Cybersecurity Suggestions for the new Administration

President-elect Barack Obama faces many challenges after taking the oath of office next week, not the least of which is protecting the nation from an invisible menace. Attacks on the country’s information networks not only continue but also are increasing in cunning and effect. While experts in the corporate sector are predicting a new wave of threats with the growth of social networking, government experts are offering their recommendations for the next strategy to keep cybermarauders in check.

A report titled “Securing Cyberspace for the 44th Presidency” outlines several steps that should be taken to better organize the U.S. government to protect and defend cyberspace. The report was created by a commission led by Rep. James R. Langevin (D-RI); Rep. Michael T. McCaul (R-TX); Scott Charney, vice president for trustworthy computing, Microsoft Corporation; and Lt. Gen. Harry Raduege, USAF (Ret.), chairman, Center for Network Innovation, Deloitte and Touche. The report was created under the auspices of the Center for Strategic and International Studies (CSIS).

Gen. Raduege explains the evolution of the report: “As Deputy Secretary of Defense from 1997 through January 2000, Dr. John Hamre developed a great interest in the importance of cybersecurity. When he became the president and chief executive officer of the CSIS in January 2000, he ensured that CSIS had a focus on this issue.

“The United States is under severe attack through cyberspace, with national security being increasingly jeopardized on a daily basis. These attacks are global in nature and involve everything from cyberespionage to cybercrime to nuisance hacker attacks. As a result, the U.S. must have a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity and how to deal with them. This national security issue is so critical that the best efforts of a sophisticated public-private partnership are required,” Gen. Raduege states.

In 2007, after a series of damaging cyberattacks within the departments of Defense, State and Commerce, Hamre and Jim Lewis, director, technology and public policy program, CSIS, concluded that the United States was approaching a crisis. As a result, in July 2007, Lewis questioned whether it would be worthwhile to organize experts to create recommendations for the next administration. Lewis assumed that it would take a year to investigate and develop a comprehensive set of findings and recommendations, Gen. Raduege explains.

To move the project forward, Paul Kurtz, National Security Council, suggested that Lewis contact Jake Olcott and Kevin Gronberg, the cybersecurity staffers for congressmen Langevin and McCaul. The congressmen wholeheartedly agreed with the idea of creating recommendations for the next administration and immediately became two of the four commission co-chairs, he adds.

“Support from the U.S. House of Representatives has been very important for the critical nature of this undertaking. Working with the staff director for the House Homeland Security Committee and a few others, the early initiators came up with a list of approximately 30 people to invite to serve on a ‘CSIS Commission on Cybersecurity for the 44th Presidency.’ They also invited 14 administration officials to be ex-officio members,” Gen. Raduege relates. Commission membership was fairly well established in late 2007, and the “deep-dive” of activity began in early 2008, he adds.

Comprehensive national security for cyberspace should include involvement from many sectors, the group recommends. Referring to a military strategy, this includes diplomacy, intelligence, military doctrine and action, and economic policy tools. In addition, the commissioners advocate the addition of involvement from law enforcement.

Leadership at the White House level is crucial, the commissioners agree. To this end, the report proposes the creation of a new office for cyberspace in the Executive Office of the President. The National Office for Cyberspace would combine the National Cyber Security Center and the Joint Inter-Agency Cyber Task Force and work with the National Security Council (NSC) to manage U.S. networks. In addition, the president should appoint an assistant for cyberspace and establish a Cybersecurity Directorate within the NSC.

The commission also calls for reinventing the public-private partnership. This cooperative endeavor would include clearly defined responsibilities and would emphasize trust-building among partners.

Stating that voluntary action is not enough, the commissioners recommend that cyberspace be regulated. This management should include prioritizing risks and setting minimum standards for securing cyberspace. However, the group advocates a regulation approach that avoids prescriptive mandates and the overreliance on market forces. In addition, commissioners advise President-elect Obama and the U.S. Congress to update the decades-old laws that govern cyberspace.

Commissioners believe that security can and should be a priority from the start. Consequently, they advocate an acquisitions policy that states that the federal government will purchase only secure products and services. Standards and guidelines for these products should be developed in conjunction with industry, they agree.

To ensure security in the future, federal support for focused research and development programs is required, the report states. This is especially important because the research and interviews integral to creating the report revealed that the United States faces a long-term challenge in cyberspace from foreign intelligence agencies and militaries as well as criminals.

Despite some of their sweeping recommendations, the commissioners agree that the Bush administration took a major step toward improving federal cybersecurity with its Comprehensive National Cyberspace Initiative. However, this initiative is only the starting point for the many other actions that must be taken, they maintain.

“Our commission report involves 25 different but interrelated recommendations, covered in a 90-page report. In the interest of brevity, our report covers the strategic concepts behind our findings and recommendations but does not go into great detail. Our findings and recommendations can be further detailed but, in most cases, need to be further developed by the next administration. The work of cybersecurity must not be thought of as a program or destination; the work of cybersecurity must be thought of as a critical, long-term national campaign,” Gen. Raduege states.