Securing Cyberspace for the 44th Presidency

From Cybersecurity Wiki
Jump to navigation Jump to search

Full Title of Reference

Securing Cyberspace for the 44th Presidency

Full Citation

Center for Strategic and Int'l Studies, Securing Cyberspace for the 44th Presidency (2008). Web

BibTeX

Categorization

Key Words

National Cybersecurity Strategy (U.S.), E.U. Cybersecurity, Information/Intelligence Infrastructures, Outreach and Collaboration, Privacy Law, CERT

Synopsis

The Center for Strategic and International Studies began this project in August 2007, after the United States suffered a wave of damaging attacks in cyberspace. Guided by our congressional cochairs, we assembled a group of individuals with experience in both government and cybersecurity. The aim of the group was to identify recommendations that are critical to the nation's future cyber objectives. The Commission's three major findings are:

(1) cybersecurity is now a major national security problem for the United States,

(2) decisions and actions must respect privacy and civil liberties,

(3) only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will make us more secure.

Details the state of the nation's cybersecurity, and the informational losses that the United States has been subjected to. The report indicates that a primary point of confusion may be found in misinterpreting the threat of cybersecurity in an industrial era mindset, and over-relying on market based solutions arising to protect vital national interests. Also identified as a key source of vulnerability is a government organized for the industrial age, a giant hierarchical conglomerate with high costs associated with making decisions and obtaining information where crossing organizational boundaries is involved. The indicated result is a porosity that leaves information that grants the U.S. strategic advantages vulnerable and which has been penetrated.

The authors criticize CNCI as being good, but not sufficient. The initiative should not be scrapped, but should definitely be improved. Focusing only on defending government leaves abundant room for such security to be outflanked and bypassed. The core finding reported is that an attitude shift must take place with respect to cybersecurity; it must be treated as one of the dominant security challenges faced by the nation. However, such efforts must not come at the expense of American democratic traditions as they can and should offer the opportunity to reinforce these values. The authors present the successful adaptation of American policy towards Weapons of Mass Destruction and non-proliferation as a powerful paradigm for success in cybersecurity. By shifting non-proliferation to a position of primacy in international activities, the U.S. succeeded in encouraging non-proliferation to be normative in state interactions. Pushing cybersecurity to a position of prominence in present and future efforts is suggested as offering significant opportunities to improve national and global security. There are also multiple possible points of contribution identified for agencies ranging from the Department of State to the Department of the Treasury. The primary emphasis is on cultivating a norm supporting cybersecurity, rather than a specific set of regulations. The authors identify the Council of Europe Convention on Cybercrime (CECC) as one of the most important efforts in cultivating exactly the sort of norms that would help protect our vital national interests. The CECC is a multilateral treaty requiring signatory nations to create the basic legal infrastructure that fighting cybercrime requires and to assisting other nations in investigating and prosecuting cyber criminals.

Executive Summary

The Center for Strategic and International Studies began this project in August 2007, after the United States suffered a wave of damaging attacks in cyberspace. Guided by our congressional cochairs, we assembled a group of individuals with experience in both government and cybersecurity. The aim of the group was to identify recommendations that the next administration can implement quickly to make a noticeable improvement in the nation's cybersecurity as well as formulate longer-term recommendations that are critical to the nation's future cyber objectives:

Create a comprehensive national security strategy for cyberspace

Comprehensive means using all the tools of U.S. power in a coordinated fashion-international engagement and diplomacy, military doctrine and action, economic policy tools, and the involvement of the intelligence and law enforcement communities. The acronym DIME-diplomatic, intelligence, military, and economic (and with law enforcement a crucial addition) - points to the elements needed for a truly comprehensive solution. This strategy should be based on a public statement by the president that the cyber infrastructure of the United States is a vital asset for national security and the economy and that the United States will protect it, using all instruments of national power, in order to protect national security and public safety, ensure economic prosperity, and assure delivery of critical services to the American public.

Lead from the White House

We used the response to proliferation as a model for how to approach cybersecurity. No single agency is in charge of nonproliferation. Major agencies play key roles set by presidential directives and coordinated by the White House. This is how a comprehensive approach to cybersecurity must work. We propose creating a new office for cyberspace in the Executive Office of the President. This office would combine existing entities and also work with the National Security Council in managing the many aspects of securing our national networks while protecting privacy and civil liberties. This new office can help begin the work of building an information-age government based on the new, more collaborative organizational models found in business.

Reinvent the public-private partnership

Government must recast its relationship with the private sector as well as redesign the public-private partnership to promote better cybersecurity. A new partnership with more clearly defined responsibilities, an emphasis on building trust among the partners, and a focus on operational activities will result in more progress on cybersecurity.

Regulate cyberspace

Voluntary action is not enough. The United States must assess and prioritize risks and set minimum standards for securing cyberspace in order to ensure that the delivery of critical services in cyberspace continues if the United States is attacked. We advocate a new approach to regulation that avoids both prescriptive mandates, which could add unnecessary costs and stifle innovation, and overreliance on market forces, which are ill-equipped to meet national security and public safety requirements.

Authenticate digital identities

Better authentication significantly improves defensive capabilities. We spent much time constructing a recommendation that emphasized that if privacy and civil liberties are protected, the United States can mandate strong authentication for access to critical infrastructure .

Modernize authorities

U.S. laws for cyberspace are decades old, written for the technologies of a less-connected era. Working with Congress, the next administration should update these laws.

Use acquisitions policy to improve security

The federal government is the largest single customer of information technology products. We recommend that the United States buy only secure products and services; standards and guidelines for secure products should be developed in partnership with industry.

Build capabilities

Research, training, and education will help equip the United States for leadership and security in cyberspace. Because the United States is faced with a plethora of difficult cybersecurity issues, federal support for focused research and development programs will be a critical component of any successful strategy. These efforts will not produce results in the first year, but they will build the long-term capabilities we need for what has become a new domain for international conflict and competition.

Do not start over

The Bush administration took a major step toward improving federal cybersecurity with its Comprehensive National Cybersecurity Initiative. Although the CNCI is not comprehensive and unnecessary secrecy reduced its effect, we believe it is a good place to start. Our Commission shared initial findings with the Bush administration, adjusting them in light of the CNCI's progress, and we have seen them reflected in the CNCI's evolution since the White House announced the formation of the initiative.

In the 1990s, there was considerable discussion of what the international security environment would look like and what the threats to U.S. security would be in that environment. In the past decade, the shape of that new security environment has become clear. Our research and interviews for this report made it clear that we face a long-term challenge in cyberspace from foreign intelligence agencies and militaries, criminals, and others, and that losing this struggle will wreak serious damage on the economic health and national security of the United States. Finding ways to take better advantage of cyberspace will help give the United States a competitive edge in a world where we are currently running behind, and the ability to operate in cyberspace and to defend against the operations of others will be crucial for our nation to prosper. The United States has begun to take the steps needed to defend and to compete effectively in cyberspace, but there is much to do. The next administration has an opportunity to improve the situation; we hope these recommendations can contribute to that effort.

Additional Notes and Highlights

Expertise Required: Policy - Low