Government Must Step Up And Lead Cyberspace Homeland Security

February 2005
By Vice Adm. Herbert A. Browne, USN (Ret.)

The attacks of September 11, 2001, changed Free World society forever. The terrorist slaughter brought home the concept that no oceans, no mountains, no national borders will deter evildoers from attacking innocents around the globe.

Free World governments responded to the terror tactics employed that day by increasing emphasis on homeland security, and among the first measures were efforts to strengthen commercial aviation safety. Everyone has seen the effect that homeland security is having on air travel, and certainly that is an important and highly visible function.

But, the borderless nature of the war on terror requires that we consider the most borderless battlefield in the history of human endeavor: cyberspace. In addition to concerns about public transportation safety, we must continue to concentrate on protecting the network.

Virtually every element of our daily lives, from banking to transportation to health care to employment, in some way or another resides on the world’s information networks. It will do us no good if, for example, we protect the activity of transportation without protecting the networks that support it. In protecting travelers, it is important to focus just as much attention on transportation’s enabling networks as it is to safeguard passengers on a commercial airliner.

However, establishing effective cyberspace security will not be an easy task. Industry is so concerned about government regulations that, as the U.S. Department of Homeland Security attempts to place relatively simple standards on network security, industry is poised to push back. Industry prefers self-regulation in information security, and while that does work for some challenges, it does not work for cyberspace in the age of terrorism. The idea that industry can self-regulate cybersecurity is about as valid as suggesting that we can self-regulate missile defense security. Cyberspace security is just too comprehensive to be attained only through self-regulation, and the stakes are too high to risk that approach.

In this realm, there must be some government leadership and oversight on those in industry who are reticent to take on new regulations. This leadership will ensure that practical and effective steps are being taken across the board to secure cyberspace. With government leadership and direction in this arena, companies need not fear that their security measures will place them at a competitive disadvantage to rival firms. All companies will be undertaking the same efforts to achieve the same goals.

But, government must practice smart leadership in ensuring cybersecurity. The last thing we need is for government to issue stacks and stacks of regulations for securing the network. Companies fear having to fill out an encyclopedia of forms just to engage in business in cyberspace. That approach, if enacted, could leave the commercial sector literally buried under the sort of paperwork that the digital workplace is supposed to eliminate. Not only would that hamstring the competitiveness of the private sector, but also it likely would limit companies’ ability to implement the very security it would aim to establish.

Another concern is that over-securing the network will eliminate the flexibility needed for passing data files through cyberspace. Many companies are both achieving significant business efficiencies through cyberspace and offering new capabilities for customer service that were unthinkable just 15 years ago. Restricting the flexibility that enables those business gains could put the brakes on the entire economy of the Free World.

This is not just alarmist thinking. All of us who have implemented firewalls on networks have experienced losing information that, for some reason or other, did not make it through a firewall. No security measure is perfect, either in guarding its host or in keeping out only malevolent files. A widespread implementation of overkill security measures could relegate cyberspace to a special-interest business center instead of the global marketplace that defines it today.

Achieving true cyberspace security will require establishing a good government-industry partnership. This partnership must be structured to create logical and definable security requirements that will increase the security of the network without significantly reducing the speed and agility required to use that network. The model of the National Security Telecommunications Advisory Committee (NSTAC) could serve as a starting point for this partnership.

AFCEANs must continue to find ways to support the Department of Homeland Security’s goal of protecting the network. This service aligns directly with our association’s mission. My challenge to government and industry is to establish a think tank to develop near-term risk management boundaries that will increase network security without adversely affecting the way society uses cyberspace today.

But, above all, the key must be risk management. We don’t need quite as much security for moving some data as we need for other more important files. Cyberspace security should be flexible enough to take that into account. Yet, this security must be effective enough that it doesn’t leave a mansion full of back doors for hackers and terrorists to enter.

Government must take the lead on this, and I am convinced that industry will step up to the challenge. The flying public has accepted new security regulations at our airports across the globe, and the right cybersecurity policy should generate the same acceptance.