Recent proposals aim to secure nation’s cyber infrastructure.
From the White House to the Defense Department, and from corporate boardrooms to computer rooms across the country, the issue of protecting the networks of government and industry is increasingly leading to the development of new strategies and plans.
The Defense Information Systems Agency (DISA) recently released its 2011-2012 Campaign Plan, outlining requirements and opportunities to strengthen the defense of the Defense Department’s computer networks and to facilitate the use of a new generation of mobile devices and other information technology resources.
On Capitol Hill, Ari Schwartz, Internet policy adviser at the National Institute of Standards and Technology, testified before the Senate Judiciary Committee in late June that interagency groups are exploring the creation of a .secure Internet domain. The move would allow the creation of Internet addresses to help secure, protect and monitor private critical cyber infrastructure. It has been suggested that electric transmission, pipeline and other Internet-based systems carrying such a domain also would be subject to close scrutiny by the government for possible cyberattacks.
The release of the White House’s International Strategy for Cyberspace this past spring marked a distinct policy shift for the Obama administration. The new policy builds on last summer’s White House announcement that it would work with other nations to secure computer networks.
James A. Lewis, a senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS) in Washington, believes that the president’s approach to international cybersecurity is almost a complete reversal from the policies of previous administrations.
“The cornerstone of the new policy is engagement,” Lewis says. “The United States will engage with other nations to build a secure cyberspace. In the past, we had said that this wasn’t necessary, that the market would do it, or that it really wasn’t a problem.” Lewis believes that the shift to engagement, particularly the drafting of norms of engagement, will define the current administration’s approach to developing international cybersecurity policies. Norms of engagement, as defined by the White House cybersecurity strategy, include global interoperability, network stability, reliable access, multistakeholder governance, and cybersecurity due diligence.
Asked to detail how the Obama administration’s approach to global cybersecurity policy compares and contrasts with those of previous administrations, Lewis explained that the Clinton administration’s view of the Internet was that of a “self-governing community,” where nations did not have a very large role to play. “Maybe that was a good approach for 1994, but it doesn’t make any sense for now,” he concludes.
Lewis, a former Foreign Service officer and project director for the CSIS Commission on Cybersecurity for the 44th Presidency, says that by comparison, the Bush administration preferred a more unilateral approach and a reliance on military force. In doing so, Lewis says, that administration believed such a strategy by itself would deter cyberattacks from other nations, and it would minimize the need to work with the United Nations.
Lewis believes that just as there are “rules and structures for finance, and rules and structures for trade,” it is time to say that cyberspace has grown up, and it needs rules and structures as well.
Inevitably, all of the president’s cybersecurity initiatives will have to pass the oversight and scrutiny—and in some cases, the fiscal rigor—of lawmakers on Capitol Hill.
Rep. James R. Langevin (D-RI), founder and co-chair of the Congressional Cybersecurity Caucus, says the administration’s newly announced policy of engagement is “absolutely the right thing to do.
“This is not just a U.S. problem,” he says, “but a global, and international problem. In many ways, the attacks we are seeing are coming from overseas, particularly from countries where Internet usage is increasing rapidly.”
Rep. Langevin explains that current laws and investigative tools have simply not kept up with Internet use by criminals.
The new White House cybersecurity policy made headlines when officials stated that they would treat cyberattacks, “as we would to any other threat to our country.”
Rep. Langevin believes that such a policy acknowledges the grim reality of the Internet: that while it is a marvelous and open resource, those same characteristics create very serious vulnerabilities that others exploit, with very serious consequences.
“It’s a growing problem and a national security threat. What could only be accomplished with kinetic weapons, such as an attack on critical infrastructure, real damage can now be done with a few keystrokes.”
When it comes to protecting the nation’s cyber infrastructure from such attacks, the Rhode Island Democrat believes, “We need to move aggressively, to be better organized and to defend ourselves, and we’re not there yet.”
Rep. Langevin, who also serves on the House Armed Services Committee and the House Permanent Select Committee on Intelligence, believes that the Defense Department’s recently opened Cyber Command is doing a good job of protecting the .mil armed forces network. But he’s concerned that the .gov civilian federal agency network “is not where it needs to be to protect itself.”
And the congressman has special concerns about protecting the .com civilian business networks from cyberattacks. That’s because the systems that help manage privately owned utilities and other critical infrastructure are made vulnerable by sharing the same .com networks as other businesses.
“We should think about another designation or Internet domain, perhaps .criticalinfrastructure,” which he says would allow government to work with the private sector to close important vulnerabilities.
Prior to releasing its new international cybersecurity policy, the White House also unveiled a new domestic cybersecurity initiative.
That new policy designated the Department of Homeland Security (DHS) as the lead federal agency with the authority to protect government and domestic critical infrastructure. It also increases and clarifies penalties for computer and information technology-related crime and requires independent auditors to assess a company’s cybersecurity protection policies.
Rep. Langevin says the White House plan does not address a leadership deficiency within the administration when it comes to cybersecurity.
“I would like to have seen stronger authorities in the Executive Office of the President,” he relates. Several years ago, President Obama named Howard Schmidt to be the cybersecurity coordinator for the White House. Langevin says he complained at the time, and he continues to maintain that, “I would have liked to have seen that be a director’s position, a cybersecurity office, with a strong director’s position that would have policy and budgetary authority.”
Commenting on the domestic cybersecurity plan, CSIS’ Lewis believes that the White House plan is designed to give DHS the resources it needs, including broader authorities, for its proposed role as cybersecurity protector.
One of the issues is whether DHS’ authority will extend beyond the federal government to critical infrastructure, he explains. That topic will be the focus of many of the legislative battles on Capitol Hill.
Lewis also notes that last April, the White House released a proposal for a National Strategy for Trusted Identities in Cyberspace. The effort would create a government-sponsored, private-sector-operated digital identity ecosystem. The idea, which currently is in the early discussion stage, is to create an environment beyond passwords. NIST, which is coordinating a governmentwide notice of inquiry on the subject, envisions creation of an “identity ecosystem” in which users would acquire unique digital credentials. Those credentials, in turn, would be used to access everything from email to banking and other activities in which people must prove their identity.
In a similar vein, DHS in March published a white paper endorsing the creation of a so-called “Cyber Center for Disease Control and Prevention.” Just as its health-related counterpart in Atlanta does on behalf of public health, a Cyber-CDC would monitor networks for threats, offer useful information and coordinate preventive actions.
Perhaps anticipating the release of the White House domestic cybersecurity initiative, Homeland Security Secretary Janet Napolitano tried to define a role for her agency. In an April speech delivered to the University of California Berkeley College of Engineering, Napolitano also called for a balanced approach to cybersecurity. “We believe that any government rules for cyberspace should identify where we want to be, not proscribe exactly how to get there, and should allow ample space for innovation. They should also be clear, fair and broadly supported, and respect and reflect the diversity of the society in which we live,” she stated.
White House: International Strategy for Cyberspace:
Senate Judiciary Crime and Terrorism Subcommittee - Cybersecurity hearing: http://judiciary.senate.gov/hearings/hearing.cfm?id=e655f9e2809e5476862f735da16e1bbe
Secretary Napolitano’s speech: http://www.dhs.gov/ynews/speeches/sp_1303766068994.shtm
DHS Cybersecurity white paper: http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf
NIST National Strategy for Trusted Identities in Cyberspace: http://www.nist.gov/nstic/