Monday, 16 March 2009

12 changes that would give US cybersecurity a much needed kick in the pants

Potential cyber attacks against federal and private-sector networks loom larger every day and while the Department of Homeland Security (DHS) has made some important efforts, it has yet to fulfill many of the myriad responsibilities placed on it by the national cybersecurity plan.

Those were the main conclusions of a Government Accountability Office report out today on the status of US national cybersecurity efforts. The GAO report included input from a panel of cybersecurity experts including representatives from the Internet Corporation for Assigned Names and Numbers, Juniper, Verizon, the US Department of Justice and the Electronic Frontier Foundation.

The group came up with 12 cybersecurity improvements that DHS and others involved in the protection of national networked assets should employ. According to the GAO report these recommendations are as follows: :

1. Develop a national strategy that clearly articulates strategic objectives, goals, and priorities.

2. Establish White House responsibility and accountability for leading and overseeing national cybersecurity policy: Currently the DHS is the focal point for cybersecurity; however, according to panel members, DHS has not met expectations and has not provided the high-level leadership needed to raise cybersecurity to a national focus. Accordingly, panelists stated that to be successful and to send the message to the nation and cyber critical infrastructure owners that cybersecurity is a priority, this leadership role needs to be elevated to the White House. In addition, to be effective, the office must have, among other things, corresponding authority-for example, over budgets and resources-to implement and employ appropriate incentives to encourage action.

3. Establish a governance structure for strategy implementation. The strategy establishes a public/private partnership governance structure that includes 18 critical infrastructure sectors, corresponding government and sector coordinating councils, and cross-sector councils. However, according to panelists, this structure is government-centric and largely relies on personal relationships to instill trust to share information and take action.

4. Publicize and raise awareness about the seriousness of the cybersecurity problem. Experts suggested that an aggressive awareness campaign is needed to raise the level of knowledge of leaders and the general populace that our nation is constantly under cyber attack.

5. Create an accountable, operational cybersecurity organization. DHS established the National Cyber Security Division (within the Office of Cybersecurity and Communications) to be responsible for leading national day-today cybersecurity efforts; however, according to panelists, this has not enabled DHS to become the national focal point as envisioned. Panel members stated that currently, DOD and other organizations within the intelligence community that have significant resources and capabilities have come to dominate federal efforts. The group told the GAO there also needs to be an independent cybersecurity organization that leverages and integrates the capabilities of the private sector, civilian government, law enforcement, military, intelligence community, and the nation's international allies to address incidents against the nation's critical cyber systems and functions. However, there was not consensus among the panel regarding where this organization should reside.

6. Focus more actions on prioritizing assets, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans.

7. Bolster public/private partnerships through an improved value proposition and use of incentives. Panelists stated that the federal government should provide valued services (such as offering useful threat or analysis and warning information) or incentives (such as grants or tax reductions) to encourage action by and effective partnerships with the private sector.

8. Focus greater attention on addressing the global aspects of cyberspace. Panel members stated that the US should pursue a more coordinated, aggressive approach so that there is a level playing field globally for US corporations and enhanced cooperation among government agencies, including law enforcement. In addition, a panelist stated that the

US should work towards building consensus on a global cyber strategy.

9. Improve law enforcement efforts to address malicious activities in cyberspace. Panel members stated that current domestic and international law enforcement efforts, including activities, procedures, methods, and laws are too outdated and outmoded to adequately address the speed, sophistication, and techniques of individuals and groups, such as criminals, terrorists, and adversarial foreign nations with malicious intent.

10. Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private sector efforts. experts stated that the US is not adequately focusing and funding research and development efforts to address cybersecurity or to develop the next generation of cyberspace to include effective security capabilities. In addition, the research and development efforts currently underway are not being well coordinated between government and the private sector.

11. Increase the cadre of cybersecurity professionals. Experts stated that actions to increase the number of professionals with adequate cybersecurity skills should include (1) enhancing existing scholarships and (2) making the cybersecurity discipline a profession through testing and licensing.

12. Make the federal government a model for cybersecurity. Although the federal government has taken steps to improve the cybersecurity of agencies, panelists stated that it still is not a model for cybersecurity. Further, they said the federal government has not made changes in its acquisition function and the training of government officials in a manner that effectively improves the cybersecurity capabilities of products and services purchased and used by federal agencies.

No comments:

Post a Comment