A Gordian knot awaits future cybersecurity chief

Improving information sharing and incident response will be major challenges for new cybersecurity coordinator

President Barack Obama's new national cybersecurity coordinator should be the White House action officer for cyber incident response, similar to the role of action officers who monitor terrorist attacks or natural disasters, according to the Cyberspace Policy Review released last week.

Obama announced the creation of the new office last week as the anchor for a number of initiatives recommended in the report. The president called it an initial step toward a new, comprehensive approach to securing the nation’s information infrastructure and a signal that the new approach will have his full attention and support.

However, of the major goals laid out in the review, creating an effective information sharing and incident response capability across government and the private sector presents some of the greatest technological challenges and trickiest policy minefields. The task is further complicated by the fact that responsibility for cybersecurity is fragmented in government.

“No single official oversees cybersecurity policy across the federal government, and no single agency has the responsibility or authority to match the scope and scale of the challenge,” Obama said in announcing the new plan.

It is also complicated by the president’s pledge that government will not monitor or regulate private sector networks. “My administration will not dictate security standards for private companies,” Obama added.

Creating an effective structure with the authority and ability for coordinated incident response could require legislation, the report said, and certainly will require the development of systems that will enable wide-scale monitoring of the world’s networks, identifying intrusions and other malicious activity, and integrating and sharing the information.

Individual tools exist to do parts of these jobs, but a systematic implementation is lacking.

“The government needs a reliable, consistent mechanism for bringing all appropriate information together to form a common operating picture,” the report says. “Federal cybersecurity centers often share their information, but no single entity combines all information available from these centers and other sources to provide a continuously updated, comprehensive picture of cyber threats and network status, to provide indications and warning of imminent incidents, and to support a coordinated incident response.”

The Defense Department and intelligence communities look after their own networks, while US-CERT oversees activity and threats on civilian agency networks and, to a lesser extent, private sector infrastructure. Pilot programs and evaluation still are necessary to identify intrusion detection and prevention sensors to provide needed situational awareness across all government networks, the report concludes, and a long-term architecture to enable even broader monitoring and integration with states and the private sector also is needed.

Creating incentives for cooperation and information sharing will likely be as big a challenge as creating the technology to meet those goals. Privacy issues, concerns about security of proprietary data, liability and the impact of bad publicity have made the private sector wary of giving too much information to the government. On the other hand, the government has traditionally been stingy with information shared with the private sector because of security concerns.

“Creation of a not-for-profit non-governmental organization to serve as a trusted third-party host where government and private sector information may be shared to enhance the security of critical government and private-sector networks,” the report said.

The extent to which these goals can be met while maintaining a hands-off approach to private infrastructure is not clear, but Obama has pledged cooperation “to ensure an organized and unified response to future cyber incidents.”

“Given the enormous damage that can be caused by even a single cyber attack, ad hoc responses will not do,” he said.

About the Author

William Jackson is a Maryland-based freelance writer.


Reader Comments

Thu, Jun 4, 2009

The biggest problem I see is funding for training of IT staffs, and management understanding the technology that should be implemented and supported. My IT manager thinks he knows IT, but he has no formal IT background or certifications. I have military, & DOD IT background with multiple certifications, and it's frustrating to me working for someone who doesn't know IT, let alone best practices for IT security.

Wed, Jun 3, 2009 Davel Indiana

My local library's web server log is filled with invalid web attempts to 'hack' the system. Probably 50% of these are from other compromised systems (some are known to come from other compromised library servers), but 50% come from 'unfriendly' parties. I think this kind of behavior is unwanted and a waste of publicly funded bandwidth and should be prosecuted as an illegal activity. (I'm using language found in workplace sexual harassment policies.) We can't sit around (like FEMA) waiting to react to the next disaster. A high percentage of this activity can be dealt with. And, it can be done so in a manner so as to not raise fears of censorship or 'big brother' intrusion (other topics I've seen raised).

Tue, Jun 2, 2009 Bob Donelson Washington DC

Most of the Cyber Security Chief's work will involve Strategic Planning and Exercises to Respond to Incidents similar to FEMA's Response Planning Processes outlined in the National Incident Management System. With Hurricane Katrina in our Rear View Mirror, Lessons Learned to correct the shortcomings of that calamity mostly involved adopting best practices to respond to National Emergencies. The National Operations and Fusion Centers that include Federal, State, Local and Private Sector Contract Support will have the expertise to bring to bear on any imaginable event. Education and Outreach to Private Sector Entities already exist for most incidents. Continuing to Review Current Policy and Operational Framework and Implementing Current Strategies that are effective against Cyber Threats should be the focus versus worrying about being in charge. Strategies like expanding HSPD-12 capabilities to State and local jurisdictions, University Systems to Grow our Education surrounding such mitigation Strategies, to Private Companies and Individual Citizens to expand understanding of a full Defensive Posture to Protect the Entire U.S. Network against Cyber Attacks and Crime will serve the Cyber Security Chief and our Nation well!

Tue, Jun 2, 2009 Dr Bob Hacker Central Texas

One immediate step to vastly improve security on the gov networks is to take the NIPRNet off the public internet. There is no doubt that 99.9% of the gov staff does not need access to the public Internet via the NIPRNet. Resources like libraries and the like can provide the public Internet service or a similar 3rd access approach. What could be more obvious?
