A panel of web experts from the government, private and military sectors released a report yesterday urging the next president to establish a new office of cyberspace security and begin federal regulation of the Internet.
The report, “Securing Cyberspace for the 44th Presidency,” from the Center for Strategic and International Studies, a Washington, D.C., think tank established during the Cold War, alleges the Department of Homeland Security has failed to secure the Internet and new measures are needed – despite inevitable concerns about online privacy – to keep America safe.
“We still have an industrial-age government that was organized a century ago,” said Jim Lewis, one of CSIS’s directors, as reported by the San Francisco Chronicle. “The DHS has a 1970s-style solution to a 21st century problem.”
“The United States must treat cybersecurity as one of the most important national security challenges it faces,” the CSIS panel asserts in its report. “This is a strategic issue on par with weapons of mass destruction and global jihad.”
To back its claim, the panel cites a litany of cybersecurity breaches that it claims hit sensitive areas in 2007 alone:
“The unclassified e-mail of the secretary of defense was hacked, and DOD officials told us that the department’s computers are probed hundreds of thousands of times each day,” the panel reports. “A senior official at the Department of State told us the department had lost ‘terabytes’ of information. Homeland Security suffered break-ins in several of its divisions, including the Transportation Security Agency. The Department of Commerce was forced to take the Bureau of Industry and Security off-line for several months, and NASA has had to impose e-mail restrictions before shuttle launches and allegedly has seen designs for new launchers compromised.
“Recently the White House itself had to deal with unidentifiable intrusions in its networks,” the report continues. “Senior representatives from the intelligence community told us that they had conclusive evidence, covertly obtained from foreign sources, that U.S. companies have lost billions in intellectual property.”
To counter the reported attacks, the panel recommends steps that, by the CSIS’ own admission, may raise privacy concerns for American citizens.
While acknowledging the benefit of online anonymity, the report nonetheless contends there must be better systems in place to authenticate Internet users’ digital identities.
“Creating the ability to know reliably what person or device is sending a particular data stream in cyberspace,” the panel states, “must be part of an effective cybersecurity strategy.”
The report continues, “We appreciate that many may be concerned about where this [review of Internet usage laws] may lead.”
The panel acknowledges police may worry new laws might make enforcement difficult, companies may worry that new laws may hinder online business, and, “Civil libertarians may worry that, in a world consumed with terrorism, the protection for civil liberties may take a back seat to national security and public safety.”
“These concerns are all legitimate,” the panel admits. “But in a world where the Internet citizen is about to embrace cloud computing (or, put another way, in a world where a citizen’s most sensitive data may routinely be globally accessible and in the possession of third parties), we have a unique opportunity to proactively decide what the right rules should be.”
The report sets forth a seven-stage plan of recommendations for implementing its cybersecurity strategy, beginning with the next president.
“This strategy should be based on a public statement by the president that the cyber infrastructure of the United States is a vital asset for national security and the economy,” the report recommends, “and that the United States will protect it, using all instruments of national power, in order to protect national security and public safety.”
From that first step, the report recommends creating a new National Office for Cyberspace under the Executive Office of the President, partnering with the private sector, limiting the federal government’s information purchases to only secure technology, creating a digital ID for both government and private citizens online and reviewing current laws to create a market-sensitive, federally regulated Internet.
The report acknowledges several times that digital identity authentication and federal regulations may be controversial, but, the panel asserts, they are necessary.
“We believe that cyberspace cannot be secured without regulation,” the report insists. “Market forces alone will never provide the level of security necessary to achieve national security objectives.”
Regarding digital identification, the panel proposes that high-risk situations (such as accessing critical infrastructure controls) require a strong authentication system, while low-risk situations (such as accessing public government data or purchasing a pair of shoes) need not utilize increased identification measures.
Further, the report asserts, “Our discussions made it clear that government programs must provide security while also protecting privacy and civil liberties.”
“Greater security must reinforce citizens’ rights, not come at their expense,” the CSIS report concludes.
The CSIS is a bipartisan, nonprofit organization that conducts research and analysis and advises decisionmakers in government, international institutions and the private sector. Based on K Street in Washington, D.C., CSIS has approximately 220 employees and an annual operating budget of $29 million, which comes mostly from corporate, foundation and government sources.
The panel that produced the cyberspace report was chaired by Rep. James Langevin, D-R.I.; Rep. Michael McCaul, R-Texas; Scott Charney, corporate vice president for trustworthy computing at Microsoft Corporation; and retired Lt. General Harry Raduege, USAF.
At least five members of Obama’s transition team contributed to the report, and the remainder are looking forward to reviewing the recommendations, a spokeswoman told the Chronicle.
The Department of Homeland Security, however, was less enthusiastic.
“We’re the first ones to admit that there’s more work to be done,” department spokeswoman Laura Keener told the Chronicle, “but to stop midstream and reorganize the deck chairs is not an effective use of resources.”