U.S. Needs Comprehensive Cybersecurity Strategy, Recommends Commission

By Matthew Harwood

The United States needs a comprehensive strategy against cyberattacks and should create a cabinet-level position within the White House to reflect cybersecurity's importance, recommends a 96-page report from the Center for Strategic and International Studies (CSIS), a Washington think tank.

After a wave of damaging attacks against U.S. government networks in 2007, CSIS assembled a group of 60 experts with knowledge of both government and cybersecurity to make recommendations to the incoming president.

The resulting Commission on Cybersecurity for the 44th President says the United States and President-elect Barack Obama, must above all, create a comprehensive strategy to protect against cyberattacks.

"Comprehensive means using all the tools of U.S. power in a coordinated fashion—international engagement and diplomacy, military doctrine and action, economic policy tools, and the involvement of the intelligence and law enforcement communities," the report explains.

The commission states that President-elect Obama should make a public statement that the cyber infrastructure of the United States "is a vital asset for national security and the economy" and that the U.S. will use all its power to protect it.

The task of creating a comprehensive strategy would fall to the National Security Council (NSC) as well as the proposed cabinet-level National Office for Cyberspace (NOC). The effort would be led by the president's assistant for cyberspace who would run the NOC and work in coordinated fashion with a newly created Cybersecurity Directorate in the NSC, which would "absorb existing Homeland Security Council (HSC) functions."

The commission's recommendation to reorganize how the U.S. government handles cybersecurity came due to their lack of confidence in the Department of Homeland Security (DHS). Many members "felt that leaving any cyber function at DHS would doom that function to failure" reports

The effort, however, to protect U.S. networks is not the sole responsibility of the U.S. government.

The U.S. government, the report recommends, should begin building public-private partnerships through the creation of three new partnership groups.

The first group should be a presidential advisory committee represented by senior level personnel from key cyber infrastructures. The next group should have the look and feel of a town-hall meeting for national stakeholders for education and discussion. The final group would be the Center for Cybersecurity Operations, where private and public stakeholders can collaborate and share information to protect critical cyber infrastructure in a secure environment.

The commission also says that the incoming president should provide tough regulations regarding cybersecurity that will extend to the private sector.

"We believe that cyberspace cannot be secured without regulation," the report states. "The intent of such regulation is to increase transparency and improve resiliency and reliability in the delivery of services critical to cyberspace."

The commission says it rejects "voluntary regulation" and says it will craft regulations that will "fill the gap between what markets will naturally provide and what national security requires."

The commission's other recommendations include authenticating identities better, improving security through the government's acquisition policy, updating decades old cyberspace laws to reflect new technology, and investing in research and development to advance U.S. leadership and security in cyberspace.

The commission warns that protecting U.S. networks from cyberattacks is one of the most critical national security problems the country faces. The source of threats the United States faces in cyberspace range from criminals to foreign intelligence agencies to foreign militaries.

"It is ... a battle fought mainly in the shadows," the report says. "It is a battle we are losing."


View Recent News (by day)


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.