The Department of Homeland Security has failed to ensure the nation's cybersecurity, a new report to be released Monday concludes, because the threat of cyberattacks is too vast for any one agency to tackle and must be addressed by a new White House office, as well as revised laws and government practices.
As President-elect Barack Obama fills the remaining cabinet positions in his administration, a Center for Strategic and International Studies commission is recommending Obama create a new office in the White House: the National Office for Cyberspace, headed by an Assistant to the President for Cyberspace. The Commission on Cyber Security for the 44th Presidency, an independent, nonpartisan group, releases its final report Monday after more than a year of exploring how to address the country's cybersecurity threats.
"America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009," the report says. It is "a battle fought mainly in the shadows. It is a battle we are losing."
The immediate risk lies with the economy, the report concludes, given the widespread use of cyberspace to conduct commerce and store intellectual property. However, the scope of threats is much more far-reaching, the commission said, with the most dangerous threats coming from the militaries and intelligence services of other nations.
President Bush charged the DHS with combating cyberterrorism when he created the department in 2002. The DHS runs the National Center for Cybersecurity, yet it is not prepared to address cybersecurity threats, the Government Accountability Office reported in September. The National Cyber Security Initiative established by President Bush in January has received harsh criticism as well, particularly for being too secretive.
Monday's report acknowledges the next administration will have to strengthen the DHS but concluded that even a bolstered DHS "is not the agency to lead in a conflict with foreign intelligence agencies or militaries, or even well organized international cyber criminals."
One of Obama's earliest actions as president, the commission recommends, should be to make a statement declaring cyberspace a vital national asset that will be protected by all instruments of national power.
A new White House office, new regulations
That would mean putting in place a national, comprehensive strategy led by a National Office for Cyberspace and an Assistant to the President for Cyberspace, the commission said. The recommended executive office, staffed with 10 to 20 employees, would merge the DHS National Center for Cybersecurity and the Joint Inter-Agency Cyber Task Force (created by the Director of National Intelligence).
The new office should take a "federated approach" to governing across agencies, modeled after the Office of the Director of National Intelligence, the commission said.
Along with the new office, Obama should establish a new cyberspace directorate in the National Security Council that absorbs existing Homeland Security Council functions, the commission recommended.
"The split between 'homeland' and 'foreign' makes no sense for cybersecurity and, in a globalized world, makes little sense for U.S. security in general," the report reads.
The NOC's overarching responsibilities would include issuing security standards for cyberinfrastructure to other agencies and monitoring their compliance. To best achieve this, the commission said, the Federal Information Security Management Act would have to be revised to allow the NOC to more closely monitor other agencies' cybersecurity efforts.
Other new regulations could include a mandatory requirement for agencies to contract only with telecommunications carriers that use secure Internet protocols.
Criminal laws, like the Wiretap Act and the Stored Communications Act, also need to be reviewed, the commission said, to reflect modern realities like the potential need for rules for remote online execution of a data warrant.
Partnerships abroad and in the private sector
As the U.S. reinforces its own cybersecurity practices, it should continue to do so at the international level as well, the commission said. The U.S. should encourage other nations to ratify the Council of Europe Convention on Cybercrime, it said, and can reinforce such international cybersecurity norms with the threat of sanctions for noncompliance.
Better communication and trust also needs to exist between the public and private sectors, the commission said. It recommended the next president create three new public-private advisory groups dedicated to cybersecurity, including a presidential advisory committee to provide a line between the White House and executives from critical cyberinfrastructure companies.
The commission's report identified four critical cyberinfrastructures: energy, finance, the converging information technology and communications sectors, and government services.
"They form the backbone of cyberspace," the report says.