, SecurityFocus 2009-02-19
ARLINGTON, VA As the Obama administration embarks on a 60-day review of the United States' cyber policy, an advisor to the president's campaign argued that the government needs to quickly come up with answers to a few thorny cyberspace questions.
Speaking to attendees at the Black Hat Security Briefings near the capitol on Wednesday, Paul Kurtz — an advisor to both the Clinton and Bush administrations on cyber policy — urged the current administration to formulate a strategy regarding the role of the intelligence community in defending cyberspace, the development and deployment of cyber weapons and which agency should lead in the event of a major Internet outage or attack.
The issues need to be addressed in the 60-day cybersecurity policy review being conducted by Melissa Hathaway, the top advisor on cyberspace in the Office of the Director of National Intelligence, Kurtz said. With regular attacks targeting government computers over the Internet, the United States should establish a strong national Internet policy.
"We are in the danger zone today, but it is fair to let the administration get its hands dirty and understand the issues," Kurtz said, adding that a 60-day timeframe to accomplish the review is very aggressive.
All three policy topics have become major issues in government circles, as online attackers continue to brazenly attack U.S. network and computer systems. In the past few years, a number of government agencies — including the Departments of Commerce, Defense and State — have suffered attacks and intrusions into their sensitive systems. Many of the attacks come from Internet addresses in rival nations, raising policy questions about whether such attacks might be acts of war. The issue is not limited to the United States: Russian sympathizers have leveled serious online assaults against networks in the nations of Estonia, Georgia and Kyrgyzstan.
However, while the United States has embarked on the Comprehensive National Cybersecurity Initiative (CNCI), an ambitious project to secure government systems, the broad policies regarding intelligence gathering, cyber weapons and the lead agency in cyberspace remain unresolved.
"I don't think we have an answer (to those questions), and that is pretty scary," Kurtz said.
The first issue to tackle is how to combine information from the private sector and government — specifically, law enforcement and intelligence services — to help pinpoint attackers and respond to incidents, he said. Many companies do not share information with the government, unless required by law or as part of their contract with a federal agency. Just as bad, the government's release of incident information is glacially slow, said one employee for a large government contractor, who asked not to be identified.
"They want to get all this information from us, but the information that we get back is six- to nine-months old and we have already heard it from someone else," the worker said.
Contractors that work for the Department of Defense have to take part in the Defense Industrial Base Network, or DIBNet, and are required to share information on breaches and incidents, referred to as advanced persistent threats, or APTs. While the one-sided relationship can be improved, the government will only be requesting more information from companies, not less, Kurtz said.
Moreover, combining that intelligence with incidence information from different agencies, so as to form the clearest picture of threats to U.S. cyberspace, has become extremely important. Just as the National Counterterrorism Center (NCTC) was formed to create a single hub for mining disparate reports and creating intelligence on on terrorist activity, a national cyber center could bring together information on cybercrime and cyber attacks, Kurtz argued.
"When I think of deterrence in cyberspace, a lot of what you can do depends on who," Kurtz said. "If you don't know who is behind the attack, then you can't target their systems as part of a deterrence policy."