A bipartisan think tank is calling on the incoming Obama administration to enact sweeping changes in U.S. cybersecurity policy — a move that aims to close holes in the nation’s and federal government’s Internet infrastructure.
But the changes could also enforce tough new requirements on agencies and U.S. businesses, according to the recommendations from the Washington-based Center for Strategic and International Studies (CSIS).
The group, a nonprofit think tank focusing on security policy, set up a special Commission on Cybersecurity for the 44th Presidency last year to examine the nation’s Internet defense strategies, in the wake of attacks on several U.S. government Web sites — including those of the State, Defense and Commerce departments, and NASA.
Since then, the commission has been working on hammering out recommendations for the next administration. The group is scheduled to present a report of its findings to the public during a press conference later today in Washington.
It’s a critical moment for national cybersecurity, following a renewed round of cyber attacks and data breaches at major U.S. and state government departments, while observers look to see how Obama plans to lay the groundwork in his administration to safeguard against those threats.
The CSIS committee is hoping that Obama will follow its recommendations in beefing up the nation’s Internet security — suggestions that include creating and reorganizing national cybersecurity offices, new guidelines for agencies and contractors, and the potential for an overhaul of national information security regulations.
The group said its recommendations recognize that cybersecurity is a major national security problem. It also concluded that decisions and actions about cybersecurity must respect privacy and civil liberties, and that only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity can make America more secure.
It’s uncertain how many of the commission’s recommendations are likely to be adopted by the Obama administration. But it’s clear that the suggestions are certain to carry some weight, considering the source.
The commission’s leadership includes U.S. lawmakers like Rep. Jim Langevin (D-RI), chairman of the Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology; as well as corporate representatives like Scott Charney, Microsoft’s (NASDAQ: MSFT) corporate vice president for trustworthy computing. It’s also co-chaired by Harry Raduege, a retired lieutenant general with the U.S. Air Force and chairman of the Deloitte Center for Network Innovation. Raduege also earlier served as the Air Force’s director of the Defense Information Systems Agency.
James A. Lewis, project director for the commission, told InternetNews.com in an e-mail that the commission plans to eventually make its presentation to President-elect Obama’s transition team.
He added that the transition team has agreed to a briefing but has not yet set a date.
A cybersecurity reorganization
Chief among the suggestions from the CSIS’s commission is that the incoming president overhaul the current structure by creating new offices and merging existing ones.
In part, that includes establishing the National Office for Cyberspace (NOC), which will be headed by an assistant to the president, covering cyberspace issues. The NOC will be formed in the Executive Office of the President by merging the existing National Cyber Security Center and the Joint Inter-Agency Cyber Task Force.
The commission also urged Obama to create a new National Security Council (NSC) Cybersecurity Directorate, which would absorb the current functions of the Homeland Security Council. The NOC would support both the NSC Cybersecurity Directorate and the assistant to the president for cyberspace.
According to the CSIS, the NOC, the NSC Cybersecurity Directorate and other relevant agencies should be given authority over various cybersecurity initiatives, including the Trusted Internet Connections initiative.
They should also have the authority to approve budget proposals relating to cyberspace before these are sent to the Office of Management and Budget for final approval.
The CSIS Commission also suggested that the president direct the new NSC and related agencies to create a comprehensive national security strategy for cyberspace, leveraging America’s diplomatic, intelligence, military and economic capabilities, and using law enforcement to bolster its efforts.
“Any successful effort to secure cyberspace will be marked by the ability of law enforcement to identify and prosecute cybercriminals,” the report said. It also suggested that U.S. law enforcement agencies should work more closely with their counterparts abroad to combat Internet threats.
It also recommended that the NOC and the NSC Cybersecurity Directorate manage a new federated regulatory approach for critical cyber infrastructures, and that they adopt a collaborative cybersecurity network across the federal government.
New efforts, rules for private sector?
The report also urged the new administration to work closely with experts and the private sector to discuss how best to secure cyberspace. This will involve creating three new public-private advisory groups that will focus on two key problems — how to build trust between the government and the private sector, and how to focus on truly critical efforts for cyberspace.
The three new groups will be a presidential advisory committee with senior representatives from the National Security and Telecommunications Advisory Committee and National Infrastructure Advisory Council, a town hall-style national stakeholders’ organization, and a new operational organization, the Center for Cybersecurity Operations. They will support the assistant for cyberspace and the NOC.
Securing the nation
The report also called for the Department of Justice to re-examine laws governing criminal investigations of online crimes.
In particular, CSIS urged that the president direct the DoJ to examine the laws with an eye to increasing clarity, speeding investigations and better protecting privacy.
Meanwhile, the group called for the U.S. attorney general to issue guidelines as to the circumstances and requirements for the use of law enforcement, military, or intelligence authorities in cyber incidents.
The report also recommended that the NOC work with the appropriate regulatory agencies and the National Institute of Standards and Technology (NIST) to develop regulations governing industrial control systems. Development of secure control systems could be made a condition of any economic stimulus package that invests in infrastructure projects, the CSIS suggested.
CSIS also said the incoming president should direct the NOC and the federal Chief Information Officers Council to work with industry in developing and implementing security guidelines for federal government IT product purchases — beginning with software.
Government agencies should only contract with telecommunications companies that use secure Internet protocols, and the U.S. should work with other countries and various international bodies to expand the use of secure protocols, the report added.
Enforcing online credentials — and privacy
Strong authentication of identity should also be mandatory for critical cyber infrastructures, such as the energy, finance and government services sectors, CSIS also said. According to the report, the incoming president should direct the NOC and appropriate agencies to implement critical infrastructure authentication in consultation with industry and the privacy and civil liberties communities.
The government also should enable consumers to use strong, government-issued credentials or commercially issued credentials based on these — consistent with protecting privacy and civil liberties, the report added.
The report suggests the president set a six-month timeline for taking the first steps on these initiatives.
Despite its insistence on authentication credentials, the CSIS report also highlighted instances where consumers’ privacy should be protected and enforced.
In particular, it said that regulations should be enacted to prevent businesses and other services from requiring strong credentials for every online activity.
Businesses should instead take a risk-based approach to credentialing, it said.
“Anonymity is important for the online expression of political views or for seeking information about disease treatment, for example,” the report said. “But weak online identification is inappropriate in circumstances where all legitimate parties to a transaction desire robust authentication of identity. Such circumstances include online banking.”
The report also said that by the end of his first year in office, Obama should require every federal government agency to report on how many of its employees, contractors and grantees are using credentials that comply with HSPD-12, the policy for a common identification standard for federal employees and contractors.
It recommended that bonuses or awards should be restricted at agencies that are not in full compliance.