Industry group urges creation of cyber czar post

With the release of President Barack Obama’s 60-day cybersecurity review imminent, another industry group has recommended that the White House appoint a cabinet-level cybersecurity official to lead the effort to secure the nation’s critical infrastructure from cyberattacks. “The responsibilities of this individual shall include the development of the national cyber security plan and organizing our nation to effectively function through a cyber attack,” the report from the Intelligence and National Security Alliance (INSA) recommended. The position also should be imbued with the necessary power to get the job done, the report said.

The group is made up of such prominent corporate powerhouses in defense, communications, and IT products and services such as BAE Systems, Boeing, IBM, Microsoft, and L3 Communications. “Our group, near unanimously, believes that leadership is the key issue to solve most, if not all, U.S. cyber security issues, problems, and challenges,” the report notes. “We believe that progress in any cyber security area cannot occur without proper leadership because roles, missions, and responsibilities overlap and are not sufficiently clear.”

INSA believes that the Obama administration, by creating such a powerful position within the White House, will send an important message to not only the private sector, but to the entire federal government and U.S. adversaries now preying on our cyber weaknesses. INSA also said the government should swiftly share lessons learned, best practices, and threat information to the private sector as a “real value added,” while creating minimum cybersecurity standards for the private sector to protect critical infrastructure.

About 85 percent of all critical infrastructure in the United States is privately owned. The most important sectors to secure first, according to the report, are the communications, power, transportation, and financial critical infrastructures.

The INSA says the Obama administration should draw on the Capability Maturity Model Integration, a public-private partnership between the Air Force and the Carnegie Mellon Institute to address software development risk in the 1980s, as well as two private sectors efforts, the Consensus Audit Guidelines and Cyber Preparedness Levels, to establish common, minimum cybersecurity standards and build a working relationship with the private sector. “The common standards should assist private sector organizations with understanding different cyber threats,” the report says, adding “These standards should also determine what level of cyber defense they may want to use for a particular system, organization, or network.”

U.S. networks have been under sustained cyberattacks, mainly from China and Russia, poking and prodding networks for weaknesses and information. To help prepare for the day a large-scale cyberattack occurs, the Obama administration should develop a National Cyber Recovery Plan and test it periodically to assure its effectiveness.

Another matter needing attention, according to the report, is the development of better analytics to discover the source of an attack. “In order to deter, enforce, and defend, the government and private sector need to work together to fund technological innovation in the ability to do advanced, real time analytics and processing to achieve attribution.”