In a very impressive CSO Perspectives conference keynote speech on April 6th, Howard A. Schmidt, Special Assistant to the President and the Cybersecurity Coordinator, told the audience that the U.S. was taking very strong measures to prevent and defend against cyber-security attacks. President Obama has made cyber-security a top policy priority within his Administration. On May 29th of 2009 Obama stated that the "cyber threat is one of the most serious economic and national security challenges we face as a nation" and that "America's economic prosperity in the 21st century will depend on Cyber-security."
In his CSO Perspectives lecture (no slides were presented), Mr Schmidt provided a brief history of U.S. cyber security initiatives, discussed the role of the private sector and the government in securing cyberspace and covered the Comprehensive National Cybersecurity Initiative (CNCI) action items in detail. He very deftly answered attendee questions, including two very pointed one's from this author.
Recent History of Computer and Cyber Security in the U.S.
About 13 years ago (circa 1997), the U.S. government issued a rather critical report on U.S. cybersecurity efforts. There were three very important conclusions in that report:
- Technology had become entwined in our daily life more than ever before, especially the Internet.
- No one in the U.S. federal government was focusing on security components of the Internet and other critical networks. In particular, it was ot know who, if any entity, was protecting U.S. financial connections.
- The role of the federal government in protecting U.S. security needed to be improved.
In 2000, the U.S. urged the private sector to co-operate amongst themselves and with the federal government to identify security threats, vulnerabilities and best practices for cyber-security. In February of 2000, a distributed denial of service attack hit eBay, ESPN, and other information purveyors. It acted as a cyber security wake up call for the government, which then embarked on a national strategy to secure cyberspace. The federal government then recognized that our IT infrastructure was a critical national asset and must be protected at all costs. It then began real world sharing of information with the private sector, which was a major milestone for the U.S. government.
The resulting near term action items for the U.S. Executive branch included:
- Appoint a cybersecurity co-ordinator.
- Attempt to collaborate with private sector and international partners to share information on threats and vulnerabilities.
- Examine deterrence issues.
- Consider response mechanisms to an attack(s).
- Work with leadership in Congress.
- Encourage NIST to develop standards, e.g. for strong authentication.
- Protect privacy and civil liberties, while using technology to make the U.S. more secure.
- Initiate a national awareness and education campagin to make companies and individuals more attentive and vigilant to security issues.
- Public-private sector mobility, including small business participation.
- Develop an international cybersecurity policy framework; specifically on how to normalize threats from overseas.
Cyberspace Policy Review and Importance of the CNCI Directive
Shortly after taking office, President Obama ordered a thorough review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing our digital infrastructure. In May 2009, President Obama accepted the recommendations of the resulting Cyberspace Policy Review, The activities under way to implement the recommendations of the Cyberspace Policy Review build on the Comprehensive National Cybersecurity Initiative (CNCI) launched by President George W. Bush in January 2008. The CNCI and its associated activities are evolving to become key elements of a broader, updated national U.S. cybersecurity strategy. These CNCI initiatives will play a key role in supporting the key recommendations of President Obama’s Cyberspace Policy Review. The intiatives include:
- To establish a front line of defense against today’s immediate threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events within the Federal Government—and ultimately with state, local, and tribal governments and private sector partners—and the ability to act quickly to reduce our current vulnerabilities and prevent intrusions.
- To defend against the full spectrum of threats by enhancing U.S. counterintelligence capabilities and increasing the security of the supply chain for key information technologies.
- To strengthen the future cybersecurity environment by expanding cyber education; coordinating and redirecting research and development efforts across the Federal Government; and working to define and develop strategies to deter hostile or malicious activity in cyberspace.
All 12 CNCI initiatives are detailed HERE
Mr. Schmidt said the U.S. government can do a lot to improve the nation's cyber defenses, but ultimately, the key to warding off attacks on commercial enterprises (e.g. like the one Google experienced in China) remains private-sector vigilance and quick response. Right after his CSO Perspectives speech, Mr Schmidt was headed to London to meet with his cyber security counterparts from other countries to discuss co-ordination of their efforts.
Threat Analysis and Scenario Planning
Mr. Schmidt indicated that security threats are coming from criminals, nation states, non-nation actors (e.g. terrorist organizations), and other malicious parties. In answer to a question from this author, he stated that various government agencies, including the FBI, are working together and with the private sector to identify the potential security threats and develop scenarios for what each actor might try to do. The government is preparing both deterrent strategies to prevent attacks as well as disaster recovery scenarios in the event of an attack (presumably to prevent one attack to cascade into others which could do damage to our criticial resources and infrastructure.
After his presentation, I privately asked Mr. Schmidt whether the federal government was taking an Al Qaeda cyber attack seriously. "You bet," he said. My read of what he told me was that the government was pulling out all stops to prevent such an attack from succeeding. He quipped that I could now sleep better at night as a result.
However, in doing background research for this report, I found articles questioning the U.S.'s ability to defend against such a cyber attack(s).
Here is one that's particularly scary which was published one day after Mr. Schmidt's speech: Is the U.S. the Nation Most Vulnerable to Cyberattack?
And here are a few others (also published on April 7. 2010):
So, the reader will have to make his own assessment of whether the public- private partnership to combat cyber security threats will succeed, as Mr. Schmidt believes, or whether or not the government needs to take an even more active role (which might compromise privacy).