, SecurityFocus 2009-03-11
It's high time that the United States drew a line around its networks and pledged to defend its interests in cyberspace.
That's the message that five security experts delivered to Congress on Tuesday, along with a scathing review of the state of the nation's cybersecurity posture. With critical infrastructure still open to online attack and information of national importance regularly stolen by network intruders, the United States must develop the equivalent of a Monroe Doctrine for the Internet, defining what constitutes its cyberspace and pledging to defend its virtual borders, the experts told Congress.
The most forceful proponent of the ultimatum was Mary Ann Davidson, the chief security officer of business software vendor Oracle.
"The advantages of invoking a Monroe-like Doctrine in cyberspace would be to put the world on notice that the U.S. has cyber 'turf,' ... and the second is that we will defend our turf," Davidson told the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology in a prepared statement. "We need to do both — now."
The Monroe Doctrine is named for U.S. President James Monroe, who warned the nations of Europe in 1823 that any interference or further colonization of the Americas would be considered infringing on the United States sovereignty and would be considered an act of aggression, requiring a — possibly armed — response. The doctrine was cited by later U.S. presidents as a reason for armed action, including by President John F. Kennedy during the Cuban Missile Crisis.
Such a policy would not mean the militarization of cyberspace, Davidson stressed.
"A cyber-Monroe Doctrine (should not) lead to permanent government encampments in private networks," Davidson said. "With proper guidance, various government agencies and the private sector can find their natural role in guarding our cyber infrastructures in a manner similar to how we currently protect our real-world interests."
Talk of formulating an aggressive doctrine in cyberspace comes as the Obama administration embarks on a 60-day review of the nation's cybersecurity strategy, which is slated to be finished by the end of April. The review will determine how the previous administration's Comprehensive National Cybersecurity Initiative (CNCI) should be changed to better secure and protect U.S. networks.
The review should address the development of a doctrine for cyberspace, identifying which agency will lead the cybersecurity charge, and what concrete steps should be taken to secure critical network infrastructure, the panel of experts said. In addition to Davidson, the panel included Dave Powner, director of information technology for the Government Accountability Office, Scott Charney, vice president of trustworthy computing for Microsoft, Amit Yoran, CEO of NetWitness, and Jim Lewis, project director of the Center for Strategic and International Studies.
Last month, Paul Kurtz, a former advisor to the Bush and Clinton administration on cybersecurity and a member of the Obama transition team on the subject, argued similarly that the U.S. needs to formulate a policy for the use of cyber weapons, choose a lead agency for cyber incidents and determine the role of intelligence agencies in cyberspace.
Recently, support has grown among some government officials and security analysts for the National Security Agency, whose mission is to defend U.S. communications and surveil the communications of other countries, to police cyberspace. Yet, last week, the head of a start-up information sharing initiative housed in the U.S. Department of Homeland Security resigned, criticizing the NSA's influence in cybersecurity initiatives.