Progress Crawls in Securing Critical Infrastructure

The US government is progressing at a snail’s pace in securing critical American infrastructure according to a Center for Strategic and International Studies (CSIS) commission on cybersecurity examining the first two years of the 44^th presidency.

Two years ago the CSIS published Securing Cyberspace for the 44^th Presidency, recommending 25 areas to promote positive change. At the time, cybersecurity took a back seat to the seemingly more pressing issues of the wars in Iraq and Afghanistan and the increasingly dire economic situation. However, that report helped to spark new attitudes in the government and a dialogue promising that securing cyberspace, despite being understood as a monumental undertaking, had become a priority. Unfortunately, their new report indicates that the rubber has yet to hit the road.

With the advent of Stuxnet, Aurora, Wikileaks and the ensuing slew of DDoS attacks, and high profile government and private sector data breaches, it seems as though 2010 was the year that finally made cybersecurity an unavoidable topic, and perhaps proved that the US is reliant upon yet incapable of securing certain networks that make up our digital infrastructure.

The hurdles that stand between the US and a competent security strategy are many, the necessity of a free and open Internet, the anonymous nature of the Web, various privacy concerns, and even the commercial interests of Internet companies to name a few.

More alarming still is the deepening pool of Web-based threats. There is the somewhat traditional threat of opposing nations with advanced and offensive, military-funded cyberspace capabilities for which the US has very little defense. There are terrorists, who haven’t yet begun to really explore the limitless realm of cyberterrorism, but inevitably will. Then there is cybercrime, with a flourishing black market to support it, where nefarious users can buy the latest and best malware, bulk credit card and personal information, and rent botnets. This leaves us with the most threatening of all, cyber-espionage, chiseling away at American innovations. Estimated losses from high-end security blunders are in the billions, and it all stems from weak internet security.

To this point, most solutions have been based on the smaller, predominantly Western Internet of ten years ago and the 2003 initiative, the National Strategy to Secure Cyberspace. These security measures operated largely under the assumption that private companies would share information with each other and with the government to combat threats, but this has proven difficult.

Since the 2008 report, the government has made some important first steps, like creating a cybersecurity coordinator at the White House. However, the 2010 report highlights ten areas in critical need of more rapid progress:

• Coherent organization and leadership for federal efforts for cybersecurity and recognition of cybersecurity as a national priority
• Clear authority to mandate better cybersecurity in critical infrastructure and develop new ways to work with the private sector
• A foreign policy that uses all tools of U.S. power to create norms, new approaches to governance, and consequences for malicious actions in cyberspace. The new policy should lay out a vision for the future of the global Internet
• An expanded ability to use intelligence and military capabilities for defense against advanced foreign threats
• Strengthened oversight for privacy and civil liberties, with clear rules and processes adapted to digital technologies
• Improve authentication of identity for critical infrastructure
• Build an expanded workforce with adequate cybersecurity skill
• Change federal acquisition policy to drive the market toward more secure products and Services
• A revised policy and legal framework to guide government cybersecurity action
• Research and development (R&D) focused on the hard problems of cybersecurity and a process to identify these problems and allocate funding in a coordinated manner

The report isn’t an altogether negative one. It points to the steamboat explosions, plane crashes, and automobile accidents that plagued those industries immediately following their inception into the mainstream to illustrate that the Internet is more or less in its infancy, and that it will take decades for the necessary legislative adjustments to be made to secure our networks.

However, the report is adamant in its insistence that these changes need to start now, and that the US can’t sit on its hands and wait for a disaster to react. The commission closes with an ultimatum, we can either continue to pursue outdated strategies to combat internet security until some catastrophe occurs, or we can take action now with measurable and effective policies.

Commenting on this Article is closed.