Over the past couple of days, I have been reading Securing Cyberspace for the 44th Presidency, a report by the non-profit Centre for Strategic and International Studies (CSIS, not to be confused with Canada’s Canadian Security Intelligence Service).
Published last December, with the ambition of catching Barack Obama’s incoming presidential eye, it is a surprisingly frank and clear-headed document, and one that our 22nd Prime Minister might profit from reading, too.
(If you are interested, you can find it under “Publications/Reports” at csis.org.)
The United States is the most wired, e-commerce- and e-government-driven nation on Earth; it has the world’s largest and most aggressive internet surveillance systems (the National Security Agency, the Office of Homeland Security); it has some of the free world’s most intrusive informational security laws; and it has, according to CSIS, one of the world’s most feeble cyber security systems.
In 2007, for instance, the mean-and-scary Department of Homeland Security suffered cyber-break-ins in many of its departments, and NASA had the security of some designs for new shuttle launchers compromised by hackers.
In other words, the US government is doing a terrible job of protecting the integrity of its information about citizens and organizations, and a terrible job of protecting its own technological intellectual property.
The root of this problem, according to the CSIS group, is that the US government has no co-ordinated cyber security strategy, and no means, at present, to effect such a strategy, even if it had one.
As is the way of things, informational security in the US government is largely handled by the various departments themselves, with no real agreement about standards or methodologies and little pooling of expertise.
Neither has there been any organization within the government doing active research to assess and address the government’s security risks and needs.
On the whole, the government operates on off-the-shelf software, using off-the-shelf security programs, warding off the wrong dangers while ignoring the real ones burgeoning under its nose.
The danger this nonchalance creates was brought home recently—though, luckily for the USA, in Europe—by the success of the internet worm Conficker, which in January of this year insinuated itself into the computer network of the French navy.
The French had to ground a number of aircraft at infected airbases, because they could not download the flight plans they needed from the quarantined computers.
Imagine that kind of thing happening to the USA in the middle of a shooting war.
The CSIS group’s overall conclusion as to the existing status of US cyber security at the end of the Bush era could not be more glum:
“Years of underinvestment have weakened both government and our scientific establishment … The reputation of the United States has been badly tarnished, and our failure to protect cyberspace, despite huge informational losses, has encouraged our opponents to increase their attacks.”
Given all this, what is to be done?
The CSIS people have a number of proposed solutions, some technical, some bureaucratic, a few of which I will highlight here.
Their major recommendation is that Obama should create an office of cyberspace security within his Executive Office—in other words, make cyberspace security a core element in his policymaking, on a par with the “war on terror” efforts, for instance.
A second recommendation is that this “cyberspace czar” should oversee the development of a government-wide, co-ordinated cyberspace security strategy, which would encompass things like protecting privacy of information, and imposing economic or other sanctions on rogue nations that meddle with America’s cyberspace security, or connive with hacker gangs that do so.
A third recommendation is that the US invest heavily in cyber-security-related research and development, so that it can be an active leader in the field, not a hapless consumer of whatever products the private sector puts on offer.
Furthermore, the US government should leverage its status as a major consumer of IT products to enforce enhanced standards on the security-software industry.
All of these recommendations sound so reasonable and necessary as to be self-evident; though that, of course, is no guarantee that they will be implemented by the new White House, which has a quite different kettle of fish on the fryer, at the moment.
Certainly, there have been no major announcements from the White House so far about the state of the nation’s cyber security.
Should the US get serious on this front, though, it would be doing a favour to a goodly number of other, smaller “wired” democracies—like Canada, for instance—which have many of the same needs and weaknesses, and nothing like the same scale of resources.
The case of poor little Estonia comes to mind.
In 2007, in the middle of a dispute with its former invader, Russia, Estonia fell victim to a wide range of cyber-attacks, of varying degrees of sophistication, which disrupted the work of government ministries, newspapers, radio stations and the like—attacks which many people still believe originated with the Russian government, though that has never been proved.
If little Estonia had had access to cyber-defenses developed by a more active and informed USA, it might have been spared a lot of pain.
So let’s hope that this CSIS report on the state and needs of the US cyber-nation does, eventually, catch the eye of the very busy 44th President.
It could do the US a lot of good, and us, too.
Rick Steele is a technology junkie who lives in Whitehorse.