President Obamas Chilling Cybersecurity Challenge

The Center for Strategic and International Studies (CSIS) in Washington, DC,

released its page-turner, Securing Cyberspace for the 44th Presidency, in December

2008. The report covers the sobering cybersecurity challenge (protection

of Internet data, systems, and networks) that President Obama faces. It spotlights

the threats and reviews recommendations revolving around national security,

while urging the safeguarding of privacy and civil liberties. The report

declares cybersecurity an urgent, strategic national security issue as perilous as

weapons of mass destruction and global jihad. This chilling challenge impacts

the entire nation and beckons public management practitioners and academics

to address its implications.

Escalating Security Threats

Economic and national security threats to the United States from cyberspace

(the virtual place where online communications occur) grow annually.

A mushrooming underground economy scams computer users to the tune of

$100 billion a year. Recently, the New York Times concluded that thieves profit

tremendously in cyber conflicts. Patrick Lincoln, director of the computer

science laboratory at SRI International, is quoted as saying, Right now, the

bad guys are improving more quickly than the good guys. Several Business

Week articles over the past year relate a rising number of security gaps amid

sensitive computer networks. For example, in fiscal year 2008, the Department

of Homeland Security (DHS) wrestled with nearly thirteen thousand

cybersecurity incidents, a 150 percent increase from the prior year. In the

summer

of 2007, Newsweek reports

that 1,500 Pentagon computers were

hacked. The Department of Defense

acknowledges that the military copes

with over three million digital intrusions

to official networks daily.

The CSIS report verifies that

foreign opponents invade U.S. computer

networks and capture valuable

data regularly. Corporate losses

measure in the billions. Such attacks

threaten the economy as antagonistic

interests gain access to corporate

business plans, intellectual property,

supply chain information, and customer

communications. This erodes

the dividends from innovation and

unintentionally underwrites the research

and development of international

competitors. Failure to defend

cyberspace adequately encourages

more attacks. Moreover, the global

strategic environment means cyberspace

vulnerabilities offer high value

targets to antagonistic interests.

Commission on Cybersecurity

The mission of the CSIS Commission

on Cybersecurity, established

in August 2007, is to review U.S.

preparedness. Further, it is tasked

with formulating a comprehensive

national approach to cybersecurity

for consideration by the forty-fourth

president. The commission finds that

(1) cybersecurity poses a pressing national

security issue, (2) action in this

arena must be swift while reinforcing

privacy and civil liberties, and (3)

nothing short of a comprehensive

national strategy, encompassing both

domestic and international facets,

will increase U.S. security.

Recommendations for

President Obama

Presidential Leadership

The commission urges a comprehensive

national security strategy

for cyberspace. Such a strategy should

follow a presidential pronouncement

that the cyber infrastructure constitutes

an essential asset for the U.S.

economy and national security. It

would place hackers on notice that

the United States will employ diplomatic,

intelligence, military, law enforcement,

and economic power to

protect this asset. Such a pronouncement

signals unfriendly interests that

the United States will marshal resources

to ensure resiliency and continuity

of service. The commissions

report suggests this may even involve

taking the offensive with attackers.

Cybersecurity leadership needs

to be based in the White House. The

commission proposes an office for

cyberspace in the executive office of

the president and the creation of new

supporting public-private advisory

groups. It recommends consolidation

of existing efforts with the National

Security Council to defend national

networks while preserving privacy

and civil liberties. This action refines

strategic focus, reduces mission overlaps,

improves collaboration, and establishes

accountability.

The commission counsels President

Obama to direct priority toward

education and training for cybersecurity

leadership. This acknowledges

that cyberspace represents a

vast realm for international conflict

and competition and currently the

advantage rests with attackers. The

United States needs a cadre of cyber

security experts with ongoing training

and career paths for recruitment

and retention. Financial aid from the

National Science Foundation scholarship

program to accredited curricula

could expand the pool of skilled

professionals. Federal training centers

should provide elementary cyber

skills and develop a national cyber

skills certification program. Concurrent

with the proposed education and

training component, the commission

advocates an enhanced investment in

research and development to advance

a less vulnerable cyber ecosystem to

support this vital national interest.

Two goals for this endeavor involve

developing a national research and

technology agenda and encouraging

multidisciplinary collaboration.

Legal and Regulatory Initiatives

Legal and budgetary authorities

pertaining to federal cybersecurity

must be modernized. The Federal

Information Security Management

Act requires overhauling to shield

governmentconnected systems from

attacks and known vulnerabilities.

The commission recommends that

this include performance assessment.

Further, the historic distinction between

civilian and national security

systems must be replaced with a riskbased

orientation that demands privacy

impact appraisals. As part of the

legal review, the statutory framework

for pursuing criminal investigations

of Internet crime needs updating.

The primary task here is to engage

Congress in legislation designed to

speed investigations while protecting

the privacy of legitimate users.

Cyberspace demands regulation.

On the basis of threat assessment

levels, the United States must secure

sustainability of critical services in

cyberspace through defending criti-

cal cyber infrastructures and issuing

standards. The commission identifies

energy, finance, convergence of information

technology and communications,

and government services (including

state and local governments)

as essential cyber infrastructures. It

suggests a new regulatory approach

that avoids overreliance on market

forces. Public-private partnerships

should concentrate on infrastructures

while coordinating protocols

for protection and response. Performance

security metrics and enforceable

standards require development.

Mandate Authentication

The commission calls for mandating

authentication (verifying user

identity and the integrity of transmitted

messages) for access to vital

cyberspace infrastructure. It suggests

that consumers be permitted to utilize

government-authorized credentials

for Internet transactions so long

as privacy and civil liberties continue

uncompromised. Commercial operations

would be managed on a riskbased

credentialing process. This ensures

that market interests could not

compel government-supplied credentials

for all Internet activities.

Revamp Procurement

Recognizing that the federal

government is the largest consumer

of information technology, acquisition

policies should mandate secure

cyber products. Security features for

information technology products and

telecommunications carriers demand

immediate action. This recommendation

encourages sharing of federal

configurations with state and local

governments and collaborative partnerships

with industry.

Where to Start?

The commission recommends

building on the Bush administrations

Comprehensive National Cybersecurity

Initiative. While critical

of the secrecy surrounding the Bush

effort, the commission evaluates it as

a workable foundation from which

a new administration can transform

the cybersecurity environment. President

Obama has the opportunity

to reinvent the U.S. approach to an

evolving international environment

dependent on a secure cyberspace.

Under his leadership the country can

reduce risks, increase resiliency, and

position itself to exploit the advantages

of cyberspace.

Public Management Implications

Seeds of service opportunities lie

within the commissions report across

the field of public management. Public

management practitioners and

academics can supply the expertise to

guide the effort in the following areas:

Leading intersectoral collaboration

and problem-solving while

facilitating intergovernmental relations

surrounding cybersecurity

Developing budgetary means to

feed the cybersecurity initiative

with performance accountability

Educating and training cyber

professionals

Developing job classifications

and career ladders while honing

a compensation system to attract

and to retain cyber professionals

Formulating and executing public

policy in modernizing legal

authorities and related issues

Proposing a research agenda to

support cybersecurity and associated

activities

Developing security performance

indicators for measurement

and program evaluation

Tailoring procurement practices

to ensure that cyber infrastructure

standards are frontloaded

in acquisition specifications.

President Obama can confront

this chilling challenge by establishing

a security structure to counter cybersecurity

threats. The commissions report

lays the foundation from which

to address this national service opportunity.

Public managers must be

in the forward trenches of this battle.