CEO Blog
President Obama’s Cybersecurity Review
Wednesday, June 10th, 2009
This past weekend marked the 65th anniversary of the invasion of Normandy by the Allied Expeditionary Force, otherwise known as D-Day. After ordering the long planned attack, General Eisenhower issued what is easily the best known “order of the day” part of which read:
“Soldiers, Sailors, and Airmen of the Allied Expeditionary Force: You are about to embark upon the Great Crusade toward which we have striven these many months. The eyes of the world are upon you. Your task will not be an easy one. Your enemy is well trained, well equipped and battle-hardened. He will fight savagely. I have full confidence in your courage, devotion to duty and skill in battle. We will accept nothing less than full Victory!”
In announcing his cybersecurity initiative ten day ago President Obama released the intended blueprint of what is required for us to achieve victory in this conflict. The blueprint is contained in the Cyberspace Policy Review he chartered Melissa Hathaway to conduct in February.
It’s a fascinating document for anyone with any interest in cybersecurity in that it includes a very comprehensive review of the history of our attempts to secure both communications infrastructure going back to the invention of the telegraph. There is much to be learned from this history particularly about the pitfalls that abound when government attempts to tackle threats that move as fast as cybercrime and cyberwarfare, but as Ike said, we can accept nothing less than “Victory!”.
The Hathaway Report
Unfortunately, I think expectations in the information security community were so high that there was bound to be some disappointment when the review was finally released, and that has, indeed come to pass. Already the Hathaway report has been criticized for being too reactive, lacking detail, and its recommendations for posing a potential threat to privacy. What seems to have been lost in the intense interest in the Hathaway report is that it was a review and as such is primarily a backward looking document. The 100+ mostly solid recommendations are aimed at resolving known threats, not identifying and addressing the new classes of threats we know are coming.
My own view is that the fact the Hathaway report even exists constitutes significant progress. It’s true that there is very little in the report that is truly new. Nearly all of the problems identified and recommendations proposed rely very heavily on the CSIS report on Ensuring Cyberspace for the 44th Presidency and the proposals found in the two cybersecurity bills now being considered by the Senate.
The list of recommendations, while not as comprehensive as those of us in the security community would like, is certainly significant. To the extent that I can find fault in the Hathaway report, it would be in the lack of recommended prioritization of the proposed changes. As I’ve written previously on this topic, focus is a critical success factor in securing the nation’s Internet infrastructure and the historic lack of focus is one of the main reasons why this issue has achieved the near crisis level we now see. Perhaps it’s unrealistic to expect any kind of prioritization until the new cybersecurity coordinator is identified, but given the perspective Hathaway’s team developed during the course of their work, I think it would be a missed opportunity if we don’t at least get an opinion on this key issue from them.
The Toughest Problem?
The one recommendation I do want to highlight is the expressed need for development of a new structure to facilitate the information sharing required between the public and private sectors. In a cyberwar, the army with the best data wins. It’s somewhat analogous to the air superiority Eisenhower knew he had to have in advance of the Normandy invasion. To win this battle, we’ll need to establish and maintain “data superiority” over our enemies.
It’s fairly obvious then that if we are to truly defend ourselves from the bad actors that wish to harm our Internet infrastructure, we’ll need to find a way to share attack and defense information across the private/public boundary that currently inhibits this type of information sharing. This is not a one-sided problem in which either the public or the private sector is refusing to share the attack and breach data they’ve collected. Both sides currently have a long list regulatory, privacy, security, intellectual property, and other issues that prevent them from simply releasing into the public domain data about the cyberattacks they experience.
Make no mistake about it; this is a big, complex, rapidly moving problem. In other words, it’s the kind of problem government is uniquely unqualified to solve. The private sector, however, is even less qualified to solve it as it has even more conflicting objectives surrounding this issue than the public sector does. This is the kind of problem that can only be solved with the new kind of public/private partnership to which the Hathaway report refers repeatedly. In the end this may not, in fact, be the hardest problem we face in cybersecurity, but I’m betting it’s near the top of the list.
Timing is Everything
While most Americans can tell you what happened on the beaches of Normandy on June 6, 1944, what few know is that Eisenhower had been lobbying to open a western front as early as 1942. Twice the British convinced Roosevelt that such an attack was premature and to instead invade first Africa and then Italy which they viewed as more achievable objectives at the time. Conventional wisdom amongst historians is that Operation Overlord occurred just about as early as it could have to be successful. I believe there is one final lesson to be learned from the D-Day invasion that informs our cybersecurity strategy and it’s this. The key to overall success on this topic depends not on one big victory, but in achieving a series of smaller victories. We can’t delay engaging in this battle to fight others, but building on a track record of success will be key to garnering the resources required for ultimate victory.
Like the Allied Expeditionary Force our enemy is well trained, well armed, and battle hardened. We will need to defeat them not just once, but over and over. I am convinced, like Eisenhower was, that victory is both achievable and necessary to protect our way of life.