Progress Crawls in Securing Critical Infrastructure

The US government is progressing at a snail’s pace in
securing critical American infrastructure according to a Center for Strategic
and International Studies (CSIS) commission
on cybersecurity
examining the first two years of the 44th presidency.

The US government is progressing at a snail’s pace in
securing critical American infrastructure according to a Center for Strategic
and International Studies (CSIS) commission
on cybersecurity
examining the first two years of the 44th presidency.

Two years ago the CSIS published Securing
Cyberspace for the 44th Presidency
, recommending 25 areas to
promote positive change. At the time, cybersecurity took a back seat to the
seemingly more pressing issues of the wars in Iraq and Afghanistan and the
increasingly dire economic situation. However, that report helped to spark new
attitudes in the government and a dialogue promising that securing cyberspace,
despite being understood as a monumental undertaking, had become a priority. Unfortunately,
their new report indicates that the rubber has yet to hit the road.

With the advent of Stuxnet, Aurora, Wikileaks and the
ensuing slew of DDoS attacks, and high profile government and private sector
data breaches, it seems as though 2010 was the year that finally made
cybersecurity an unavoidable topic, and perhaps proved that the US is reliant
upon yet incapable of securing certain networks that make up our digital infrastructure.

The hurdles that stand between the US and a competent security
strategy are many, the necessity of a free and open Internet, the anonymous
nature of the Web, various privacy concerns, and even the commercial interests
of Internet companies to name a few.

More alarming still is the deepening pool of Web-based
threats. There is the somewhat traditional threat of opposing nations with
advanced and offensive, military-funded cyberspace capabilities for which the
US has very little defense. There are terrorists, who haven’t yet begun to
really explore the limitless realm of cyberterrorism, but inevitably will. Then
there is cybercrime, with a flourishing black market to support it, where nefarious
users can buy the latest and best malware, bulk credit card and personal
information, and rent botnets. This leaves us with the most threatening of all,
cyber-espionage, chiseling away at American innovations. Estimated losses from
high-end security blunders are in the billions, and it all stems from weak
internet security.

To this point, most solutions have been based on the smaller,
predominantly Western Internet of ten years ago and the 2003 initiative, the
National Strategy to Secure Cyberspace. These security measures operated largely
under the assumption that private companies would share information with each
other and with the government to combat threats, but this has proven difficult.

Since the 2008 report, the government has made some
important first steps, like creating a cybersecurity coordinator at the White House.
However, the 2010 report highlights ten areas in critical need of more rapid progress:

  • Coherent organization and leadership for federal
    efforts for cybersecurity and recognition of cybersecurity as a national
    priority
  • Clear authority to mandate better cybersecurity
    in critical infrastructure and develop new ways to work with the private sector
  • A foreign policy that uses all tools of U.S.
    power to create norms, new approaches to governance, and consequences for
    malicious actions in cyberspace. The new policy should lay out a vision for the
    future of the global Internet
  • An expanded ability to use intelligence and
    military capabilities for defense against advanced foreign threats
  • Strengthened oversight for privacy and civil
    liberties, with clear rules and processes adapted to digital technologies
  • Improve authentication of identity for critical
    infrastructure
  • Build an expanded workforce with adequate
    cybersecurity skill
  • Change federal acquisition policy to drive the
    market toward more secure products and Services
  • A revised policy and legal framework to guide
    government cybersecurity action
  • Research and development (R&D) focused on
    the hard problems of cybersecurity and a process to identify these problems and
    allocate funding in a coordinated manner

The report isn’t an altogether negative one. It points to the
steamboat explosions, plane crashes, and automobile accidents that plagued those
industries immediately following their inception into the mainstream to illustrate
that the Internet is more or less in its infancy, and that it will take decades
for the necessary legislative adjustments to be made to secure our networks.

However,
the report is adamant in its insistence that these changes need to start now,
and that the US can’t sit on its hands and wait for a disaster to react. The commission closes with an ultimatum, we can either continue
to pursue outdated strategies to combat internet security until some
catastrophe occurs, or we can take action now with measurable and effective
policies.

Suggested articles