Intelligence and National Security Industry Group Recommends Cyber Czar

By Matthew Harwood

With the release of President Barack Obama’s 60-day cybersecurity review imminent, another industry group has recommended that the White House appoint a cabinet-level cybersecurity official to lead the effort to secure the nation’s critical infrastructure from cyberattacks.

“The responsibilities of this individual shall include the development of the national cyber security plan and organizing our nation to effectively function through a cyber attack,” the report from the Intelligence and National Security Alliance (INSA) recommended. The position also should be imbued with the necessary power to get the job done, the report said.

The group is made up of prominent corporate powerhouses in defense, communications, and IT products and services, such as BAE Systems, Boeing, IBM, Microsoft, and L3 Communications.

“Our group, near unanimously, believes that leadership is the key issue to solve most, if not all, U.S. cyber security issues, problems, and challenges,” the report notes. “We believe that progress in any cyber security area cannot occur without proper leadership because roles, missions, and responsibilities overlap and are not sufficiently clear.”

The INSA believes that the Obama administration, by creating such a powerful position within the White House, will send an important message to not only the private sector, but to the entire federal government and U.S. adversaries now preying on our cyber weaknesses.

The INSA also said the government should swiftly share lessons learned, best practices, and threat information with the private sector as a “real value added,” while creating minimum cybersecurity standards for the private sector to protect critical infrastructure.

Eighty-five percent of all critical infrastructure in the United States is privately owned. The most important sectors to secure first, according to the report, are the communications, power, transportation, and financial critical infrastructures.

The INSA says the Obama administration should draw on the Capability Maturity Model Integration, a public-private partnership between the Air Force and the Carnegie Mellon Institute to address software development risk in the 1980s, as well as two private-sector efforts, the Consensus Audit Guidelines and Cyber Preparedness Levels, to establish common, minimum cybersecurity standards and build a working relationship with the private sector.

“The common standards should assist private sector organizations with understanding different cyber threats,” the report says, adding “These standards should also determine what level of cyber defense they may want to use for a particular system, organization, or network.”

As recent admissions have shown, U.S. networks have been under a withering array of cyberattacks, mainly from China and Russia, poking and prodding networks for weaknesses and information. To help prepare for the day a large-scale cyberattack occurs, the Obama administration should develop a National Cyber Recovery Plan and test it periodically to assure its effectiveness.

Another matter needing attention, according to the report, is the development of better analytics to discover the source of an attack.

“In order to deter, enforce, and defend, the government and private sector need to work together to fund technologic innovation in the ability to do advanced, real time analytics and processing to achieve attribution.”

A copy of the report, according to Reuters, will be sent to Melissa Hathaway, President Obama’s pick to lead the 60-day review of the government’s cybersecurity capabilities.



Intel on China's Growing Cyber Program

DoD stated the following.

“China has also identified 16 “major special items” for which it plans to develop or expand indigenous capabilities. These include core electronic components, high-end universal chips and operating system software, very large-scale integrated circuit manufacturing, next-generation broadband wireless mobile communications, high-grade numerically controlled machine tools, large aircraft, high-resolution satellites, manned spaceflight, and lunar exploration.”

“The PLA is investing in electronic countermeasures, defenses against electronic attack (e.g., electronic and infrared decoys, angle reflectors, and false target generators), and Computer Network Operations (CNO). China’s CNO concepts include computer network attack (CNA), computer network exploitation (CNE), and computer network defense (CND). The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks. In 2005, the PLA began to incorporate offensive CNO into its exercises, primarily in first strikes against enemy networks.”

The above was taken from the US DoD Annual Estimates of Information Warfare Capabilities and Commitment of the PRC.


The following information is from a summary of China's trusted computing program (TCP).

They specifically talk about the "trust chain", which includes "new OS component, OS, BIOS and CRTM." (PAGE 6)

Their extended trust chain model includes an "OS loader and the OS Kernel as well as Applications" (PAGE 8)

Their security architecture shows "strengthened BIOS and a strengthened OS TSS" (PAGE 9)

They also present a secure memory area on a microprocessor. (PAGE 10)
