On May 29, the Obama Administration released its Cyberspace Policy Review (the Review) of the nation's cybersecurity readiness. The Review, the product of a 60-day comprehensive assessment of the nation's cyberreadiness, concluded that critical Internet infrastructure—designed to give priority to interoperability and efficiency rather than security—is at risk, and major public and private efforts are required to maintain the security of the "information systems that underlie our economic and national security interests."
Cyber Czar Needed
The Review, a joint effort of the National Security Council and the Homeland Security Council, found that the federal government currently is not well organized to address threats to cybersecurity. As President Obama summarized the findings: "No single official oversees cybersecurity policy across the federal government, and no single agency has the responsibility or authority to match the scope and scale of the challenge." To address this, the Review recommended appointment of a Cybersecurity Coordinator—under the direction of the National Security Council but also reporting to the National Economic Council—to coordinate interagency development of cybersecurity-related strategy and policy. That individual, expected to be appointed soon by President Obama, will have the challenge of trying to encourage multiple federal agencies with overlapping missions to work more closely together to address cybersecurity.
That individual—the "Cyber Czar"—also will be tasked with preparing an updated national strategy to secure the information and communications infrastructure. This effort will build upon several previous efforts, beginning with Presidential Decision Directive 63 in May 1998, followed by the National Strategy to Secure Cyberspace in 2003 and the Comprehensive National Cybersecurity Initiative in 2007. The goal is to coordinate "historically separate cyber defense missions with law enforcement, intelligence, counterintelligence, and military capabilities to address the full spectrum of cyber threats from remote network intrusions and insider operations to supply chain vulnerabilities."
Private Sector Implications
In addition to recommending improved leadership at the federal level, the Review went beyond these previous federal pronouncements by recognizing that cybersecurity is also a priority for the private sector, which operates much of the nation's communications infrastructure governing financial systems, utilities, transportation and other vital services. The Review touched on the need to improve cybersecurity education, enhance the federal cybersecurity workforce, improve partnerships between the private and public sectors for cybersecurity, improve information sharing and response, and build an improved architecture for the future.
The Review recognized obstacles to improved private/public cooperation, including private entities' concerns that their proprietary data might be disclosed pursuant to the Freedom of Information Act, and that coordinated private activities might be viewed as violating statutes prohibiting collusion. Academics, civil libertarians and privacy advocates also have worries about potentially overreaching cybersecurity initiatives.
One reason for greater involvement by the private sector is pragmatic. Much of the nation's vital infrastructure—especially the communications and energy sectors—is privately owned. This reliance on the private sector will only increase as the nation makes greater use of information technology in health care and invests in "smart grid" technology. Consequently, American cybersecurity depends upon the active and skilled involvement of the private sector.
The Review highlighted areas in which much work remains to be done. It recommended creation of a federal research and development strategy targeted to meeting infrastructure needs. It noted a need to integrate supply chain security concerns with global information and communications services.
In addition, so that information systems can better identify the persons interacting with them, the Review urged the creation of a cybersecurity-based identity management strategy to improve the ability of Internet businesses and governments to authenticate persons and ensure that "online transactions use only trustworthy data, hardware, and software for networks and devices." The Review also noted the importance of doing so in a manner that recognizes and appropriately protects civil liberties and privacy interests.
Review Well Received
The Review was endorsed by Sen. John D. Rockefeller (D-WV), chairman of the Senate Commerce, Science, and Transportation Committee, who has introduced legislation to create a cybersecurity advisor position within the White House. A second Rockefeller bill would establish cybersecurity standards applicable to both government and the private sector, by requiring the National Institute of Standards and Technology to develop "measurable and auditable cybersecurity standards for all federal government, government contractor, or grantee critical infrastructure information systems and networks." In addition, numerous other cybersecurity bills are presently under consideration in Congress.
The Review was generally well received. Commentators welcomed the Review's comprehensive approach and consideration of many viewpoints. However, some expressed concern that the Cyber Czar will be too low in the governmental hierarchy to have sufficient clout to accomplish all that is required. Others worry that the National Security Council will take a predominant role in cybersecurity to the detriment of economic and private interests.
Lastly, the Review addressed only structural issues and outlined objectives. The Review did not promulgate a cybersecurity strategy; that task was assigned to the yet-to-be-named Cybersecurity Coordinator. Therefore, major substantive work lies ahead.
Cybersecurity professionals know, however, not to sit idly until the next step occurs. Cyber attacks are a constant phenomenon. Cybersecurity experts have their hands full with emerging smart grid, health IT and other systems. The President's recent comprehensive Review recognizes that the federal government has much to do as the nation seeks a more secure cyberfuture.