U.S. cybersecurity plans lagging, critics say

Aug. 20 (Bloomberg) -- Richard Falkenrath, a principal at Chertoff Group and a Bloomberg Television contributing editor, talks about cybersecurity and Intel Corp.'s $7.68 billion acquisition of security software maker McAfee Inc.. Falkenrath speaks with Erik Schatzker on Bloomberg Television's "InsideTrack." (Source: Bloomberg)
By Ellen Nakashima
Washington Post Staff Writer
Thursday, September 16, 2010; 1:14 PM

More than a year after President Obama made a White House speech proclaiming that the protection of computer networks was a national priority, the federal government is still grappling with key questions about how to secure its computer systems as well as private networks deemed critical to U.S. security.

The administration unveiled a cyberspace policy review last year, and Obama appointed a White House cyber coordinator to synchronize the government's efforts in December.

But the administration is still debating whether it needs new legal authorities - to strengthen the government's ability to defend private sector networks, for example - or whether existing law allows such actions. Critics also say that officials have not adequately assuaged privacy concerns or determined the extent to which the government should regulate or collaborate with the private sector to ensure that telecommunications firms, electric utilities and other critical industries are protected against hackers.

Congress, meanwhile, has crafted dozens of bills with varying prescriptions to improve the country's cybersecurity - including one that would place new security requirements, enforceable by the federal government, on certain elements of critical private sector networks - but the White House has yet to weigh in with a position on any of them.

"There's a degree of caution about what direction to move, how far to move," said James A. Lewis, a cyber and national security expert at the Center for Strategic and International Studies. "You've got a lot of agreement on what the problem is but very little agreement on the solution, both within the government and outside."

Officials have warned of the dangers of failing to address the threat, saying that a sophisticated cyberattack could cripple U.S. computer networks.

The Pentagon's second-in-command, Deputy Secretary William J. Lynn III, recently disclosed details about the "most significant breach of U.S. military computers ever," in which a foreign intelligence agency used a flash drive infected with malicious code to spread a rogue program undetected through classified and unclassified systems.

In a recent article in Foreign Affairs, he also noted that more than 100 foreign intelligence organizations are trying to hack into the military's digital networks. Indeed, the Pentagon has been battling a series of significant and long-standing intrusions into military networks by foreign adversaries looking to steal secrets worth potentially billions of dollars in terms of information technology and development of military capability, sources said.

Lynn asserted that the threat to intellectual property of businesses, universities and the government may be "the most significant cyberthreat" facing the country. He cited the case of Google, which in January disclosed it had lost significant intellectual property as the result of a network intrusion originating in China.

The president's cyber coordinator, Howard Schmidt, said in an interview that the administration was deliberating the appropriate regulatory role for the federal government, but the emphasis must be on collaboration. "It's very clear," he said, "we've recognized it's a partnership."

He noted that officials have reduced the number of government "gateways" to the Internet, which makes network monitoring easier; begun connecting federal network security centers so that technicians can better see what's happening on computers across the government; and crafted a national cyber emergency response plan.

He has also touted a proposal to enable computer users, if they wish, to obtain a "smart identity card" that authenticates their identity for online banking and other online transactions.

CONTINUED     1        >

© 2010 The Washington Post Company