CyberWars
Cybersecurity: National Priority or 'Flavor of the Week'?
7
2,009
By Sandra I. Erwin
A White House-led plan to strengthen the nation’s computer networks is so overarching and ambitious that agencies worry that they don’t have enough knowledge or talent to take on the challenge.
Everyone agrees that the United States needs to better protect public and private sector critical infrastructure information systems, and that it should synchronize cybersecurity efforts across the public and private sectors. But it is far from clear how this will be achieved, cybersecurity officials said at a June 26 panel discussion in Washington, D.C.
A major obstacle to achieving U.S. cybersecurity objectives is the lack of expertise, said Philip Reitinger, deputy undersecretary for the national protection and programs directorate at the Department of Homeland Security. “We are not producing in this country enough of the security talent, or development talent, that we need,” he said at a conference hosted by the Center for a New American Security and Google Inc.
Education programs and personnel policies must be revamped to reward students and professionals who want to specialize in cybersecurity, he said. “We have a lot of vacancies” at DHS. “We’re doing a lot of hiring.”
Personnel shortage is a problem both in government and industry, said Christopher Painter, director of cybersecurity for the National Security Council. “The bench isn’t very deep in this area.”
The extensive media hype about cybersecurity masks the reality that the government is far from having reached consensus on who will take on specific roles and missions, and when.
“It’s the flavor of the week … Everyone wants to do something,” said Painter. But before the United States begins to pour billions of dollars into cyberdefense efforts, it will be necessary to “rationalize” plans so “we get the most bang for the buck,” he said.
The biggest challenge is how to quantify success or failure, said Richard Hale, chief information assurance executive at the Defense Information Systems Agency. “In the Defense Department, we have struggled with how to measure progress,” Hale said.
All federal agencies need “metrics” so they can make routine day-to-day decisions such as what software they should buy, said Reitinger. “Until we have effective metrics tied to outcomes, people will make cybersecurity decisions based on religion rather than facts,” he said. “We have to go to a more scientific and data-driven decision making process for cybersecurity.”
Hale agreed. “If we are going to throw money at the problem, are we going to end up with a more resilient infrastructure and a better response plan?”
Reitinger admitted that the government currently is ill-equipped to cope with cyber-emergencies.
The United States needs a response plan in order to avoid the confusion over “who’s in charge” that followed disasters such as 9/11 and Hurricane Katrina, said Ellen Doneski, Democratic staff director for the Senate Commerce Committee. The Cybersecurity Act of 2009, introduced by Senators Jay Rockefeller, D-West Va., and Olympia Snowe, R-Maine, specifically calls for action in that area, Doneski said.
A significant hurdle in developing a response plan is that government and industry don’t routinely share information, and often don’t trust each other, said Reitinger. “Public-private partnerships can’t just happen when there’s an emergency.”
One of the most significant impediments to U.S. cybersecurity efforts will be the philosophical differences between the Defense Department and the civilian agencies on issues such as privacy rights, identity management and use of proprietary software.
The Defense Department’s goal is to “drive anonymity completely out of our networks,” said Hale. The latest authentication technology makes it possible to do that while protecting an individual’s personal data such as social security numbers, Hale said. “We haven’t yet solved all the privacy issues,” he said.
Reitinger noted that anonymity is constitutionally protected. “I don’t think the point is to drive anonymity out of the system,” he said. “But we need to make it easier to have strong authentication” that is not just affordable for the Defense Department but also for the entire government.
Hale said all government agencies should pool their buying power and consider building “our own technology,” to make it easier to protect. China, for instance, developed its own operating system. “The U.S. government has to be more active in demanding a more robust infrastructure,” said Hale. While the government does not dominate the information technology market, it has enough buying power to “nudge it.”