5 Must-Do Cyber Security Steps for Obama

As President-Elect Barack Obama looks for ways to deal with a shattered economy and an ongoing war on terrorism, security experts are urging him to pay attention to something that has a big impact on both: The nation’s growing — and fragile — cyber infrastructure.

Potential adversaries have increasingly turned to cyber espionage as a way to find weaknesses in networks run by the U.S. government and the nation’s critical infrastructure providers.

Meanwhile, retailers increasingly dependent on the Web for commerce have launched online transaction portals that rely on Web applications that are easily targeted by digital miscreants. Many of those features are increasingly accessible via popular social networking sites like Facebook.

Realistically, most of the necessary improvements must be devised and deployed from within private companies and government agencies. But Obama is in a unique position to lead on this issue and inspire others to fix the security holes, experts say.

With that in mind, CSOonline has compiled a five-point list of areas Obama should focus on, based on feedback from security pros.

1. Secure the Web apps

With more and more people doing their shopping online, attackers will continue to ramp up attacks against the Web applications customers use to make purchases. Companies that allow sensitive customer data to fall into sinister hands face a world of hurt in terms of reputation and future business, and so Obama should use his bully pulpit to demand better security.

“Obama [and his IT security advisors] needs to focus on securing Web applications that have largely been ignored by previous administrations,” says Mandeep Khera, chief marketing officer for security vendor Cenzic. “With millions of hacking attempts on our government infrastructure every day and thousands of successful attacks against corporations through the Web site, government needs to step in and create stronger regulations to enforce the security of our Web sites.”

2. Wipe the dust off of older regs

That a security vendor would favor more regulation is of little surprise. But security regulations are very much on the minds of those polled — and not the potential new regulations, either. Instead, some experts would prefer Obama put pressure on subordinates to revisit longer-standing regulations that are in need of a makeover.

Former Cisco/WebEx CSO Randolph Barr, now working in the security division of Redwood City, Calif.-based financial application provider Yodlee Inc., is among those who believe the Federal Information Security Management Act (FISMA) is outdated, for example.

“The regulatory requirements for DIACAP/FISMA 805, etc., are catered more towards systems and software and not updated to reflect the innovation of other companies when it comes to selling software as a service and cloud computing, making it very difficult for an organization to be successful in partnering with the government,” Barr says. “Some time should be taken to revisit these regulatory requirements.”

Sharing Barr’s concern about FISMA is Krag Brotby, a security architect who has worked for Xerox, TransactPlus Inc. (a JP Morgan subsidiary) and the Singapore government. He says FISMA compliance is in a dismal state of affairs in critical agencies, and a lack of training is part of the problem.

“FISMA compliance remains poor in some of the critical agencies and, coupled with substandard personnel proficiency, would seem to pose an unreasonable level of risk to the country,” he says. “Pushing ahead with training and certification of government security personnel should take priority as well as mandating FISMA compliance.”

3. Demand better security training

Brotby’s concerns highlight another weakness on the minds of many security professionals — training, or the lack of it. Brotby has encountered what he calls a “significant percentage of IA (information assurance) practitioners and managers in the government and armed forces” that haven’t been adequately trained to provide a reasonable level of security.

Barr listed education as one of his big concerns, and hopes the Obama Administration will push for security to be emphasized from middle school to college and beyond.

“From the perspective of what is taught in college to what is taught down at the middle school to high school level, in my opinion we don’t have a lot of programs that teach individuals the history of security and what we should be doing to better protect ourselves,” he says.

Since kids are increasingly learning via computers and the Internet, an education on the dangers of cyberspace and ways to secure oneself should be a natural part of the lesson plan, he says.

4. Build a great cyber wall (against China and others)cyber espionage between companies and countries — most notably activity from China. Barr wants the Obama Administration to revisit requirements for restricting U.S. companies with a presence in China and other countries.

Another item of concern for security pros is the increased level of

“The concern cited in most cases [of cyber espionage] is stolen intellectual property and malware embedded in source code,” he says. “This is a danger regardless of where the code is developed, and cyber security should focus less on the geographic location of developed code and more on the controls in place to reduce the likelihood of a successful attack.”

In other words, focus on building a stronger wall around the sensitive data so that protection is assured regardless of where the bad guys are attacking from.

5. Give someone control (and make them accountable)

The final — and arguably most important — item Obama should focus on is giving government security officials some real power and a tougher code of accountability to go with it.

Security industry veteran Richard Stiennon made the point in a letter to Obama that ran in Network World, a sister publication of CSOonline.

The first of his 10 suggestions is to issue and executive order establishing responsibility for cyber security with “real negative repercussions for those who fail to prevent breaches.” For civilians this means being fired; for the military this means court marshal, demotion, and expulsion for serious security breaches, Stiennon wrote.

“Do not allow the blame to be foisted off on contractors. The only way that security gets implemented is if someone’s job is on the line,” he continued. “This goes all the way to the top, of course. Whoever you appoint to replace the current assistant secretary for cyber security and communications must understand that security breaches imply failure and those responsible will be replaced.”

THE OFFICIAL OBAMA PLAN

The following is a list of the incoming Obama Administration’s cyber security goals, taken from Change.gov, the official site of the President-Elect. Does it reflect some of the suggestions listed above? We welcome feedback in the comments section of this article.

• Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.
• Initiate a Safe Computing R&D Effort and Harden our Nation’s Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.
• Protect the IT Infrastructure That Keeps America’s Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience.
• Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation’s trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.
• Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.
• Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches: Partner with industry and our citizens to secure personal data stored on government and private systems. Institute a common standard for securing such data across industries and protect the rights of individuals in the information age.