Cyberspace Policy Review
Full Title of Reference
National Cyber Defense Financial Services Workshop Report
Full Citation
Executive Office of the President of The U.S. Cyberspace Policy Review. Assuring a Trusted and Resilient Information and Communications Infrastructure (2009). Web
Categorization
- Resource by Type: US Government Reports and Documents
- Issues: Usability/Human Factors; Public-Private Cooperation; Identity Management
- Approaches : Regulation/Liability; Private Efforts/Organizations; Government Organizations; International Cooperation
Key Words
insert key words here
Synopsis
Selection from the Executive Summary:
The Nation is at a crossroads. The globally-interconnected digital information and communications infrastructure known as “cyberspace”underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. This technology has transformed the global economy and connected people in ways never imagined. Yet, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century. The digital infrastructure’s architecture was driven more by considerations of interoperability and efficiency than of security. Consequently, a growing array of state and non-state actors are compromising, stealing, changing, or destroying information and could cause critical disruptions to U.S. systems. At the same time, traditional telecommunications and Internet networks continue to converge, and other infrastructure sectors are adopting the Internet as a primary means of interconnectivity. The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights. It is the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and ensure that the United States and the world realize the full potential of the information technology revolution.
Synopsis from Ascension Risk Management [1], a risk management consulting firm specializing in Infosec:
“The nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat. We need to demonstrate abroad and at home that the United States takes cybersecurity related issues, policies, and activities seriously. This requires White House leadership that draws upon the strength, advice, and ideas of the entire Nation.” ~ A quote from the Executive Summary
The report declares that cybersecurity risks rank up there with the most important economic and national security challenges of the 21st Century. In order to meet this challenge the report declares that: “It is the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and ensure that the United States and the world realize the full potential of the information technology revolution” (from the Executive Summary).
To support this declaration the report mentions a few malicious activities have already disrupted critical infrastructure elements in other countries (the disruption of electric power grids); the exploited financial services (any number of data breaches and fraud cases); and the systematic loss of US intellectual property (estimated to have a loss of economic value as high as $1 trillion dollars). In order to address these issues the report breaks down its findings and recommendations into five areas:
- Leading from the top;
- Building the capacity of a digital nation;
- Sharing responsibility for cybersecurity;
- Improving information sharing and incident response; and
- Building the architecture of the future.
The report calls for the US to be a world leader in addressing the challenges of cyberspace. In order to realize this goal, leadership must come directly from the White House. The rationale for this is the fact that within the US government, only the White House has the authority to coordinate the wide array of capabilities and authorities required to respond to cyber incidents. In order to support and facilitate this authority the report recommends that a cybersecurity policy official be appointed to coordinate the nation's cybersecurity related policies and activities. This individual would be part of the National Security Council (NSC). Additionally it is suggested that this new official should participate in economic, counterterrorism, and science and technology policy discussion in order to provide the cybersecurity perspective; a move that would go a long way to integrate cybersecurity concerns into all sorts of decision making processes. At a high level, the duties of the cybersecurity policy official would revolve around reviewing laws and policies, proposing new legislation, strengthening federal leadership and accountability for cybersecurity, and increasing the interaction between the federal government and state, local, and tribal leadership with regard to cybersecurity.
"Building Capacity for a Digital Nation"
In this section, the report likens the cybersecurity challenge to the space race after the Sputnik launch in 1957. The report calls for an emphasis on math and science skills in order to develop a workforce of US citizens to compete on a global level and sustain the leadership role of the United States. In order to meet these challenges the report calls for the need to build public awareness into the nature and risks involved in the use of cyberspace. In this vein, the report suggests an effort to enhance our education system by integrating cybersecurity into the education curriculum and by promoting scientific, engineering, and market leadership in the IT sector. The report also calls for the need to expand and train the federal information technology workforce. The language here seems to indicate a desire to recapture many of the IT positions that have been lost through outsourcing to the private sector.
"Sharing Responsibility for Cybersecurity"
In this section, the report acknowledges the fact that the federal government cannot succeed without engaging the private sector. A national dialogue is needed between the concerns of the private sector and the needs of the public sector. Input from the private sector is sorely needed to craft legislation and regulations to support businesses that prioritize security.
International Cooperation
The report recognizes that international norms are critical to supporting cyberspace and therefore any national cybersecurity strategy needs to foster international cooperation and collaboration. Some of the items mentioned were the development of uniform technical standards and a standardization of legal practices.
"Creating Effective Information Sharing and Incident Response"
The report calls for a nationwide incident response capability to include Federal, State, local and tribal governments working together with the private sector and international allies, given that cyber incidents are likely to affect networks and systems across both the public and private sector. This section also leverages the Cybersecurity Coordinator named in the "Leadership from the Top" section of the report and calls for the development of a national incident response framework. This framework would go a long way to avoid the confusion surrounding roles, responsibilities and authority that always comes up when multiple departments and agencies respond to an incident.
"Encouraging Innovation"
The report acknowledges that there has been a convergence of technologies where data, voice, and video are now sharing a common infrastructure. This decentralizes the nature of the technology and allows for innovation. It also presents a common vulnerability -- namely the susceptibility of the common infrastructure to disruption. Understandably there are huge national security implications surrounding the vulnerability of this common infrastructure. The report calls for the government to find ways to incentivize the market to innovate and make more secure products. It even hints that legal changes in the form of liability considerations could be in the works for companies that come on board. Conversely increased liability consequences would exist for those who have poor security.
The report then calls for an increase in the research and development efforts of the federal government that would focus on “game-changing” technologies in the effort to enhance the United States’ competitiveness. These efforts would be in conjunction with industry and academia in order to avoid duplication and leverage complementary capabilities.
Another suggestion put forth is the establishment of some sort of federal level identity management system. There are many pros and cons to this option. The report acknowledges that people may be uncomfortable with this idea and in what I read to be a preemptive move calls for cooperation with the civil liberties and privacy communities.
The report concludes with two forms of action plans, a near-term plan and a mid-term plan.
The Near-Term Plan:
- 1 Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy.
- 2 Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.
- 3 Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.
- 4 Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
- 5 Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.
- 6 Initiate a national public awareness and education campaign to promote cybersecurity.
- 7 Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.
- 8 Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement
- 9 In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.
- 10 Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.
The Mid-Term Plan
- 1 Improve the process for resolution of interagency disagreements regarding interpretations of law and application of policy and authorities for cyber operations.
- 2 Use the OMB program assessment framework to ensure departments and agencies use performance-based budgeting in pursuing cybersecurity goals.
- 3 Expand support for key education programs and research and development to ensure the Nation’s continued ability to compete in the information age economy.
- 4 Develop a strategy to expand and train the workforce, including attracting and retaining cybersecurity expertise in the Federal government.
- 5 Determine the most efficient and effective mechanism to obtain strategic warning, maintain situational awareness, and inform incident response capabilities.
- 6 Develop a set of threat scenarios and metrics that can be used for risk management decisions, recovery planning, and prioritization of R&D.
- 7 Develop a process between the government and the private sector to assist in preventing, detecting, and responding to cyber incidents.
- 8 Develop mechanisms for cybersecurity-related information sharing that address concerns about privacy and proprietary information and make information sharing mutually beneficial.
- 9 Develop solutions for emergency communications capabilities during a time of natural disaster, crisis, or conflict while ensuring network neutrality.
- 10 Expand sharing of information about network incidents and vulnerabilities with key allies and seek bilateral and multilateral arrangements that will improve economic and security interests while protecting civil liberties and privacy rights.
- 11 Encourage collaboration between academic and industrial laboratories to develop migration paths and incentives for the rapid adoption of research and technology development innovations.
- 12 Use the infrastructure objectives and the research and development framework to define goals for national and international standards bodies.
- 13 Implement, for high-value activities (e.g., the Smart Grid), an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy.
- 14 Refine government procurement strategies and improve the market incentives for secure and resilient hardware and software products, new security innovation, and secure managed services.
Additional Notes and Highlights
Expertise Required: None