The cyber security agenda of the new administration

During its last year in office, the Bush administration during its last year in office began a Comprehensive National Cybersecurity Initiative that eventually will spend more than $10 billion strengthening defenses of U.S. government networks. During the 2008 presidential campaign, both John McCain and Barack Obama noted the growing importance of information operations, and Obama also said that the U.S. government needed to build “the capacity to identify, isolate and respond to any cyberattack.”

The Lexington Institute’s Loren Thompson writes that all this means that U.S. national leaders do grasp the importance of network security and information assurance — but that seeing the problem is not the same thing as solving it. “Before that can occur, there are eight basic questions the incoming administration of President-elect Barack Obama needs to answer,” Thompson says.

• First, do current trends in cyber threats indicate the United States faces a real crisis of confidence in its networks, or are efforts like the comprehensive cybersecurity initiative sufficient to deal with the challenge?
• Second, given how important global connectivity is to information superiority, is it possible to secure essential U.S. government networks while still maintaining links to the anarchic and anonymous Internet?
• Third, will the Internet in its current form ever permit users to trace sophisticated attacks to their sources, so that abuses can be effectively deterred and/or defeated?
• Fourth, what legal authorities are required so that the U.S. government can overcome barriers to dealing with attacks on critical private-sector networks and establish consistent security standards?
• Fifth, what is the proper relationship within the U.S. government between network defense and offensive information operations in formulating an integrated cybersecurity posture?
• Sixth, how can the U.S. government encourage a holistic, enterprise-wide understanding of its network resources and challenges, so that solutions are developed in a truly comprehensive rather than piecemeal fashion?
• Seventh, is the U.S. Department of Homeland Security an appropriate vehicle for managing government-wide cybersecurity efforts, or is a more focused organization better suited to the task?
• Eighth, if the U.S. government is too slow or decentralized to keep up with the rapid proliferation of cyber threats, how can it tap more agile suppliers of network security in the marketplace?

“These questions need to be answered before the United States suffers the digital equivalent of a Sept. 11, 2001, attack that so many experts have been predicting,” Thompson writes. He adds:

Despite the growing list of problems associated with using and securing Internet-style networks, virtually nobody in the U.S. government thinks it is desirable to return to a pre-Internet way of doing business. So the real issue policymakers face in meeting the cybersecurity challenge is not whether they can live without digital networks, but how they prevent the enemies of the United States from using those networks against it.