A Washington-based security think tank is planning to establish a commission comprising information security experts from the private sector and policy organizations to create a series of recommendations on cyber security for the next president.
The Commission on Cyber Security for the 44th President, to be announced on Tuesday in Washington, will be tasked with exploring the existing federal security policies and infrastructure and then building a set of practical recommendations for ways that the next president can improve the status quo. The group will be co-chaired by a Congressional leader and an official from the private sector.
The new commission, which is the work of the Center for Strategic and International Studies, likely will be following up on the National Strategy to Secure Cyberspace , the long-range plan developed during George Bush's first term. That document was the work of government officials working with experts in academia and the private sector. But shortly after its release in 2003, experts, including some who participated in the report's creation, began criticizing it for being too vague and lacking specific, near-term actions that could be taken. Richard Clarke, the president's advisor on cyber security issues and the man who led the effort to create the national strategy, stepped down a few months after its release and a series of successors had little success implementing the measures recommended in the plan.
Among the members of the new commission are Mary Ann Davidson of Oracle Corp., Ed Felten of Princeton University, Shannon Kellogg of EMC Corp., Paul Kurtz, former head of the Cyber Security Industry Alliance, Marcus Sachs of The SANS Institute and Michael Vatis, former head of the FBI's National Infrastructure Protection Center. On the government side, Margie Gilbert of the National Security Agency and Jessica Herrera-Flanigan, the staff director of the House Homeland Security Committee and former federal cyber crime prosecutor, will be ex-officio members.
Some of the recommendations in the original plan, such as better information sharing between the federal government and private sector, have been put in place. But for the most part, the national strategy is regarded as a missed opportunity and overall failure by most in the security community.
"I think there is a lot of dialog, to give credit where it's due. But I'm not sure about the quality of the dialog. It varies from group to group," said Amit Yoran, CEO of NetWitness Corp., and a member of the CSIS commission. Yoran is the former head of the Nation Cyber Security Division at DHS, as well. "I think what we need is some better guidelines on that interaction. There isn't a whole lot of specificity in the national strategy on that."
Now, the question is whether an effort from the private sector can succeed where one with the full backing of the federal government couldn't.
"I think it will be easier this time around because we've realized that the enemy is already inside of us," said Tom Kellerman, vice president of security awareness at Boston-based Core Security, and a former security official at the World Bank who helped develop the original national strategy. "People have seen that our worst-case scenarios have already happened. Now the question is how do we galvanize the public to protect this soft underbelly? Our enemies have realized that our over-reliance on technology is our soft spot and they can compromise these systems at will. We no longer have the monopoly on being the big brother. This technology can be used against us."
The Bush administration has been roundly criticized by security experts for what they perceive as a lack of attention to the problem of computer security. The top security job at the Department of Homeland Security has changed hands several times in the last few years and at one point was vacant for more than a year. The CSIS-supported commission plans to hold several plenary sessions on the issues relating to improving cyber security, including the current threats and public policies and whether new legislation or regulations are needed. Ultimately, the commission intends to release a report and a set of recommendations to the president for concrete ways in which the government can work to improve security.
Kellerman, who is also on the new commission, said that one key to ensuring the success of the commission's efforts is to work with other organizations to find practical solutions that can be implemented in the near term to address specific problems.
"We can't take this as a unilateral effort," he said. "We need to work with some of these other multinational organizations. Why aren't groups like the World Bank and the IMF [International Monetary Fund] being forced by the Treasury to give loans to some of these hackistan-type countries so they can harden their infrastructures against this stuff?"
The commission will meet for the first time on Nov. 7 and is due to complete its work by the end of 2008.