U.S. falling far behind on cybersecurity

In the next few weeks President Barack Obama will be handed a report detailing the country’s cybersecurity defenses and laying out what’s needed to protect America’s technology resources from hostile nations and organized crime groups.

In the next few weeks President Barack Obama will be handed a report detailing the country’s cybersecurity defenses and laying out what’s needed to protect America’s technology resources from hostile nations and organized crime groups.

 It will not be a pretty picture.

Cybersecurity experts, former advisers to George W. Bush, and those involved with Obama’s security plans say that the U.S. has fallen dangerously behind the state of the art in information security. They conclude that it would take a major and immediate shift in thinking, funding and collaboration to reverse a nearly decade-long decay in cyber readiness.

As it stands, there is no one federal agency designated as the lead for cybersecurity and that has led to years of infighting, turf wars and ugly public and private arguments about who is in charge of what. The disorganization also has been a major contributor to the Department of Homeland Security’s inability to keep anyone in the top cybersecurity post for more than a year.

Things are so bad, in fact, that if a major national cybersecurity attack came tomorrow, there would be no real coordinated response, experts say. Each federal agency would react separately, scrambling to defend its own network without any central clearinghouse for data and information sharing.

“Who’s in charge? I don’t think we have an answer for that today, and that’s pretty scary,” said Paul Kurtz, a former top advisor on cybersecurity to Bush and an advisor to Obama during his transition. Kurtz, speaking at a security conference recently in Washington, said there have been proposals floated inside the Beltway for an online emergency management organization.

“Obama’s review should look at this,” Kurtz said. “There are reviews under way at DHS and the FCC. The bottom line is, Is there a need for an Internet FEMA? I don’t think there is.”

What is needed, Kurtz and others say, is true collaboration and information sharing, both within the government and between Washington and the private-sector organizations that own much of the country’s critical technology infrastructure. This is an old saw in federal security circles and it’s been the centerpiece of every comprehensive plan to improve cybersecurity, starting with the original National Strategy to Secure Cyber Space in 2003 on up through the recently released report from the Center for Strategic and International Studies, “Securing Cyberspace for the 44th President.”

Yet, strategy has never gotten any traction, experts lament. There are two key reasons for information sharing’s abject failure.

First, it’s is a one-way street. The government is great at receiving data and is more than happy to take whatever the private sector wants to give. But when it comes to returning the favor, there’s traditionally been silence. Federal officials deem attack and vulnerability data classified. That attitude created a schism between federal agencies such as DHS, FBI and CIA, and the network operators, security researchers and others who should be key parts of cyber-security equation.

Information sharing has also suffered because once the data is in the government’s hands, it gets classified and compartmentalized so much that most federal security experts have no idea what their counterparts at other agencies know or are working on. One former federal cybersecurity official said that it was commonplace in meetings for FBI officials to refuse to share information with CIA officers and vice versa.

“Information sharing is too reactive from my perspective. It’s too industry-specific,” says Tom Kellermann (right), vice president of security awareness at Core Security Technologies, and a former security manager at the World Bank. Kellermann also was on the committee that drafted the CSIS cybersecurity report. “Many of these issues are cross-cutting and the need for a horizontal approach is apparent.”

The weakness of the country’s defensive mechanisms and response capabilities is a serious problem. But perhaps even more concerning is that while U.S. officials have been throwing rocks at each other, serious threats have developed in the form of highly skilled, loosely organized online gangs of criminals that quietly have been penetrating government and private networks, including banks, NASA and the Department of Defense.

The cyber criminals are building massive networks of compromised PCs, known as botnets, which they can leverage for massive denial-of-service attacks against virtually any network, or use to poison legitimate Web sites with malicious software that then infects unsuspecting visitors. This all happened while the government and law enforcement were focused on the bogeyman of cyberterror, which has yet to materialize.

To close this gap and get the U.S. on an equal footing with its adversaries, Kurtz and others say the Obama administration needs to devote significant resources to two specific areas: offensive cyber weapons and the ability to trace attacks to their origins and take the offending servers down. The mention of offensive cyber weapons makes many in the security community very nervous, but Kurtz said it’s foolish to ignore the need for them.

“There’s a reluctance to have a public discourse on this. It’s like nuclear weapons were years ago,” he says. “It’s much the same today in cyberspace. We need to have a discourse on what this looks like. The long-term strategic vision for development of cyber weapons is to disable the enemy’s strategic military capabilities. How might we look at the enemy and see how we can engage in cyber war to suppress their capabilities? We haven’t had the discussion in that space. We don’t have the long term thinking in place.

“We need appropriate oversight from Congress. It can’t be developed in secret,” Kurtz said. “But we can’t sit back and not have the capability to defend ourselves. It’s too late. The enemy is already there,” he added.

As politically sensitive as the subject of offensive weapons is, the idea of being able to follow attacks back to their jumping off point and then black-hole those servers is perhaps even more touchy. It’s only in the last couple of years that national law enforcement agencies have begun to collaborate in a truly meaningful way on cybersecurity arrests and prosecutions. So the concept of allowing foreign governments to reach through the wire and take down a server in, say, Brazil or Malaysia, is not one that has received much of a favorable reception to date.

Most of these actions take place through back channels in the private sector, with one network administrator calling another and asking for a server to be taken offline.

“We must begin by addressing the issue of attribution. We need to be able to use intelligence with the private sector to determine where the attacks are coming from,” Kurtz said. “If you link what we know in the intelligence community with the private sector, we can come out with a declaratory policy that says we will look to connect the dots and fuse all the information through all the capabilities we have to see who’s attacking the network. That’s the beginning of a deterrent policy.”

All of the talk about information sharing and better defenses is fine, but for many in the security community, the hopes for a real change in the country’s cybersecurity posture rests squarely on the White House. The responsibility for cybersecurity was part of the White House for the first part of this decade, but after the creation of DHS, that function shifted to the new agency, with disastrous results.

A string of experts — beginning with Amit Yoran, a former technology executive, and ending with Rod Beckstrom, an security entrepreneur and author — has taken a shot at the top security job and found that there were too many obstacle and too little power. The job now sits vacant, and the hope among Washington insiders is that Obama will return authority for cybersecurity to Pennsylvania Avenue.

“The need for a cyber advisor is paramount,” said Kellermann. “It’s very much tied to that person. There’s a recognition that we’ve been losing and we need to assess our vulnerabilities as our enemies do. If [the cybersecurity czar position isn’t returned to the White House] I’ll be completely shocked. That would very much be a good sign, not only for eliminating turf battles, but providing one voice who can advise the president on these critical issues on a regular basis.”

This story originally appeared on Newsmax.com.

* Giant composite image from HaPe_Gera and Aaron Escobar‘s Flickr photostream

Suggested articles