RealTime IT News

Obama Faces New Calls for Cybersecurity Revamp - Page 2

The report also urged the new administration to work closely with experts and the private sector to discuss how best to secure cyberspace. This will involve creating three new public-private advisory groups that will focus on two key problems -- how to build trust between the government and the private sector, and how to focus on truly critical efforts for cyberspace.

The three new groups will be a presidential advisory committee with senior representatives from the National Security and Telecommunications Advisory Committee and National Infrastructure Advisory Council, a town hall-style national stakeholders' organization, and a new operational organization, the Center for Cybersecurity Operations. They will support the assistant for cyberspace and the NOC.

Securing the nation

The report also called for the Department of Justice to re-examine laws governing criminal investigations of online crimes.

In particular, CSIS urged that the president direct the DoJ to examine the laws with an eye to increasing clarity, speeding investigations and better protecting privacy.

Meanwhile, the group called for the U.S. attorney general to issue guidelines as to the circumstances and requirements for the use of law enforcement, military, or intelligence authorities in cyber incidents.

The report also recommended that the NOC work with the appropriate regulatory agencies and the National Institute of Standards and Technology (NIST) to develop regulations governing industrial control systems. Development of secure control systems could be made a condition of any economic stimulus package that invests in infrastructure projects, the CSIS suggested.

CSIS also said the incoming president should direct the NOC and the federal Chief Information Officers Council to work with industry in developing and implementing security guidelines for federal government IT product purchases -- beginning with software.

Government agencies should only contract with telecommunications companies that use secure Internet protocols, and the U.S. should work with other countries and various international bodies to expand the use of secure protocols, the report added.

Enforcing online credentials -- and privacy

Strong authentication of identity should also be mandatory for critical cyber infrastructures, such as the energy, finance and government services sectors, CSIS said. According to the report, the incoming president should direct the NOC and appropriate agencies to implement critical infrastructure authentication in consultation with industry and the privacy and civil liberties communities.

The government also should enable consumers to use strong, government-issued credentials or commercially issued credentials based on these -- consistent with protecting privacy and civil liberties, the report added.

The report suggests the president set a six-month timeline for taking the first steps on these initiatives.

Despite its insistence on authentication credentials, the CSIS report also highlighted instances where consumers' privacy should be protected and enforced.

In particular, it said that regulations should be enacted to prevent businesses and other services from requiring strong credentials for every online activity.

Businesses should instead take a risk-based approach to credentialing, it said.

"Anonymity is important for the online expression of political views or for seeking information about disease treatment, for example," the report said. "But weak online identification is inappropriate in circumstances where all legitimate parties to a transaction desire robust authentication of identity. Such circumstances include online banking."

The report also said that by the end of his first year in office, Obama should require every federal government agency to report on how many of its employees, contractors and grantees are using credentials that comply with HSPD-12, the policy for a common identification standard for federal employees and contractors.

It recommended that bonuses or awards should be restricted at agencies that are not in full compliance.