Government Maps Cyberspace Security Program
A leaner version defines public-private partnership.
The newest U.S. government plan for cybersecurity proposes some short-term remedies while acknowledging that long-term security goals may take years to come to fruition. First published in draft form last fall, the new version establishes a list of priority programs but eschews detailed directives. This changes the thrust of the strategy from an operations manual to a list of guidelines.
This road map to information security is the National Strategy to Secure Cyberspace. Its guiding principle is a public-private partnership—done truly as partners—that makes each partner more secure while maintaining privacy and civil liberties, according to Howard A. Schmidt, acting chair of the President’s Critical Infrastructure Protection Board.
Since the first draft appeared, some aspects of cybersecurity have been turned over to the Homeland Security Department. This new department now has key elements such as the National Infrastructure Protection Center, the National Communications System, the Federal Computer Incident Response Center (General Services Administration), the Energy Department’s Information Assurance Division and the Critical Infrastructure Assurance Office. “Instead of going out to four or five different agencies, you now have a single point within a department to look at these issues across entire sectors,” Schmidt points out.
The new department is the lead agency for the information and telecommunications sectors in the critical infrastructure. The Office of Science and Technology Policy coordinates research and development to support critical infrastructure protection, while the Office of Management and Budget oversees the implementation of governmentwide computer security policies, principles, standards and guidelines.
Many private sector companies have never fully appreciated how and where they fit into national security, Schmidt offers. Companies such as network backbone providers tend to look through their straw and see only how their particular network is affected. “Clearly, industry has to do a better job—as it has been doing—working more toward cross-coordination. Instead of looking through one straw, you get a bigger, more synoptic view of what is going on in the health of the Internet,” he says.
This strategy points out where companies are vitally important and how they can join forces to serve the national interest. In effect, it serves as a road map for instituting security in the critical infostructure. Next, Schmidt says, comes determining how to implement it. “Now the real work begins,” he states.
The key difference between the final version and the original draft is that the new document does not define as many actions. “It’s a lot more compact,” Schmidt explains. “We tried to fit everything in the world into the original draft—a combination of some tactical plans co-mingled with some strategic views on things. Clearly, we’ve been able to compact it.” Most of these tactical areas were implementation plans.
A second key change is that the new document is more focused than its progenitor. Schmidt again credits the reduced reliance on detail, which helps the strategy avoid the trap of becoming an all-encompassing document.
Originally, the draft identified 86 recommendations, discussion points or programs that were under consideration. This broad swath did not lend itself well to establishing straightforward, manageable recommendations. “It’s much clearer now who does what and who has the responsibility and priority to do these things,” he emphasizes.
A third improvement is that the new strategy does a better job of establishing priorities, especially in its recommendations. The core of the strategy comprises five priorities: a national cyberspace security response system; a national cyberspace security threat and vulnerability reduction program; a national cyberspace security awareness and training program; securing governments’ cyberspace; and national security and international cyberspace security cooperation.
Schmidt believes that the government’s approach, as expressed in the new strategy, will prove more popular with industry. “The unpopular approach would be if government said, ‘Now we are going to start regulating, and you must do this; you must do that,’ in an environment where many of the companies are working hard just to meet salaries,” he explains. The incentive approach to the strategy appeals to companies’ enlightened self-interest, he notes. Firms recognize that, to continue as viable organizations, they must do more in security.
The role of industry is only half of the picture, however. Government can, and should, lead by example, Schmidt emphasizes. This has not always been the case.
“We have had less than stellar reports in the past, when it comes to IT [information technology] security within government agencies,” he declares. One solution is for government to mandate, through the Government Information Security Reform Act and the Federal Information Security Management Act, what agencies must do to ensure security. An agency without a security plan for new information technology spending does not receive its funds, which has been the approach taken by the Office of Management and Budget for two years (SIGNAL, August 2002, page 23). “I dread to think where we would be if we had not had it in place,” Schmidt says.
However, government also is a big consumer of information technology goods and services. So, it can use its procurement power to specify built-in security requirements in information technology-related purchases.
The first priority, creating a national cyberspace security response system, is likened to the strategy of the Cold War early warning system that guarded the United States against Soviet nuclear attack. The Homeland Security Department will be responsible for developing this public-private architecture, which will provide crisis management support during threats or attacks on critical systems as well as coordinate warning information to various levels of government and the public.
This response system will differ from existing mechanisms in that it will consolidate many activities that had limited applications. Not every information technology company belongs to the same security organizations, Schmidt observes. Not all of the Internet service providers (ISPs) have relationships with dedicated security groups. Different security problems are addressed by different groups.
A national cybersecurity response system will leverage the around-the-clock capabilities possessed by major corporations, ISPs and computer emergency response teams (CERTs), including the government-supported CERT at the Software Engineering Institute in Pennsylvania. This overarching approach is designed to help provide a more holistic view of network activities.
Schmidt notes that the recent Slammer virus attack illustrates the need for this type of approach. The virus nearly hit its maximum capacity within 10 minutes of its attack. “We can’t wait six hours to start analyzing what happens,” he declares. “The only way you can reduce that time is to have everybody on a system by which there is simultaneous alerting.
“[This involves] setting up better processes around how you actually identify when something is coming,” he adds.
No architecture yet exists for this national cyberspace security response system. Schmidt says that this is one of the key pieces of the public-private partnership. As the Homeland Security Department begins building up its capabilities, it will be examining both technical and business concerns. The costs that a company would incur will be one key factor, for example. The intent would be to provide the widest level of information dissemination possible while minimizing the financial effect on those involved, Schmidt offers.
The second priority is a national cyberspace security threat and vulnerability reduction program. Its components include federal programs and initiatives as well as government-recommended activities for individuals and organizations.
“A key issue in this program is that we can go a long way to protect ourselves better by reducing the number of vulnerabilities out there,” Schmidt states. He continues that this can be achieved in a number of ways.
For the short term, when a vulnerability is detected, patches can be installed as quickly as possible. A mid-term priority is to “reduce the attack surface” of a system during its architecture development and installation, even if it has a vulnerability. A long-term thrust is to ensure better quality control and engineering by software, hardware and services vendors. This long-term fix will not happen overnight, Schmidt emphasizes.
“Clearly we have a commitment from the vast majority of [companies] that says ‘security is job number one,’ but it is going to take anywhere from 18 to 24 months to see that implemented,” he says. “Depending on migration times for people to rebuild their infrastructures, we may be looking at three to five years out before we actually see the benefits of that.”
Schmidt emphasizes that the strategy does not minimize the importance of threat analysis. However, many attacks—especially widespread virus onslaughts—occur without warning. The damage done by these kinds of attacks can be minimized by being able to mitigate the effects of a threat when it is identified.
The success of this effort will depend on both technology and the human factor. “Clearly there is equal weight to be assigned to the people and the processes,” Schmidt points out. This may include ensuring that processes in place can recognize the most critical systems and determine how to mitigate damage to them.
The third priority is a national cyberspace security awareness and training program. Key aspects of this effort include promoting a comprehensive national awareness program; increasing the efficiency of existing federal cybersecurity training programs; fostering adequate training and education programs; and promoting private sector support for cybersecurity certification.
This training may encompass managers, engineers and technical personnel. The positions these diverse personnel hold can differ from organization to organization. Accordingly, the strategy will require establishing a baseline of professional functions that defines a person’s cyberspace role. Criteria may include an individual’s training certification and operating system experience, for example.
Schmidt notes that discussion already has taken place on establishing an overarching certification body, such as the one that exists for certified public accountants. Applicants must prove proficiency in core competencies to be certified. Schmidt relates that government and private sector officials are examining whether to establish a similar mechanism for the information technology community.
The fourth priority, securing governments’ cyberspace, will differ from the first two priorities in that it addresses government-specific actions. “If you look at the GAO [General Accounting Office] reports of the past few years, you see that government still has a lot of work to do,” Schmidt relates. “As long as we continue to have government agencies get grades in the ‘F’ category, we need to focus more on that.”
Schmidt continues that government has much more control over impelling security in its internal organizations. It can mandate specific actions to agencies, and it will not fund them if they do not have effective security plans and processes. Some of the programs that did find their funding cut off now are in much better shape, he adds.
“Remember, we built from an environment where security was just an afterthought in many cases,” Schmidt points out. “Over the past 10 to 12 years, the focus was on getting deployments out and incorporating features. Oftentimes security was part of the process but not the top priority.”
Another element that has changed is the threat against systems. As systems have become more complex, the state of their security has become less uniform. “We’ve designed the IT infrastructure to be so ubiquitous and to become appliance-like, we in some cases tend to forget that we have to pay attention to this,” Schmidt says.
The hope is that government’s actions and results become a model for the private sector, he offers.
The fifth priority, which encompasses national security and international cyberspace security cooperation, addresses the lack of borders in cyberspace. The focal point is to provide rapid information exchange for alert and response to security threats, as well as to prevent attacks and enhance security.
The domestic side of this priority focuses on strengthening counterintelligence efforts in cyberspace, including improved attack attribution and prevention capabilities. This effort also would improve coordination within the U.S. national security community for responding to cyberattacks. And, the strategy states that “the United States reserves the right to respond in an appropriate manner” if attacked through cyberspace by a nation, terrorist group or other adversary. This response need not be limited to criminal prosecution.
On the international side, the U.S. State Department would lead efforts to work through international organizations, develop secure networks and foster national and international watch-and-warning networks. The United States will actively encourage other nations to accede to the Council of Europe Convention on Cybercrime, and it will work with Canada and Mexico to create a North American “safe cyber zone.”
Schmidt cites the “I love you” virus as an example of the need for coordinated international security activities. That virus began in the Philippines and began to infect a cascading number of businesses as the workday moved around the globe. Had information from its region of origin been shared more quickly, the effect of the virus might have been minimized. Couple this capability with an established response mechanism, and the virus might have been nipped in the bud. “We could have saved a whole lot of individuals, companies and government agencies the pains of having to rebuild their systems,” he maintains.
Detection and response are only half of this initiative, however. A proactive segment aims to analyze ways of building a more secure system. This can encompass unintended consequences such as security patches that break applications, for example. Where traditionally companies would deal with this type of problem internally, an international cooperation program would empower them to share this information with other companies and agencies.
This sharing also would involve government-to-government activities. These would include global harmonization of laws and assisting other countries in the investigation of cybercrime, which Schmidt points out is truly an international issue.
Additional information on the new National Strategy to Secure Cyberspace is available on the World Wide Web at http://www.whitehouse.gov/pcipb.