More Cyber Security Regulations Recommended

By Brian Krebs Staff Writer
Monday, December 8, 2008 1:20 PM

A bipartisan commission of computer security experts is recommending today that President-elect Barack Obama set up a high-level post to tackle cyber security, consider new regulations to combat cyber crime, and shore up the security of the nation's most sensitive computer networks.

The proposals (pdf) from the Commission on Cybersecurity for the 44th Presidency follow a series of cyber security breaches at some of the nation's most sensitive computer systems. Last year, many government agencies suffered major intrusions by unknown foreign entities. They included the Defense, State, Homeland Security, and Commerce departments, the National Aeronautics and Space Administration (NASA), and the National Defense University.

An investigation last year by The Washington Post showed that multiple compromises of unclassified computer systems for the Transportation Security Administration and DHS headquarters went unnoticed for months in 2006 because the agency failed to effectively monitor its own networks.

President-elect Obama has promised to make cyber security a top priority, and there are signs that the Obama team is already moving to implement some of the recommendations. On its Web site, the incoming administration said it plans to "declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy."

Since 2002, responsibility for coordinating government and private industry efforts to secure critical information networks has fallen to the Department of Homeland Security. DHS is responsible for encouraging efforts by private sector companies, which control more than 80 percent of the nation's critical networks, but the report concludes that the task is simply too big for DHS and requires a more coordinated and prescriptive response.

"It is completely inadequate to defer national security to the private sector and the market," the report concludes. "This is a strategic issue on par with weapons of mass destruction and global jihad, where the federal government bears primary responsibility. We have deferred to market forces in the hope they would produce enough security to mitigate national security threats. It is not surprising that this combination of industrial organization and overreliance on the market has not produced success. As a result, there has been immense damage to the national interest."

James Lewis, director of technology and public policy at the Center for Strategic and International Studies (CSIS), the Washington think tank that organized the commission, said some of the panel's recommendations are likely to be controversial. For example, the commission recommends revisiting the nation's wiretap laws to make it easier for authorities to obtain so-called data warrants rather than traditional search warrants, which it called "increasingly impractical in the online environment."

"We can't do a lot of these things without strong privacy safeguards," Lewis said. "But for an issue of such economic and national security importance, we can't just rely on voluntary efforts anymore."

The Bush administration has embarked on a massive $15 billion "comprehensive national cyber security initiative," aimed at locking down federal computer networks. But Lewis said that effort is mainly defensive, and falls well short of the efforts needed to develop policies on how the United States might respond in the event of a coordinated cyber attack on key assets.

The panel also suggests that the government share more information about cyber threats with the private sector, and require stronger identity authentication regulations for critical industries, such as energy and finance.

In addition, the U.S. government should use its purchase power to improve the quality and security of software, buying only from information technology vendors that meet standards for secure products. Such requirements could then be enforced by an agency like the Federal Trade Commission, said Marcus Sachs, executive director for government affairs and national security policy at Verizon Communications and a member of the CSIS commission.

"We need an entity that enforces the advertising that companies put into their products, so that if you as a vendor say your products can do something, someone who will hold your feet to the fire on those claims," Sachs said.

Many of the individuals who contributed to the report are former cyber advisors to the Bush and Clinton administrations. At least four members of the commission are currently serving on Obama's transition team, including Paul Kurtz, a former special assistant to President Bush and senior director for critical infrastructure protection on the White House's Homeland Security Council.

The Obama team said it plans to work with industry and academia to "develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure," and "work with the private sector to establish tough new standards for cyber security and physical resilience." They also pledge to help combat cyber espionage and "initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime."


© 2008 Washingtonpost.Newsweek Interactive