The US Department of Homeland Security has failed to ensure the nation's cybersecurity, because the threat of cyberattacks is too vast for any one agency to tackle and must be addressed by a new White House office, as well as revised laws and government practices, a report released on Monday concludes.
As president-elect Barack Obama fills the remaining cabinet positions in his administration, a Center for Strategic and International Studies commission is recommending that Obama creates a new office in the White House: the National Office for Cyberspace, headed by an 'assistant to the president for cyberspace'.
The Commission on Cyber Security for the 44th Presidency, an independent, non-partisan group, released its final report on Monday after more than a year of exploring how to address threats to the country's cybersecurity.
"America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009," the report states. It is "a battle fought mainly in the shadows. It is a battle we are losing".
The immediate risk is to the economy, the report concludes, given the widespread use of cyberspace to conduct commerce and store intellectual property. However, the scope of threats is much more far-reaching, the commission said, with the most dangerous threats coming from the military forces and intelligence services of other nations.
President Bush charged the Department of Homeland Security (DHS) with tackling cyberterrorism when he created the department in 2002. The DHS runs the National Cybersecurity Center, yet it is not prepared to address cybersecurity threats, the Government Accountability Office reported in September. The National Cybersecurity Initiative, established by Bush in January, has received harsh criticism as well, particularly for being too secretive.
Monday's report acknowledges that the next administration will have to strengthen the DHS but concluded that even a bolstered DHS "is not the agency to lead in a conflict with foreign intelligence agencies or militaries, or even well-organised, international cybercriminals".
One of Obama's earliest actions as president, the commission recommends, should be to make a statement declaring cyberspace a vital national asset that will be protected by all instruments of national power.
New White House office, new regulations
That would mean putting in place a national, comprehensive strategy led by a National Office for Cyberspace and an assistant to the president for cyberspace, the commission said.
The recommended executive office, staffed by 10 to 20 employees, would merge the DHS National Cybersecurity Center and the Joint Interagency Cyber Task Force (created by the director of national intelligence).
The new office should take a "federated approach" to governing across agencies, modelled after the Office of the Director of National Intelligence, the commission said.
Along with the new office, Obama should establish a new cyberspace directorate in the National Security Council that absorbs existing Homeland Security Council functions, the commission recommended.
"The split between 'homeland' and 'foreign' makes no sense for cybersecurity and, in a globalised world, makes little sense for US security in general," the report states.
The National Office for Cyberspace's overarching responsibilities would include issuing security standards for cyber-infrastructure to other agencies, and monitoring their compliance. To best achieve this, the commission said, the Federal Information Security Management Act would have to be revised to allow the National Office for Cyberspace to more closely monitor other agencies' cybersecurity efforts.
Other new regulations could include a mandatory requirement for agencies to contract only with telecommunications carriers that use secure internet protocols.
Criminal laws, like the Wiretap Act and the Stored Communications Act, also need to be reviewed, the commission said, to reflect modern realities, such as the potential need for rules for remote online execution of a data warrant.
Partnerships abroad and in the private sector
As the US reinforces its own cybersecurity practices, it should continue to do so at the international level as well, the commission said. The US should encourage other nations to ratify the Council of Europe Convention on Cybercrime, it said, and can reinforce such international cybersecurity norms with the threat of sanctions for non-compliance.
Better communication and trust also needs to exist between the public and private sectors, the commission said. It recommended that the next president creates three new public-private advisory groups dedicated to cybersecurity, including a presidential advisory committee to provide a line between the White House and executives from critical cyberinfrastructure companies.
The commission's report identified four critical cyber-infrastructures: energy, finance, the converging information technology and communications sectors, and government services.
"They form the backbone of cyberspace," the report states.
