Is America Building a Cyber Security Sand Castle?

William Crowell, former Deputy Director of the National Security Agency, helps explain how private sector efforts coupled with public sector policies can mitigate cyber threats

The Cybersecurity Act of 2009 (S.773), introduced April 1 by Senators John Rockefeller (D-WV), Evan Bayh (D-IN), Bill Nelson (D-FL) and Olympia Snowe (R-ME), calls for the National Institute of Standards and Technology (NIST) to create new, enforceable standards of cybersecurity for the federal government and critical infrastructure. It proposes a national licensing and certification program for cybersecurity professionals, and would make it unlawful for any individual to provide cybersecurity services to government or critical infrastructure without a valid license and certification under the new program. The Act would give the President the authority to “declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network.” It would designate the Department of Commerce as a clearinghouse of public and private-sector cybersecurity threat and vulnerability information, and it calls for the President to appoint an executive-level Cybersecurity Advisory Panel with both public- and private-sector members.

President Obama’s long-awaited “60-day” review of cybersecurity policy, the report on which was finally released May 29, also recommended the appointment of a presidential advisor on cybersecurity. The report outlines the severity of the need for better cybersecurity and presents a 10-point near-term action plan that also recommends the preparation of an updated national cybersecurity strategy; establishment of performance metrics; the clarification of roles, responsibilities and authority for cybersecurity-related activities across the federal government; the initiation of a national public awareness and education campaign to promote cybersecurity; development of U.S. government positions for an international cybersecurity policy framework; preparation of a cybersecurity incident response plan; development of R&D strategies that focus on game-changing technologies; and the building of a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties. Upon the release of the report, Obama stated his intention to appoint a Cybersecurity Coordinator with a seat on both the National Security Staff and the National Economic Council, although the individual to fill this role had not yet been chosen as of this writing.

Other bills pertaining to cybersecurity include the Critical Electric Infrastructure Protection Act and a set of bills put forth by Sen. Thomas Carper (D-DE) that intend to unify policies, procedures and guidelines for securing federal information systems by establishing new standards, creating a National Office for Cyberspace and reforming the federal government’s IT procurement processes. And between the writing of this article and its publication, this list of proposals will probably be still longer.

Two elements shared by nearly all of the initiatives now up for consideration are: 1) a call for cybersecurity to take its place as a publicly recognized top priority for government; and 2) a call for greater information sharing and public-private partnership.

Sharing is Key to Success

Louis Magnotti, CIO for the U.S. House of Representatives, is one of many who believe cybersecurity is not complete without coordinated protection across sectors. “An IP address does not care if you’re a government agency or a private-industry corporation,” he says. “Computers do not recognize those boundaries, so our mitigation strategies need to transcend those boundaries as well. All of the players in the public and the private sectors need to put a protection model into place that can do that.”

Without effective information sharing between the public and the private sectors, neither side has all the data it needs to provide the best possible protection, says William Crowell, former Deputy Director of the National Security Agency, current Chairman of the Senior Advisory Board to The Director of National Intelligence, and a member of the Security Executive Council’s Board of Advisors. “I think the private sector in general is way ahead of the public sector in understanding how to approach the threats and how to build systems that deal with them. The public-sector intelligence organizations are much more aware of the sophistication of the threats. The public sector is still focused on building its own technology instead of looking at what the private sector could bring to the party if it knew more about the threats. There are thousands of new approaches to security being developed all the time, but I think for the most part the government only knows about a few that are sometimes several years old.”

Why Today’s Options Do Not Work

There already exist several information-sharing forums that are intended to break down the communication barrier between public and private. This is one of the goals of US-CERT, which aims to facilitate collaboration with state and local government, industry and international partners. There are also other CERTs and multiple ISACs (Information Sharing and Analysis Centers) for individual industries that effectively share industry-specific information, and the National Infrastructure Protection Plan has created an information-sharing environment (ISE) for 18 critical infrastructure and key resources (CIKR) sectors.