How can the Obama administration stop the accelerating wave of hackers and cyberspies stealing government data and threatening America's critical infrastructure? According to one group that has the president-elect's ear, closing the gaps in America's defenses may require being more open.
On Monday, two senators and a commission of more than 60 IT security specialists in government and business released a set of recommendations aimed at shaping the president-elect's cybersecurity policies, and particularly his plans for a "Cyber Initiative" launched by the Bush administration in January. The White House has largely kept the details of this cyber-defense project secret, but estimates of the cost of the program have ranged as high as $30 billion.
Among the commission's recommendations: Share more of the classified program with the private sector and appoint a cybersecurity chief who will report directly to the president.
"Transparency is good," says James Lewis, who directed the commission, coordinated by the Center for Strategic and International Studies, which released Monday's report. "One of the problems with the Cyber Initiative has been that it's top secret. If you need to work with the private sector but you classify everything, that creates a dilemma."
That call for openness is more than armchair commentary. Although Obama has so far been largely silent on the question of how to stop hackers and cyberspies, the commission that wrote Monday's report includes at least three experts serving on Obama's transition team.
How to stop cyber-bullying
Evidence has accumulated for years that networks controlling many of the country's critical systems, including the financial system, transportation and power grids, may be vulnerable to digital attacks. Since 2006, hackers have gained access to unprotected systems at several infrastructure companies and extorted money, according to Alan Paller, director of the SANS Institute, a cybersecurity education and crisis management center, in an interview with Forbes.com last year.
In May, Congress held a hearing on the security of the American power grid, and lambasted officials from the North American Electric Reliability Corporation for leaving systems vulnerable to cyber attack. And more than half the infrastructure IT managers surveyed by tech analyst firm IDC for a study released earlier this month reported that industries including oil and gas, telecommunications, water, utilities, transportation, chemicals, and shipping were all unprepared for a cyber attack.
To protect those key businesses, CSIS' collection of cybersecurity insiders suggests big moves: Along with creating a new White House body that would take top-level control of the Cyber Initiative away from the Department of Homeland Security, the commission recommends that Obama create a Center for Cybersecurity Operations, where private- and public-sector network watchers could meet and share information about the threats they're facing.
Focusing on the private sector means not just cooperation but also regulation. Under the plan, a new White House-based National Office on Cybersecurity would create and enforce standards on the security of critical infrastructure networks. Any economic stimulus package aimed at rebuilding crumbling infrastructure, which Obama has proposed, would have to weave in those standards.
Regulations would affect computer system vendors, too. The commission demands that the government only buy IT products that have passed strict vulnerability tests, requiring what SANS' Paller calls "baked-in" security rather than systems that require security to be "bolted on" after they're bought. Mandating less vulnerable systems for government, Paller contends, would also make more secure systems available to the private sector.
"If the government uses its annual $70 billion in IT budget to demand security that's baked in, other buyers can, too," says Paller. "You lower the cost of buying secure technology for everyone."
Notable among the commission's members are individuals who may end up wielding influence in the Obama administration: Paul Kurtz, a security consultant for the firm chaired by former Clinton terrorism czar Richard Clarke, is part of the transition team's national security group. Dan Chenok, an executive at the federal IT contractor Pragmatics, and Bruce McConnell, a technology consultant to government contractors, are both members of Obama's transition team focused on technology and innovation.
McConnell in particular has been an active critic of the Bush administration's Cyber Initiative's secrecy. In an interview with Forbes.com last April, he said that "to protect critical infrastructure, we need to create trustworthy mechanisms for sharing information. That can't happen when one side's position is secret."
One issue that the report doesn't directly address is just how much access the Cyber Initiative should grant the government to monitor businesses for cyber attacks. One major element of the initiative involves revamping "Einstein," a Department of Homeland Security software program designed to detect intrusions on government networks. Bush's initiative would extend Einstein's coverage and allow the NSA to take partial control of the program, a response to the repeated intrusions by foreign cyberspies who have stolen White House and Pentagon data in recent years.
A revamped Einstein could also extend that security monitoring to comb the systems of private-sector infrastructure companies. Some sources close to the Cyber Initiative say the project may allow companies to voluntarily give the new monitoring software access to their networks.
But for privacy advocates, the possibility of an NSA-involved program sifting through private networks has raised hackles. Jim Dempsey, the director of public policy at the Center for Democracy and Technology, believes privacy concerns would prevent commission members from pushing for monitoring of the private sector.
But the involvement of the NSA, an agency he has described as "bent on stealing information," still raises the threat of snooping. "The apparent ascendancy of the NSA as having a dominant role in setting cybersecurity policy and implementing the program increases the risk that surveillance will trump security," he says.
But on that front, Obama may actually have more leeway than Bush, says CSIS commission director Lewis. The privacy controversy surrounding the Bush administration's warrantless NSA wiretapping made businesses and other government agencies wary of cooperating on a cybersecurity monitoring program, he says. Obama's privacy record, by comparison, remains clean.
"Because of Bush's warrantless surveillance, even a routine monitoring program was seen as a spy thing," says Lewis. "But I think there will be an improvement on that front. The new administration doesn't have the baggage that its predecessor had."