Software [In]security: Moving U.S. Cybersecurity Beyond Cyberplatitudes
In an announcement from the White House on the last business day of May, President Obama unveiled the results of a 60-day review of cybersecurity strategy conducted by acting White House cybersecurity chief Melissa Hathaway. The "Cyberspace Policy Review" defines the problem and outlines the beginnings of a way forward — especially important given how late the government is in addressing the cybersecurity problem. Is the Obama plan ready for prime time?
The 60-day Review in a Nutshell
The report calls for the appointment of a cybersecurity coordinator. The coordinator is to serve as an action officer during incident response as well as a point of contact for cyber-related issues arising in government departments and agencies. The coordinator as envisioned has no operational responsibilities or authority to set policy. Instead, the coordinator is to provide informed perspective to policymakers. This includes interacting with Congress and developing a legislative agenda for cyberspace.
In the broadest of terms, the strategy includes support for both operational and developmental approaches to securing cyberspace. On the operations side, the government is tasked with creating a threat-sharing plan and a centralized organization to execute the plan. This includes a capability for cybersecurity incident response, intrusion detection and situational awareness, and the creation of public breach notification laws. On the development side, the government is to institute purchasing strategies that put pressure on vendors to properly address security in commercial (private sector) products and services. Tools to be used towards this end include tax incentives, indemnification, and regulation. International cyber cooperation should aim to agree on policy around cybercrime, cyberwarfare, and law enforcement.
Civil liberties, authentication of users, and privacy also play an important role in the document. According to the report, the government should build a digital identity management system for the country to help safeguard and protect the public's private information. The core concept seems to be to provide some basis of trust between parties in a transaction through a centralized authentication system. The government should also leverage cryptography and assurance technologies developed in the intelligence community to secure cyberspace.
In announcing the report, President Obama said, "From now on, our digital infrastructure — the networks and computers we depend on every day — will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority.”
Getting Past Platitudes
John Pescatore from Gartner convened a virtual panel on the cybersecurity issue at the 2009 Gartner Information Security Summit. I provided a video for the panel answering two questions that John posed. The two questions get to the heart of the cybersecurity issue. The video is available on the Cigital website.
Question 1: What should the US government do to drive real improvements in the security level of internet use?
We must get past talking about talking about cybersecurity. We've seen a number of reviews and a number of blue ribbon panels (including the National Strategy to Secure Cyberspace and the President's Information Technology Advisory Committee (PITAC) report), but we have yet to see any sort of tangible movement in the government space outside of the intelligence community or the Department of Defense.
I am encouraged that there has been some talk in the government about building security in (see the DHS Build Security In website and about software security. In my view, getting ahead of the problem of computer security requires that we look carefully at the way we're building systems. We need to build our future systems to be secure from the very beginning. The notion that we can patch our way into a secure state or somehow miraculously solve the problem with Band-Aids is unlikely to work. I like the idea of focusing more attention on software security. The more emphasis we place on building security in, the better.
It's also important that the government pay attention to something that corporations have not been so good at — safeguarding privacy, liberty, and individual rights. I can think of nobody in a better position to focus on liberty and individual rights than the government. The government can cause these things to be an important part of the way that we approach cybersecurity from a technical perspective. I hope that the government pays much more attention to privacy and liberty than the commercial space has.
The last thing that is important is to avoid security scare tactics. It's too easy to posit security Boogeymen (either al-Qaeda or cyber terrorists) and use them as an excuse to incorrectly balance personal liberty and individual rights against security concerns. I would like to see a much more careful, deliberate approach. I have confidence that the Obama administration will be able to do that.
Question 2: What are things that you believe the US government should specifically not do in the name of increasing cybersecurity?
The number one thing the government should not do is to put the National Security Agency (or the rest of the Intelligence Community) in charge of cybersecurity. There are two reasons for this. The first reason has to do with separation of duties and de-conflicting offense and defense. Imagine you had to spy on your adversaries. Spycraft is made much easier by problems in software that can be exploited in order to turn computers and other software-driven devices into eavesdropping devices. If you're in charge of carrying out spycraft and at the same time you are also in charge of making sure that advanced systems are secure, that's a very difficult balance to strike. This reminds me of the balance that we struck during the Cold War when it came to building nuclear weapons versus delivering nuclear weapons. Some very clever people devised a scheme of separation of duties between the Department of Energy and the Department of Defense that persists to this day. The same kind of separation of concerns should be evident in the way the government approaches cybersecurity.
An additional reason the NSA should not be put in charge of cybersecurity is that important cultural differences exist between the NSA/DoD and the rest of civilian government/corporate America. There is a very clear command and control structure in the military flowing directly from the President all the way down through the ranks in the military. It is clear who has to do what, where the chain of command goes next, and how command and control works. That's one of the things that the NSA leverages to do a very good job with their own internal cybersecurity. But it is not at all clear that the same sort of clarity exists outside of the DoD.
Number two, the government should not devolve to cyberplatitudes. We've seen too many cyberplatitudes of late. The notion of a cyber coordinator is a big problem. The idea of a cyber coordinator may appeal at first blush, but it looks too much like a cheerleader role to me. There will be very little access to the President; it's not clear the position comes with any budget; and there is no staff associated with the position. We don't really need a cheerleader (although having a cheerleader may be better than having nothing at all). I would like to see a national cyber coordinator with actual authority, power, and responsibility — and with direct access to the President.
The series of reports that I alluded to above is worth another mention. The latest in this series of reports is the 60-day cyber review carried out my Melissa Hathaway and company. It looked awfully familiar if you have seen the National Strategy to Secure Cyberspace (which I worked on) or the PITAC report. There are plenty of parallels between these things. We've become adept at putting out these reasonable pieces of armchair thinking, but we're not very good at actualizing them.
I'm optimistic that we can make some progress on the cybersecurity front if we do get past talking about talking about cybersecurity, if we do focus on building security in to the systems that we're building (especially from a software perspective), and we keep our eye on the privacy, personal liberty, individual rights ball.
We have a chance to make some important progress on cybersecurity. That's encouraging.