Following a 60-day review of cybersecurity in the United States, the White House today released details of a short-term action plan, which includes the appointment of a "cybersecurity policy official" - a cybersecurity czar, if you will. (PDF of full report)
In a nutshell, the report concluded that the U.S. has dropped the ball in terms of cybersecurity over the past 15 years and now needs to step up its game, both on the home front and internationally. It's time to start shaking things up. (Techmeme) From the report:
... federal leadership and accountability for cybersecurity should be strengthened. This approach requires clarifying the cybersecurity-related roles and responsibilities of federal departments and agencies while providing the policy, legal structures, and necessary coordination to empower them to perform their missions. While efforts over the past two years started key programs and made great strides by bridging previously disparate agency missions, they provide an incomplete solution. Moreover, this issue transcends the jurisdictional purview of individual departments and agencies because, although each agency has a unique contribution to make, no single agency has a broad enough perspective or authority to match the sweep of the problem.
Of course, the government can't do this alone either. It's going to take widespread cooperation between the public and private sectors as well.
The Federal government has the responsibility to protect and defend the country, and all levels of government have the responsibility to ensure the safety and well-being of their citizens. The private sector, however, designs, builds, owns, and operates most of the network infrastructures that support government and private users alike. Industry and governments share the responsibility for the security and reliability of the infrastructure and the transactions that take place on it and should work closely together to address these interdependencies. There are various approaches the Federal government could take to address these challenges, some of which may require changes in law and policy.
Uh-oh. Here it comes:
Private-sector engagement is required to help address the limitations of law enforcement and national security. Current law permits the use of some tools to protect government but not private networks, and vice versa. Industry leaders can help by engaging in enterprise information sharing and account for the corporate risk and the bottom line impacts of data breaches, corporate espionage, and loss or degradation of services. Industry leaders can demand higher assurance from vendors and service providers while taking responsibility to create more secure software and equipment. Businesses need effective means to share detection methods, information about breaches and attack methods, remediation techniques, and forensic capabilities with each other and the Federal government.
So, from the private sector perspective, where's the incentive? Keep reading:
If the risks and consequences can be assigned monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk. Government can assist by considering incentive-based legislative or regulatory tools to enhance the value proposition and fostering an environment that facilitates and encourages partnership and information sharing.
Already, the President's plan is getting some support from watchdog groups. The Internet Innovation Alliance, a Washington-based group that's backing the idea of a National Broadband Strategy, commended President Obama for bringing the issue to the forefront. In a statement, the group said:
Serious cyber-crime threats against consumers like phishing, hacking and identity theft persist, while national security challenges to government systems and critical infrastructure threaten our country every day. Overcoming these challenges to encourage widespread broadband Internet adoption requires a concerted effort with the government and private sector working closely together. The cybersecurity report and proposed action plan represent an essential first step toward a most critical goal.
The table below details the short-term action plan recommended by the cybersecurity policy review board.