As the transition period leading to the new presidency is almost coming to an end, everyone will probably have multiple requests to the president, and of those is to increase cyber defence. In this optic, a new report created by the “CSIS Commission on Cybersecurity for the 44th Presidency” has release its recommendations on how to secure cyberspace. They consist of:
- Create a Comprehensive National Security Strategy for Cyberspace
- Organizing for Cybersecurity
- Rebuilding Partnership with the Private Sector
- Regulate for Cybersecurity
- Identity Management for Cybersecurity
- Modernize Authorities
- Build for the Future
This report comes 5 years after the “National Strategy to Secure Cyberspace” document released in 2003 by the National Advisory board which goal was to “engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact“. The CSIS’ document doesn’t mention the previous efforts by the National Advisory Board but declares the previous efforts of the Bush administration as “good but not sufficient“.
As usual, it remains difficult to see how much of this report is based on real facts or just a way to secure funds from the new president by linking potential damage to the cyberspace infrastructure to the economy . It states that “America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009“. It uses the cyber attack that occurred on various American networks in 2007 as an example.
While they may be some part of fear mongering in this report, we should not completely put aside threats mentioned in this report. As cyber warfare is mostly a war happening without much fanfare and therefore happens in the shadows, it is hard to really determine what’s going on. Since there is no open war between modern countries, we won’t see any cyber warfare for the time being. For the moment, cyberspace will be used for spying mostly and this is what this document mostly addresses.
“The unclassified e-mail of the secretary of defense was hacked … A senior official at the Department of State told us the department had lost “terabytes” of information,” declares the report, also: “Senior representatives from the intelligence community told us that they had conclusive evidence, covertly obtained from foreign sources, that U.S. companies have lost billions in intellectual properties.“
Unfortunately, “senior representatives“, “conclusive evidence” and “foreign sources” are so vague that it’s impossible to validate the scope of the problem…or even believe it. Another document though, mentioned in the present reading give some examples of the uses of terrorists for cyberspace. It mentions among others the “Muslim Hackers Club” website and the information posted to it, and the use of stolen credit cards and bank account information to finance the Bali attack in 2002.
The authors are putting a lot of emphasis on treating cybersecurity as a priority on the same levels as WMD and any other subject that requires national attention therefore requiring that the federal government take charge of the national cybersecurity instead of IT departments. It proposes that:
1) Standards for computer security be enforce for to the industry such as manufacturing plants and power plants.
2) Cyberspace security be overlook by a cybersecurity chief and that security agencies such as the National Cyber Security Center (NCSC) and the Joint Inter-Agency Cyber Task Force (JIACTF) be merged into one.
A central office in charge of enforcing computer security standards will have to be formed later or sooner. Fortunately this will be sooner. Information Technology departments should not only have a national reference on the standards to achieve, but also have the opportunity to know how to implements those standards by having government-accredited security companies implementing those standards to networks of various industries. I also believe this new agency should periodically test the security of those networks, as I presume, should already be done. The reports propose that instead of a new agency, the Whitehouse be in charge of the national cybersecurity with an assistant to the president.
The difficulty in this resides in the fact that only one weak link is sufficient to be able to attack the entire system. Therefore, it is necessary to screen the entire critical infrastructure in order to be efficiently secured. And since this implies that systems are often connected internationally for large industries, it means an international consensus.
One thing is for sure, is that all the existing computer-security related need to be consolidated in order to focus on a common goal, and that is the protection of cyberspace. As the report states, it also need to be working hand-to-hand with the private sector in order to have a quick reaction to emergencies. Unfortunately this is only another report amongst other. Maybe a more tech-savvy president such as Barack Obama will catch on quicker to this threat. Until then, the battle still rages on in the shadows of the Internet…
“Obama urged to create White House cybersecurity chief “, Dan Goodin, The Register, December 8, 2008, http://www.theregister.co.uk/2008/12/08/cyber_security_report/ (accessed on December 10, 2008)
“Securing Cyberspace for the 44th Presidency”, CSIS Commission on Cybersecurity for the 44th Presidency, December 8, 2008, http://www.csis.org/component/option,com_csis_pubs/task,view/id,5157/
(accessed on December 10, 2008)
“The National Strategy to Secure Cyberspace”, National Advisory Board, February 2003, p. VII
 “Securing Cyberspace for the 44th Presidency”, CSIS Commission on Cybersecurity for the 44th Presidency, December 8, 2008, p.15
 Ibid. p.11
 “Pentagon shuts down systems after cyberattack’, Robert McMillan, InfoWorld, June 21, 2007, http://www.infoworld.com/article/07/06/21/Pentagon-shuts-down-systems-after-cyberattack_1.html(accessed on December 10, 2008)
 “Threats Posed by the Internet”, CSIS Commission on Cybersecurity for the 44th Presidency, October 2, 2008, http://www.csis.org/component/option,com_csis_pubs/task,view/id,5146/type,1/ (accessed on December 10, 2008)
 “Bali death toll set at 202”, BBC News, February 19, 2002, http://news.bbc.co.uk/2/hi/asia-pacific/2778923.stm (accessed on December 10, 2008)