The lexicon in Washington around cybersecurity is changing. In the coming weeks, you're going to hear a lot about offense and defense, for instance, and it will have nothing to do with the Redskins. It will have to do with militarizing cybersecurity, and with making critical infrastructure and federal and public networks strategic assets.
While previous administrations have treated cybersecurity with policies and toothless national strategies, indications are the Obama administration is going to elevate it beyond a paper exercise.
Beyond the nonsensical distractions of the Obama BlackBerry, the president and those around him seem to appreciate the importance of connectivity and the need for security and assurance to national security and commerce. Just about halfway through his first 100 days, Obama has already ordered Melissa Hathaway, senior advisor for the Director of National Intelligence, to conduct a review of the government's cybersecurity policies and processes, including the top secret Comprehensive National Cybersecurity Initiative (CNCI), which she helped build under the Bush administration. There are also rumblings that cybersecurity oversight may move out of the Department of Homeland Security and into the White House, reporting to Obama.
Hathaway's name is on a short list for the top cybersecurity job, and many hope her review actually evolves into an agenda for the position. Others, such as Paul Kurtz, who led Obama's transition team on cybersecurity, have already crafted ambitious agenda items that include the establishment of a national cyberadvisor, declaration of cyber-infrastructure as a strategic asset, calls for cooperation with the private sector on standards that will improve the resilience of infrastructure in case of attack, standards to protect proprietary information from cyberespionage, and a mandate for standards to secure personal data.
One thing that's painfully clear -- and has been for some time -- is that the status quo is broken. Influential people are being vocal about the need to bring the NSA and the intelligence community deeper into the conversation. Kurtz's exceptional keynote last month at Black Hat DC urged cooperation between intelligence collection authorities, law enforcement and the private sector to gain what he called a "synoptic" view of what was happening on critical networks.
"For more sophisticated and persistent attacks, we must be willing to fuse data so we can trace back the origin of attacks and warn critical sectors of the economy," Kurtz said. "This does not mean the intelligence community is engaging in espionage on behalf of the private sector, or will carry out these activities without oversight, whether from privacy organizations or Congress."
This is a big reason for the gap in the past: attack origins have never been understood. As it turns out, the wrong people were writing the right policies, and the agencies that understood attackers and attack methods were never consulted. For example, policies such as the National Strategy to Secure Cyberspace, written in 2003, were not only birthed when many attacks were hypothetical, but were so sanitized as to be impotent. FISMA, written by NIST, has been great at producing report cards and compliance reports, but has done very little to change behaviors and the insecure state of critical networks.
Little was being done to dissuade attacks on critical infrastructure, in particular from China. The Titan Rain attacks of 2003 may have shone a light on the situation, but little more. The turning point came in 2007 when attacks hit a dangerous peak -- what some have called an intelligence Pearl Harbor.
A series of government agency networks were toppled in '07. Those in the know say the networks were unclassified, yet a lot of data was downloaded and surely a few treasures were left behind. It got so bad that the Secretary of Defense's unclassified email was breached and a Commerce Department website had to be taken offline for nearly a month. The attacks haven't abated here -- the United States Central Command (USCENTCOM) has been targeted -- or abroad, where German chancellor Angela Merkel's email was read as well. Heck, even the campaign websites of both presidential candidates were attacked last year.
"It's a wake-up call when the departments of defense, commerce and state are hacked or forced offline," says Jim Lewis, director and senior fellow at the Center for Strategic and International Studies.
"You've gotta go to people who understand attacks, such as the Red Teams at NSA, and those who clean up, such as US CERT -- forensics people," says Alan Paller, director of research for the SANS Institute. "There has to be a shift from those who write policy, to those who understand attacks. Offense must inform defense. From my perspective, the most critical thing to do is to make sure we stop the bleeding and get serious about international standards and change federal policies so agencies can't get away with just writing reports."
The 2007 attacks got President George Bush's attention. He earmarked $30 billion for cybersecurity and ordered what eventually became the top secret CNCI 12-point plan.
"I think they're finally moving away from that paper-based approach of a few years ago, which was so disconnected from real security," Lewis says. "Now the change has been to attack-based metrics and attention given to attack vectors. It's not enough, but it's progress."
How much progress? Well, that's Hathaway's job to determine. Her 60-day review is under criticism on some fronts, because part of her job is to look at CNCI, which she helped develop. But almost universally, she's praised as a person with considerable program management skills and someone who can coordinate efforts between government agencies.
"When you think about who in government could have done this, only two or three come to mind. She's a logical choice," Lewis says. "She's not a career (government) person. She has an outsider's perspective."
CNCI is a key element moving forward; the problem is that most of it is classified, and Lewis, for one, thinks most of it could be declassified.
"It's incredibly dumb that CNCI is not transparent," Lewis says. "Overclassifying CNCI is one of its biggest problems. You could declassify 80 percent of it and not do any damage. The other side of the coin is that if our foreign enemies have penetrated unclassified networks, they probably have a fair idea of what is in CNCI."
Hathaway, or the next cybersecurity advisor, will also have to consider advising President Obama on the development of cyberweapons that can be used either as deterrents or as offensive weapons to disable strategic military capabilities, as Kurtz suggests, or to take out botnets on behalf of either critical infrastructure or private networks -- all with Congressional oversight.
The security industry should be encouraged because the Obama administration is willing to listen and, apparently, act on these fronts. Hopefully, Melissa Hathaway's findings will be made public, and hopefully she delivers a dynamic message, because it's going to have to be dynamic to be heard above the din caused by the depressed economy.
As Kurtz rightfully pointed out: "This is going to require a sustained effort in this economic environment, but that doesn't mean we shouldn't focus on this."
Michael S. Mimoso is Editor of Information Security. Send feedback on this column to firstname.lastname@example.org.