Monday, May 31, 2010

National Security Strategy is Empty on "Cyberspace"

The new National Security Strategy (.pdf) says the following about "cyberspace":

Secure Cyberspace

Cybersecurity threats represent one of the most serious national security, public safety, and economic challenges we face as a nation. The very technologies that empower us to lead and create also empower those who would disrupt and destroy. They enable our military superiority, but our unclassified government networks are constantly probed by intruders. Our daily lives and public safety depend on power and electric grids, but potential adversaries could use cyber vulnerabilities to disrupt them on a massive scale. The Internet and e-commerce are keys to our economic competitiveness, but cyber criminals have cost companies and consumers hundreds of millions of dollars and valuable intellectual property.

The threats we face range from individual criminal hackers to organized criminal groups, from terrorist networks to advanced nation states. Defending against these threats to our security, prosperity, and personal privacy requires networks that are secure, trustworthy, and resilient. Our digital infrastructure, therefore, is a strategic national asset, and protecting it — while safeguarding privacy and civil liberties — is a national security priority.

We will deter, prevent, detect, defend against, and quickly recover from cyber intrusions and attacks by:

Investing in People and Technology: To advance that goal, we are working across the government and with the private sector to design more secure technology that gives us the ability to better protect and to improve the resilience of critical government and industry systems and networks. We will continue to invest in the cutting-edge research and development necessary for the innovation and discovery we need to meet these challenges. We have begun a comprehensive national campaign to promote cybersecurity awareness and digital literacy from our boardrooms to our classrooms and to build a digital workforce for the 21st century.

Strengthening Partnerships: Neither government nor the private sector nor individual citizens can meet this challenge alone — we will expand the ways we work together. We will also strengthen our international partnerships on a range of issues, including the development of norms for acceptable conduct in cyberspace; laws concerning cybercrime; data preservation, protection, and privacy; and approaches for network defense and response to cyber attacks. We will work with all the key players — including all levels of government and the private sector, nationally and internationally — to investigate cyber intrusion and to ensure an organized and unified response to future cyber incidents. Just as we do for natural disasters, we have to have plans and resources in place beforehand.
(emphasis added)

*Yawn*. What a disappointment. So, we're going to "secure cyberspace" through "investing in people and technology" and "strengthening partnerships." Lame. Weak. I'd go so far as to say irresponsible. It's clear that the national digital security policy situation has degraded since the President's speech on cyber security last May. That's right, it's been one year and all the President has to show on this is... Howard Schmidt, who is mostly famous for saying "There is no cyberwar" because "There are no winners in that environment." He also said:

"A cyberwar is just something that we can't define," he said. "I don't even know (how a) cyberwar would benefit anybody. Everybody would lose. There's no win-lose in the cyber realm today. It affects everybody; it affects businesses, it affects government, so number one, there's no value in having one."

What a disappointment.

7 comments:

Keydet89 said...

Richard,

What would you suggest as a strategy?

dearista said...

I thought Schmidt was a Microsoft lobbyist? Oh, right, ....
I agree it is lame, but what I truly find irresponsible is how long the govt. is languishing in this state of affairs without putting more funding into research. Not cheaper-faster-better technology enhancements, but theoretical understanding of this very complex problem.
Every day it seems those who claim to 'know better' need to take their vocation and work the system, and hopefully effect change. Yes, funding would be nice :)
Dan

"If I'd asked my customers what they wanted, they'd have said a faster horse."
- Henry Ford

Richard Bejtlich said...

Harlan -- my post

http://taosecurity.blogspot.com/2009/05/president-obamas-real-speech-on-cyber.html

where I wrote as if I had the President's cyber security speech, outlines what I propose.

joe st sauver said...

The first step toward a national security strategy for cyberspace is understanding what cyber war, cyber terrorism, and cyber espionage are, and what those terms mean. You can see my take on that point in
http://www.uoregon.edu/~joe/cyberwar/cyberwar.pdf

The second step is to recognize that the government has a cyber security responsibility to the general public, it isn't just responsible for protecting itself online. See http://www.uoregon.edu/~joe/ecrime-summit/ecrime-summit.pdf

The third step is beginning to articulate concrete steps that those in the government, as well as private companies and individuals, can take to actually improve their cyber security. Google, for example, reportedly just decided that it will no longer use Microsoft Windows because of the security risks they perceive to be associated with that operating system. What advice does the government have for American citizens? Surely we have some of the best cyber security minds in the world working in Washington, so why do we never hear any recommendations from them about how to be more secure online, eh?

The fourth step is for the government to begin publicly documenting what it sees. Currently the best-documented public cyber intelligence is probably from Spamhaus. They describe what they're seeing, and they offer actionable intelligence in the form of IP and domain name block lists, and things like the Do Not Route or Peer (DROP) list. Why isn't the government doing the same thing?

And finally, we need an aggressive program tackling cyber crime, particularly "franchised" cyber crime -- affiliate programs and the like -- and the infrastructure that supports it (particularly financial channels and product fulfillment/shipping channels).

In my opinion, if you handle those five steps, you'll be well on your way to substantially improving our nation's cyber security. Will you fix all the issues we confront online? No. But you will substantially change the game, and substantially improve our chances of success.

Regards,

Joe

Brian said...

I agree, this seems sorely lacking. Perhaps there is more going on behind the scenes, however? My guess is that the government is not going to lay out all their plans for their adversaries to see...

webjedi said...

Most of your good security folks spend too much of their time trying to fight the "checkbox" security model. They are also apt to succumb to the 'shiny keys' distraction, that is... somebody in government infosec has something that's "supposedly working" .. which gets the attention of "leaders" only to then change ship in mid-course of whatever they were doing (say, engineering) to chase down that new "shiny thing".

Unfortunately, as I see in the leadership in DC when it comes to InfoSec, none of them were Ops people... all policy, no substance. This is why Rich and others' noting "threat management and identification" isn't grasped. Letting a former vendor rep sit as your "cybersecurity" chief, when that vendor is probably the WORST example (say, next to Adobe now) of a company who's got a grasp of things. While some of these folks are enthusiastic (Vivek) - I doubt many of them have REALLY cut their teeth doing the work to understand the problem.

Vivek is my age... he's the CIO... dunno what he did previous to that, but I doubt it didn't involve actually, say, installing and securing a *NIX environment in a live-fire network. Much of the same goes for those who participated in the simul-attack earlier this year... do any of them understand what they were trying to react to? Had any of them come and listened to Rich's TCP/IP Weapons School? Until we get a hacker (in the traditional sense) up higher in these ranks, I'll still call B.S. on policy and direction.

okay, rant off...

gih said...

It is somewhat an idea to overcome any circumstances that may interfere.