The release of the International Strategy for Cyberspace late last month marked a major shift in the way that United States officials think about and treat information security, which now seems as if it will have a place at the table during diplomatic discussions. However, experts and U.S. officials say that there still is quite a lot of road ahead if security is to become one of the country’s top priorities.
The strategy is a declaration of the Obama administration’s thoughts on information security, especially as it relates to foreign relations and the way that the U.S. intends to handle attacks against its government-owned and corporate networks. The document states quite clearly that the administration will respond to such attacks in whatever manner it deems appropriate, no holds barred.
However, that isn’t to say that the U.S. is planning Predator strikes in response to DDoS attacks. Rather, the statement is just an extension of the military’s role in traditional operations, the administration’s top cybersecurity official said.
“When we look at the military’s role, first the military, like any other large entity, has a tremendous dependency on the Internet and technology just to do its basic mission, and so when they look at their 21st century security challenges and their role and their commitment to defend citizens, allies and interests, that even is more extensible than anything else when it comes to the Internet itself,” Howard Schmidt, the White House cybersecurity coordinator, said in an exclusive interview with Threatpost.
“Now, when you start looking at the full breadth of government activities that might take place, whether it’s diplomatic, whether it’s military, whether it’s economic, whether it’s some other sort of incentive, this is part of an overall view, the way things take place. So, Department of Defense’s role is only one of the many roles that we have across the government, and not only our government, but other governments as well.”
The U.S. is planning to treat Internet-based attacks in much the same way that it handles other types of attacks: by assessing the damage, the actor involved and the consequences of a retaliation and then acting accordingly. Outside security experts say they are happy to see that the government is thinking critically about this issue and not simply falling back on old cliches about cyberwar.
“There are a lot of problems that have to be addressed with all of this, but it’s good that they’re not going down the military road with this,” said Gary McGraw, CTO at Cigital. “The executive branch is talking about the Internet as a commerce-enabler and a vector for spreading freedom. I like that. It sounds American to me. But when there are attacks, how do you figure out who did it? We have a big problem with attribution. There are really thorny issues that have to be dealt with.
“We’re all standing around in glass houses and some of the cyberwar guys want to build faster and more accurate rocks to throw. I wouldn’t want the evening-up of the balance to be countered by going after more offensive weapons. There’s a lot of work to be done.”
Much of that work needs to focus on bringing the government’s own networks and defense systems into the twenty-first century, McGraw said.
“There just isn’t a large group of people thinking about modern concepts in the government right now,” he said. “Part of the problem is that some of us have been standing at the edge of computer security for so long that there are things that we take for granted and the government doesn’t. We have to tell them some things that are blindingly obvious. It’s still disconcerting as all hell.”
Schmidt said that the government is continuously working to improve the security of both its own networks and those of corporations, but there is still plenty of work to be done. The administration knows what the challenges are and has ideas on how to address them, he said.
“We live in an environment where accessibility is key to success, whether it’s a business or a government, so we have to take into account that people will try to do things like [attacks]. People will scan for cross-site scripting, so setting your requirements and making sure that they understand, build to a better secure specification while keeping the same capabilities is gonna be key to it,” Schmidt said.
“The second piece is I think the businesses fully understand that while richness and robustness of the products and stuff is also part of a business, and part of a business in today’s environment is to be able to provide that, so they have the business processes in place where they can go to a customer, be it a government or private sector, and say, ‘Not only here’s the capabilities we give you, but we, indeed, have done those things whether it’s based on requirements from a customer or whether it’s the fact that here’s the best practices that we now see.’ When you see major companies and even small/medium-size companies using a more disciplined process in development of applications and source code protection, the ability of the testing and the robustness they have in there. And so, that’s sort of the second piece. The third piece is sorta the combination of the two. Even after there’s a deployment, even after something’s built, there still had to be that constant monitoring, the constant testing that we have. And for the government, of course, with FISMA, the Federal Information Security Management Act, and having the idea of constant monitoring, we’re able to see things.”