Mr. Obama? Don't forget the cyberwar threat
By Angela Gunn | Published December 8, 2008, 7:39 PM
A 96-page report released Monday by the Center for Strategic and International Studies paints a gloomy picture of where America stands in the matter of infowar. (Hint: "Stands" may be too optimistic a verb.)
The report is blunt: We're in trouble, our laws are out of date, we need leadership from the White House, and money (public and private) must be applied to the problem. Only a plan that respects privacy and civil liberties will do, and only a comprehensive policy covering both domestic and international situations will work.
It's hard to turn the course of government on a DIME, but that strategy -- combining Diplomatic, Intelligence, Military, and Economic efforts -- is the commission's recommendation. (Law enforcement's mentioned too, but DIMELE just doesn't have the same change-redolent jingle, does it?)
Cyberwar isn't something out of "Strangelove." We've been drilling for it for years -- and some observers would suggest that we've been engaging in it, too. Over just the past year, the Departments of Defense, State, Homeland Security, and Commerce, along with NASA and the National Defense University, have all been targeted by hack attacks from outside our borders, and those are the ones we know about. As recently as last week, the Department of Defense was forced to scramble in response to an old-but-tweaked worm that made its way onto both NIPRNet and SIPRNet through, allegedly, USB drives left scattered in parking lots.
The report calls for a strong statement from the White House that our cyber-infrastructure is a vital asset, and that we'll protect the asset with "all instruments of national power" to assure our security, safety, prosperity, and ability to deliver critical services.
In fact, it's hard to imagine language much stronger landing on the desk of an incoming president in, well, any economy but the current one.
"The United States must treat cybersecurity as one of the most important national security challenges it faces," the report says. Calling the previous administration's Comprehensive National Cybersecurity Initiative "good but not sufficient," it describes cybersecurity as "a strategic issue on par with weapons of mass destruction and global jihad."
The report also calls for a new National Office for Cyberspace, to work with the National Security Council (NSC) -- and says that it needs to be based in the Executive Office of the President. In addition, the report suggests that there should be established a Cybersecurity Directorate in the NSC that absorbs the functions of the Homeland Security Council (HSC). The HSC was formed in the aftermath of 9/11 and has been heretofore separate from the NSC. Existing agencies would keep their current operational abilities; for instance, DHS would retain control of US-CERT.
Privacy watchdogs will be interested to see the report's thinking on identity management. The report advocates for the use of strong identity authentication for critical cyber-infrastructures, and fast -- the President should have a progress report within six months. But there's at least some serious thought about how to keep online entities, particularly businesses, from abusing new standards for credentials. The FTC, in its GLBA-enforcement aspect, would be in charge of riding herd on that.
The government's own standards for maintaining security also need an overhaul. The report calls for a rewrite of the Federal Information Security Management Act (FISMA) to introduce performance-based security measurements, which ought to unnerve those charged with passing those FISMA audits. And civilian agencies and national security programs are to move onto an equal legal footing when it comes to tech standards; risk-based standards covering all federal IT systems are to be developed.
The CSIS Commission on Cybersecurity for the 44th Presidency has been working on the report since August 2007; its work included dozens of meetings and briefings with government and private-sector officials as well as multiple congressional hearings and briefings. The commission's chairs were Rep. Jim Langevin (D - R.I.), Rep. Michael McCaul (R - Tex.), Air Force Lt. Gen. Harry Raduege (ret., currently with Deloitte), and Microsoft Corp. VP for Trustworthy Computing Scott Charney. CSIS is bipartisan and nonprofit.
More school for the Gov't contractors...........
Score: 0
|President Obama, like myself, uses a Mac, so we could care less about a "cyberwar threat". I suggest the rest of you ditch Winblows and be TRULY secure for once.
Score: 0
|I figured he was trolling since the President needs to be concerned, no matter what computer he does or doesn't use.
Score: 0
|A new department huh?
Yup, we need more meetings discussing what we would be doing if we weren't in meetings.
If they simply fully implemented Info Assurance best practices (and NOT those of FISMA!!!) and managed to pass a security audit, they would do more than simply adding more layers of bureaucracy!!!!!!!!!!!
We DON'T need more symbolism over substance! And what needs to be done is already well known and defined in InfoSec best practices!
Score: 0
|Foxfyre, Foxfyre -- best practices are a beautiful dream, but you know what best gets a C-level exec's attention? Angry lawyers in suits. Companies (and the lobbyists that love them) just don't tend to see the business case for anything more than CYA-level standards, because the consumers have made it rather clear they don't care. Ask TJX how painful it was to go out of business after their big breach, when the customers demanded better protections -- oh WAIT! Didn't happen! Not even sort of!
I'd tend to agree with you re Info Assurance best practices, in theory. Who among us who understands these things can argue that FISMA and its ilk are anything more than lowest-bar stuff? But blowing up FISMA and starting over with performance-based measurements -- where they probably should have been based all along, methinks -- is a good start, precisely because for a lot of companies it's the only bar they'll clear. (As we read in yesterday's piece re the same -- you blew it off as old news in comments, but the devil really is in the details on that one. I went around all weekend, post-briefing, grumbling about "81 percent" and unwarrantedly high corporate self-esteem.)
Re the meetings, BTW -- I read the s*** to having the directorate at NSC as a hopeful sign of streamlining, actually. Always thought that having HSC separate had to slow things down, but in that White House, things were going to be the way they were going to be...
Score: 0
|Suing the government? Now who is talking a fruitless and futile effort?
I don't care about FISMA. There already exist real-world performance-based standards such as COBiT and ISO17799 (27001/2) - comprehensive, cross-linked existing security policies and procedures. Best practices already exist.
And I defy you to tell me how creating a new layer of bureaucracy which has nothing to do with actually implementing them adds to their being done.
All that is required is the mandate to implement them - and a persistent priority to see their implementation is actually completed as opposed to their being a priority only for as long as the current focus is upon them and while folks are watching!
...And accountability for their successful completion.
A word that, in regards to infosec in the government, means even less than in private business.
The tools and standards already exist. The problem is NOT the lack of effective guidelines. The problem is a surplus of pamphlets outlining them and a shortage of those actually given the means and responsibility to implement them!
A classic example: One can have an MS or PhD in Information Assurance from a graduate center of excellence in IA and their qualifications are determined how? Oh, they aren't qualified unless they have taken the CISSP exam - for which a week long bootcamp will 'qualify'(sic) you! LOL! Yup, we've got our priorities straight!
In other words, we need a few more professionals doing the job rather than political wonks authoring studies.
You don't need new layers of bureaucracy and departments to do this! What you need are the professionals who ALREADY exist, as well as those being turned out by the various Information Assurance Graduate Centers of Excellence to be used to do it - rather than their being ignored and expected instead to simply literally configure firewalls.
We need another layer of abstracted bureaucracy that has no direct impact upon implementation like we need radical growth in the size of the Department of Education and in the staff of the NEA to effect better education...NOT!
But then, the rigorous re-examination of teaching standards has resulted in thousands of overly qualified folks, left under-employed by engineering and tech off-shoring, with multiple graduate degrees in math and the sciences and with years of experience implementing workable technology and perhaps even university teaching, still literally considered unqualified to teach 7th grade math and science without having to go back and earn 2-3 courses short of a full Masters in Ed to teach and assist in the "critical shortage of... math and science teachers" (per "no child left behind") in this country! Yet some 22 year old who has only read about the subject is considered "highly qualified".
Sound familiar?
Score: 0
|So if I understand you correctly, what you're really saying is that if people really want to be secure they should just get a Mac?
It's about time we agree on something.
Score: 0
|Why do you even bother? Even as a joke that wasn't funny. Foxyfyre is completely correct and should have been taken seriously. However, the ones that will actually make the decision will not listen to anyone without lots of money and that's a truism. Once again, we'll have people without a clue making decisions that they are not qualified to make. Par for IT stuff.
Score: 0
|You know, even if I wanted to propose that, the IDIOTS at APPLE render such an option moot!
OSX is an EXCELLENT choice in this realm and for this purpose! Too bad the product AND the opportunity is utterly squandered.
TOO BAD APPLE DOESN'T OFFER THE SUPPORTING HARDWARE TO EFFECTIVELY MAKE USE OF IT! Let alone a support structure capable of dealing with the enterprise! (and no, nitwit, that is not some Star Trek convention you and Steve dress up for on the weekend and troll the restrooms claiming to be soliciting only autographs)
A standalone machine does not a secure distributed environment make.
And even if Apple got their collective heads out of Steve Jobs' @ss, they MIGHT come out with real low-end and high-end portables sufficient for more people to effectively do tasks - which they DO NOT have now!
Oh, and then, to move to the notion of deploying Macs in the enterprise - whatever happened to Apple certifying OSX for the open Unix capability allowing it to run any POSIX-compliant UNIX application on OSX without having to have a specific OSX version available - in other words, it could run an AIX, HP-UX, Solaris, etc. app without modification in a completely supported form???????????
Oh, but yeah, Apple doesn't have a clue what the enterprise is and squanders yet another opportunity just begging for it. Just as Apple's lack of push email capabilities and secure communications with the iPhone renders it a fancy but unwelcome guest in the enterprise compared to RIM's products.
So many opportunities, and so little wherewithal, as APPLE instead chooses to focus their efforts on the race to capture the 14-21 year old wow market.
Score: 0
|Don't worry he will nationalize the Terrorists too..
Score: 0
|Zinnnnnnng...
Score: 0
|They have already been granted the rights of citizens...
Score: 0
|The Geneva Conventions don't apply here. We're making up the rules as we go along because there _are_ no rules when it comes to fighting non-nationalized guerrilla combatants.
We seem to be erring on the "Peace, Love, and Happiness" side of things. We all know how well that's worked for us in the past, but who needs history lessons in a tech forum, right?
Score: 0