Think Tank Panel: Feds Need Major Cybersecurity Changes

The U.S. government should overhaul its approach to cybersecurity by imposing sweeping new regulations on businesses and creating a centralized cybersecurity office in the White House, an outside group of experts recommended today.

The White House office is needed because the Department of Homeland Security isn’t equipped to protect the federal government against cyberattacks, according to a report issued by a cybersecurity commission that was set up last year by the Center for Strategic and International Studies (CSIS). Many members of the Commission on Cyber Security for the 44th Presidency “felt that leaving any cyber function at DHS would doom that function to failure,” according to the report.

The 96-page report, which was presaged in September when some commission members testified at a congressional hearing, also calls for new government regulations focused on protecting computer networks in the U.S. Many of those regulations would focus on refining government efforts to protect its own cyber infrastructure, but regulations on private industry are needed as well, the report said.

In addition, the report rejected the market-driven approach to cybersecurity advanced by President Bush. “The strategy essentially abandoned cyber defense to ad hoc market forces,” the report said. “In no other area of national security do we depend on private, voluntary efforts. We believe that cyberspace cannot be secured without regulation.”

New regulations are needed for the IT, finance and energy industries including the use of identity authentication credentials, and for supervisory control and data acquisition, or SCADA, systems, the report said. The commission also called on the government to change its own acquisition rules for IT products to focus more on cybersecurity.

Furthermore, the report recommended that federal officials should allow U.S. residents to use government-issued cyber credentials for their online activities.

“Cybersecurity is among the most serious economic and national security challenges we will face in the 21st century,” wrote James Lewis, director of the Technology and Public Policy Program at the CSIS. “Our research and interviews for this report made it clear that we face a long-term challenge in cyberspace from foreign intelligence agencies and militaries, criminals, and others, and that this struggle will wreak serious damage on the economic health and national security of the U.S. unless we respond vigorously.”

The DHS, which has been the lead agency focused on cybersecurity, can be strengthened, according to the CSIS commission. But “the nature of our opponents, the attacks we face in cyberspace, and the growing risk to national and economic security mean that comprehensive cybersecurity falls outside the scope of DHS’s competencies,” the report said. “DHS is not the agency to lead in a conflict with foreign intelligence agencies or militaries or even well-organized international cyber criminals.”

Cybersecurity is no longer a homeland security or critical infrastructure problem, the report added. “This is far too narrow a scope,” it said. “Cybersecurity is no longer (if it ever was) a domestic issue. It is an issue of international security in which the primary actors are the intelligence and military forces of other nations.”

The report recommends that the DHS retain responsibility for the U.S. Computer Emergency Readiness Team and related functions, but it envisions a new White House National Office of Cyberspace that would coordinate and oversee cybersecurity efforts governmentwide. Currently, the government has hundreds of people working on cybersecurity issues, and this “too often resembles a large fleet of well-meaning bumper cars,” the report said.

A DHS spokesman didn’t immediately respond to a request for comment on the CSIS report. In September, after the congressional testimony by commission members, the agency dismissed their suggestions as “political posturing” and said their call to reassign cybersecurity responsibilities was “a classic ‘inside the Beltway’ gambit.”

Members of the commission said in their testimony that the current approach isn’t working. “We are under attack, and we are taking damage,” Lewis told a House of Representatives subcommittee then. “The U.S is disorganized and lacks a coherent national [cybersecurity] strategy.”

Other outside observers have also said that improving cybersecurity needs to be a higher priority for the next administration. Despite a variety of initiatives that were launched during the Bush administration, the cybersecurity effort is still seen as a work in progress.

The CSIS, a nonpartisan think tank in Washington, launched the cybersecurity commission in August 2007 in an effort to make recommendations to the next U.S. president. More than 40 people, including employees of IBM, Oracle, Sun Microsystems, EMC and AT&T, have been serving on the commission.

The group’s report also recommends that:

-The government develop a new national cybersecurity strategy that includes diplomacy, military action, changes in policy and the involvement of intelligence and law enforcement officials in the U.S.

-President-elect Barack Obama put a new emphasis on having the government work with the private sector, with clearly defined responsibilities and a focus on building trust with the business community.

-Congress increase spending on cybersecurity research and create a scholarship program to encourage more college students to obtain cybersecurity degrees.

“We are in a long-term struggle with criminals, foreign intelligence agencies, militaries, and others with whom we are intimately and unavoidably connected through a global digital network,” the report said. “This struggle does more real damage every day to the economic health and national security of the United States than any other threat.”