD officials told the commission that the department’s computers are probed hundreds of thousands of times each day.

Senior representatives of the intelligence community told the commission that they had conclusive evidence, covertly obtained from foreign sources, that U.S. companies have lost billions in intellectual property. The evidence is both compelling and overwhelming. Ineffective cybersecurity and attacks on our information infrastructure in an increasingly competitive international environment undercut U.S. strength and put the nation at risk.

America’s power, status, and security in the world depend in good measure upon its economic strength; our lack of cybersecurity is steadily eroding this advantage.

Create a Comprehensive National Security Strategy for Cyberspace

The reputation of the United States has been badly tarnished, and our failure to defend cyberspace, despite huge informational losses, has encouraged our opponents to increase their attacks.

We are not indispensable, a hegemon, or unchallenged, and the evolution of cyberspace clearly reflects this.

A comprehensive cybersecurity strategy must engage all elements of U.S. power – economic, diplomatic, and law enforcement as well as military and intelligence. The need for a coherent, coordinated approach helps explain the commission’s preference for placing ultimate responsibility for cybersecurity in the White House’s National Security Council.


International Engagement and Diplomacy

Cyberspace spans the globe. No single nation can secure it, and any strategy centered on domestic action will be inadequate to address a global challenge. Much of this task will fall on the Department of State, and the White House will need to ensure that other agencies incorporate cybersecurity advocacy into their international activities.

Better cybersecurity should be part of the Department of the Treasury’s work on financial payments systems in developing economies. When the Department of Health and Human Services or the Centers for Disease Control and Prevention build health information systems with foreign partners, cybersecurity should be emphasized. There is an opportunity when the Federal Reserve Board works with the Bank for International Settlements and the Electronic Banking Group to secure electronic banking systems. When the U.S. Representative at the World Bank reviews a plan for cooperation with a developing nation, the representative should ensure that it contains commitments to improve that nation’s cybersecurity.

A normative approach to international cybersecurity focuses on how countries should behave. Today, norms for cybersecurity are weakly articulated, and enlisting a group of like-minded nations to develop and propagate such norms would improve security.

Collective defense in cyberspace provides some increase to deterrent capabilities – for example, knowing that an intrusion or attack on one nation will trigger responses from its allies or partners may lead attackers to reconsider, and can increase the resources available for response.

The UN is politically incapable of enforcing a treaty. It is ironic that some of the countries that most vigorously advocate a UN treaty are known sanctuaries for cyber crime and are themselves suspected of launching cyber attacks.

Military Doctrine and Deterrence

The most important of these is the need for a credible military presence in cyberspace to provide a deterrent against potential attackers. Although offensive cyber capabilities are not the only deterrent, possessing an offensive capability has a deterrent effect, and the absence of an offensive capability makes deterrence a hollow threat.

Military doctrine also needs to establish thresholds for response. If a country does not know who is attacking, it is difficult to create appropriate and proportionate responses in ways that reduce the chance of escalation. How do we signal to an adversary that we have detected an action that we consider threatening and are prepared to respond?

The commission’s recommendations are to refine and make public existing military doctrine and to create processes with a broad membership (beyond the DoD, the intelligence community, and the information technology community) that can work through the issues of deterrence and strategic exchange in cyberspace.

Economic Policy

Commitments to improve cybersecurity and to work against cyber crime should become a routine part of our international negotiations.

Intelligence and Law Enforcement

The intelligence community has been a leader in the efforts to improve cybersecurity. Its primary role in securing cyberspace will be to support diplomatic, military, and domestic elements of the strategy.

The intelligence community of course has other functions in cyberspace, including the clandestine collection of information and covert action against opponents. These are essential for improved cybersecurity, and a national strategy will need to consider how to integrate the classified elements into a larger defense.

The president should ensure that both the military and the intelligence community expand their offensive capabilities under an appropriate framework for the authorization of covert action.

Through U.S. leadership, a points-of-contact network has been built that allows investigators in more than 45 countries to reach each other day or night to collaborate on investigating network crimes. This operational network has had many successes in tracing the sources of crimes facilitated on global networks, but it is essentially an informal effort. The United States should work to expand, support, and formalize it by international agreement.

Establishing a fundamental national goal for cyberspace and creating a comprehensive national strategy to achieve it will vastly improve our performance in cybersecurity. Just as the National Security Act of 1947 created new entities and agency relationships to meet the security challenges of that era, the commission believes that it is time to reorganize for cyberspace.


Organizing for Cybersecurity

The central problems in the current federal organization for cybersecurity are lack of a strategic focus, overlapping missions, poor coordination and collaboration, and diffuse responsibility.

Improving cybersecurity will be difficult, as the problem cuts across agency responsibilities. The commission also recognized the importance of involving the private sector – the federal government cannot do this alone.

The commission’s thinking on organization tracks with its finding that cybersecurity is now a central problem for national security. Its recommendation is to create a new “enterprise” government model for cyberspace using the National Security Council, a collaborative network among the key agencies, and a new cyberspace office in the Executive Office of the President. (Note: An “enterprise architecture” restructures a corporation to work as a single entity rather than a collection of different business units. An enterprise structure is flatter, with fewer layers between.)

Cybersecurity is no longer (if it ever was) a domestic issue. It is an issue of international security in which the primary actors are the intelligence and military forces of other nations. The Department of Homeland Security is not the agency to lead in a conflict with foreign intelligence agencies or militaries or even well-organized international cyber criminals.

A New Branch Structure

Create a new assistant to the president for cyberspace, who will direct staff within the Executive Office of the President. The incumbent will also serve as deputy national security advisor, participating in the National Security Council meetings when appropriate and supported by a new National Security Council Cybersecurity Directorate.

The National Security Council is the organization best able to coordinate a national security strategy and the international, military, diplomatic, intelligence and law enforcement activities it entails.

National Office for Cyberspace

The assistant to the president for cyberspace would direct the National Office for Cyberspace; its functions would be to:

Provide strategic direction and coordination on cyber defense and offense;
Monitor and assess general agency priorities, programs, policies, and budgets for cybersecurity;
Develop new measures as necessary to improve the security and reliability of critical information infrastructure, including regulation and multilateral agreements;
Provide a focal point for the private sector to coordinate on cybersecurity; and
Ensure all programs are consistent with U.S. law and respect privacy and civil liberties.

The commission was attracted to a division of labor between the National Security Council and a new managerial office in the Executive Office of the President. The National Security Council would develop strategy and ensure coordination among the Department of Defense, the Department of State, the intelligence community, and other relevant agencies; this is the traditional National Security Council (NSC) role, but the NSC would not be operational in nature. The new National Office for Cybersecurity would manage implementation of the strategy and provide oversight and direction, particularly for the many cyberspace-related programs that cut across traditional agency responsibilities. Both the NSC Cybersecurity Directorate and the National Office for Cybersecurity would report to the assistant to the president for cyberspace.

The NOC should not seek to capture and own all federal efforts but should support them and ensure they progress to meet national needs. The NOC would map expertise across government and establish the collaborative tools (wikis and social networks, for instance) that will enable a new horizontal approach to addressing cyber problems.

Toward an Information-Age Government

In the federal government, the so-called CIO is located in the Office of Management and Budget (OMB), several layers from the president. Incumbents in this position have performed well, but the commission wondered whether it was time to move to models derived from successful experiments in the corporate world.

The National Office for Cyberspace (NOC) can provide a test bed for the next president to experiment with how best to organize CIO functions in the federal government.

The commission believes that the next administration will achieve more lasting success by presenting a comprehensive package of cybersecurity improvements to the various committees; pragmatically, it is better that the next administration spend its time on achieving these goals rather than taking on jurisdictional battles in Congress.

Rebuilding Partnership with the Private Sector

The so-called public-private partnership as it now exists is marked by serious shortcomings. These include a lack of agreement on roles and responsibilities, an obsession with information sharing for its own sake, and the creation of new public-private groups each time a problem arises without any effort to eliminate redundancy.

The commission found almost universal recognition that the status quo is not meeting the needs of either the government or the private sector with respect to trust and operational collaboration.

As the old military axiom has it: “He who defends everything defends nothing.” To focus the defense of cyberspace, the commission has identified four critical cyber infrastructures: energy, finance, the converging information technology and communications sectors, and government services (including state and municipal governments). These four sectors are all critical from a national security perspective, especially if that term correctly includes economic security. They form the backbone of cyberspace.

The commission recommends concentration on two key problems: how to build trust between the government and company executives and how to focus efforts on what is truly critical to cyberspace.

The primary goal of the new partnership organizations should be to build action-oriented relationships rather than to share information that is either already available or that companies are reluctant to provide. This can be done by creating a simplified structure that has three parts: a new presidential advisory committee that connects the White House to the private sector entities most important for cyberspace; a national town hall organization that provides a dialogue for education and discussion; and a new operational organization (CCSO).

The President’s Committee for Secure Cyberspace would absorb both the National Security and Telecommunications Advisory Committee and the National Infrastructure Advisory Council and must be limited to C-level membership (not Washington representatives). What is needed is a group of executives from critical cyber infrastructure companies who will interact regularly with senior federal officials in order to create the trust relationships needed for real information exchange and for collaboration in a time of need.

The Information Sharing and Analysis Centers (ISACs) for sectors critical for cyberspace could become working groups attached to the new C-level body or the CCSO. These are the ISACs for the financial sector, the IT sector, and the multistate government ISAC.

National Town Hall Group

The creation of a new town hall process provides a vehicle to involve a broad range of stakeholders. The town hall meetings held as part of the 2003 national cybersecurity strategy attracted large audiences and provided broad exposure to public concerns and government thinking.

Absent the creation of this group, we will continue to rely on ad-hoc and incomplete efforts to educate the public on how to operate more securely in cyberspace.

Center for Cybersecurity Operations

The Center for Cybersecurity Operations (CCSO) would be a new nonprofit organization where public and private sector entities can collaborate and share information on critical cybersecurity matters in a trusted environment.

The mission of the CCSO will be to address operational issues that affect critical cyber infrastructure.

The operations center would have a round-the-clock watch, which CCSO could bring to full strength during emergencies.

The CCSO could take a reported issue, identify affected entities, determine if there is a sizable community of interest, and then bring it together to help mitigate the issue or identify the right organization to do so.

The CCSO could manage the national stakeholders’ forum recommended above and provide a venue for international cooperation among private sector entities.

Regulate for Cybersecurity

National defense is a public good. We should not expect companies, which must earn a profit to survive, to supply this public good in adequate amounts.

The intent of regulation is to increase transparency and improve resiliency and reliability in the delivery of services critical to cyberspace.

The commission proposes four sets of regulations: (a) the development of shared standards and best practices for cybersecurity in the three critical cyber infrastructure sectors (ICT, finance and energy) to improve security and increase transparency, (b) the creation of new regulations that apply to supervisory control and data acquisition and other industrial control systems, (c) changes to federal acquisition rules to drive security in products and services, and (d) mandatory authentication of identity using robust credentials for critical infrastructure sectors.

The next administration should revisit the issue of regulation for cybersecurity and make two significant changes: industry and government should identify the level of security markets will naturally provide, and regulation would create processes to fill the gap between what markets will naturally provide and what national security requires.

Consistent with national security needs, the intent of any regulatory regime should be to improve security, transparency, reliability and resiliency.

A new approach would combine the flexibility of the private sector in identifying best practices with the enforcement strength of the government in ensuring compliance. The existing regulatory agencies for telecommunications, finance and energy would oversee a consultative process during which their industries would establish best practices for cybersecurity suited to their field. Government should set goals; industry should determine how best to accomplish these goals. Government should then ensure compliance.

Regulation is not a panacea and, if improperly implemented, can actually make matters worse by creating a false sense of security and creating incentives for wrong behaviors (FISMA, for example, as currently drafted, creates incentives for document reviews rather than for improving network security).

The National Office for Cybersecurity should assume the Clinger-Cohen authorities currently exercised by OMB for “standards, guidelines, and associated methods and techniques for securing computer systems.”

The NOC should develop regulations immediately for critical cyber infrastructures.

The presidential directive establishing the NOC should include a requirement for the appropriate regulatory agencies to report to the NOC, and for the NOC to report to the president annually on the status and adequacy of agencies’ cyber regulations.

Supervisory Control and Data Acquisition and Industrial Control Systems

Throughout our critical infrastructures, the command system rooted in cyberspace is at risk.

Changing this will require many actions, including education, standards setting, and research. The commission believes that some regulation will be necessary.

Use Acquisitions to Increase Cybersecurity

The federal government should require that the IT products it buys be securely configured when they are delivered.

Security should be incorporated into products from the start of the design and development process.

Continue and expand the FDCC (Federal Desktop Core Configuration), an OMB mandate that requires all federal agencies to standardize the configuration settings of their operating systems and of the applications that run on those systems.

The NOC and OMB should use the Chief Information Officers Council to undertake the development of standard security guidelines, settings, or specifications and to coordinate incorporation of those guidelines, settings and specifications into government-wide contracting strategies.

Continue with the reform of Common Criteria to ensure that security is, in fact, part of the entire design and build process, allowing cybersecurity improvements in the larger global network internationally.

Acquire Secure Internet Services

Current internet technologies and protocols were developed in the 1960s and 1970s and no longer adequately protect cyberspace. Slow adoption of improved and more secure protocols can be remedied by federal acquisitions, which will create the necessary incentives for widespread adoption.

Identity Management for Cybersecurity

Anonymity is important (for the online expression of free speech and for researching information about disease treatment, for example), but weak online identification is inappropriate in circumstances where all legitimate parties to a transaction desire robust authentication of identity.

Creating the ability to know reliably what person or device is sending a particular data stream in cyberspace must be part of the effective cybersecurity strategy.

The United States should adopt regulations that require robust authentication for transactions involving access to critical cyber infrastructures.

Privacy and confidentiality are central values that any government cybersecurity initiative must respect. For authentication systems to be widely adopted, privacy concerns must be addressed.

The commission’s discussions made clear that government programs must provide security while also protecting privacy and civil liberties.

Modernize Authorities

Rules (including the Wiretap Act, the Stored Communications Act, and the Pen Register and Trap and Trace Statute) have been written and amended over the course of 40 years, resulting in a complex interchange of definitions, prohibitions, and permissions. To the extent that the sheer weight of legal complexity deters or delays investigations or cooperation between the private sector and the government after a network attack or penetration, these current laws may damage the nation’s cybersecurity.

Increasingly, people are remotely storing their sensitive information on services such as Web mail and calendaring, and application of existing law to these new technologies is uncertain.

It may be time to consider creating rules for remote online execution of a data warrant. This may be especially useful in investigations of terrorism, espionage, cyber crime, organized crime, or any other case where there is a risk of data destruction or danger to the officer.

Federal Information Systems Management Act

FISMA lacks effective guidance and standards for determining appropriate levels of risk; it lacks requirements for testing or measuring an agency’s vulnerabilities or its plans for mitigating such vulnerabilities; it fails to define agency responsibilities for effective controls over contractors or vendors; and it does not recognize the emergence of new technologies and network architectures.

A revised FISMA should require that agencies demonstrate that their systems are effectively protected against known vulnerabilities, attacks, and exploitations by using metrics informed by the U.S. offense capabilities and by actual performance.

A first step would be to reinforce the current FISMA compliance process at selected agencies with a periodic vulnerability scan and red-team attack assessment, perhaps conducted as training exercises by DoD cyber assets.

Assign to the NOC the ability to use continuous monitoring (perhaps based on the Einstein program) of security and performance rather than an annual review of paper processes.

Civilian and National Security Systems

A new approach would end the distinction between civilian and national security systems and instead assign responsibility according to the sensitivity of the information. In this risk-based approach, agencies would assess the sensitivity of the information they hold on their networks – information whose loss would adversely affect the privacy of citizens, the operation of the government, or U.S. economic interests. When agency activities involve sensitive information, they would implement more extensive protection in compliance with a risk-based approach, mandated by OMB and based on technical advice from NSA and NIST.

Build for the Future

Commission interviews and research show that currently in cyberspace, the advantage lies with the attacker. These recommendations call for long term investment in the workforce and the new technology that will remove that advantage.

Cyber Education and Workforce Development

The cyber threat to the United States affects all aspects of society, business and government, but there is neither a broad cadre of cyber experts, nor an established cyber career field to build upon, particularly within the federal government.

The commission believes there are two remedies for these problems: the first is to increase the supply of skilled workers. This will benefit both government and the private sector. The second is to create a career path (including training and advancement) for cyberspace specialists in the federal government.

The simplest approach would be to expand the Scholarship for Service, a National Science Foundation scholarship program that provides tuition and stipends, and reinforce this by requiring accreditation of schools where scholarships are provided for computer security studies.

The Office of Personnel Management, working with key agencies engaged in cyber defense and offense, needs to establish rewarding career paths and advanced training.

The NOC should create an interagency body responsible for developing standards for the skills and knowledge needed to meet cyber missions and functions.

The White House could work with Congress to introduce legislation that would allow the Office of Personnel Management to offer more flexibility in hiring and retaining the employees with specialized cyber skills.

Many Americans believe that our nation still leads in cyberspace, just as many Americans believed in 1957 that the United States led in the space race until a Soviet satellite appeared over their heads.

The importance of cybersecurity to all aspects of our national defense and economy, coupled with the more sophisticated cyber threats we face, indicates that a meager $300 million investment is inadequate. The CNCI recognized the shortfall in cybersecurity-related R&D investment and made efforts to change this.

The longer-term effort has two main goals: (1) constructing a national research and technology agenda that both identifies the most promising ideas and describes the strategy that brings those ideas to fruition, and (2) jump-starting multidisciplinary development efforts.

As part of an expanded cyber research agenda, make the development of meaningful cybersecurity metrics and better assessment tools a priority. Research efforts should focus on the creation of metrics and tools that will allow system owners to measure risks and determine how best to minimize those risks through informed investment.

Updating the core protocols of the Internet to be more resilient against attack could make cyberspace an environment of greater security and trust. Research on how to make the Internet fundamentally more secure would provide global benefits for security and commerce.

Conclusion: Winning the Hidden Battle

Cybersecurity is among the most serious economic and national security challenges we face in the twenty-first century.

This struggle does more real damage every day to the economic health and national security of the United States than any other threat. “In cyberspace the war has begun”.

We will never be fully secure in cyberspace, but much can be done to reduce risk, increase resiliency, and gain new strengths.

Our goal should not be the best defense, but a federal government that can securely take full advantage of cyberspace.

The commission took a holistic approach to cybersecurity, one that looks beyond security alone and asks how best to enable and assure essential services in cyberspace.

Our goal must be a government and nation attuned to the new environment technology has created and where the secure use of cyberspace creates new opportunities for collaboration, growth and national advantage.
