White House: cybersecurity facing a Sputnik moment
May 30, 2009
The Obama administration has sent a number of signals that it takes the information infrastructure of the nation seriously, having approved stimulus money for broadband and established a post for a national CTO. In parallel with these actions, the administration authorized a review of the national cybersecurity policy, and that review is now complete. Depending on how you read the resulting report, it concluded either that we don’t have a cybersecurity policy, or that we have too many of them; in either case, its authors have made a number of very specific suggestions as to how to improve the situation.
The report is fairly blunt, stating early on that "the architecture of the Nation’s digital infrastructure, based largely upon the Internet, is not secure or resilient." As our network infrastructure has developed, the focus has been on things like performance, ease-of-use, and compatibility, and security consciousness was pretty low for much of its history. So, it’s not a surprise that both government and private computer systems have been victimized, and evidence suggests that both private parties and foreign governments have been behind these attacks.
Meanwhile, as the authors of the report put it, "the Federal government is not organized to address this growing problem effectively now or in the future." Responsibilities are spread across a variety of different agencies and, although past administrations have made progress in bringing the policies of different groups into alignment, there is still no overarching policy direction, nor a single authority to coordinate it.
Obviously, the report recommends that we fix all of that. It suggests that the nation should have a single cybersecurity coordinator, operating within the National Security Council. The position should be considered high priority, as indicated by the recommendation that this officer should be based within the White House proper, in order to be accessible. The cybersecurity office should include staff dedicated to both privacy concerns and civil liberties, which will be welcome news to anyone worried that this might lead to NSA-style monitoring programs.
Among the tasks assigned to this office will be developing a coherent security strategy and establishing metrics by which progress can be measured. The office will work with private industry and other interested parties to develop an incident response plan. This last item will require some coordination with the diplomatic corps, as the report calls for bringing together "like-minded nations" to formulate standards on "acceptable legal norms regarding territorial jurisdiction, sovereign responsibility, and use of force."
Relevant to the use of force, the administration is apparently pursuing a parallel, less public effort within the Pentagon, which will see the Department of Defense set up an equivalent branch. Well, partially parallel: the Pentagon version will not only develop defensive tactics and tools, but will focus on providing offensive weaponry as well.
Perhaps the most striking thing about the report, however, is that it suggests that the US may be facing the prospect of being left as a technological backwater when it comes to security, and a national effort will be required to avoid that fate. The authors suggest a historic analog: "similar to the period after the launch of the Sputnik satellite in October, 1957, the United States is in a global race that depends on mathematics and science skills." In response, it suggests that the new office develop a research and development framework, and accompany it with a public information campaign that will stress the importance of security considerations. If necessary, the government should incentivize the use of secure practices and equipment by private industry through programs like targeted tax breaks.
Whether we’ll ultimately see the sorts of leaps in science and technology education that occurred following the Sputnik launch won’t be clear for years. But there is some urgency to acting now. After several years of decline, the number of students who intend to major in computer science is beginning to rise again, and integrating security into their education could provide cybersecurity the sort of boost that the authors of the report say is required.
This post was written by John Timmer on May 29, 2009 3:10 PM, courtesy of arstechnica.com.