Network World - When the first salvos of cyberwar are fired against the United States, the responsibility to defend the country falls to the president who, aided by advisers from the broad spectrum of government agencies and also the private sector, must feel his way along an uncertain path to decide the appropriate response.
Because possible return fire could come from traditional military, intelligence, diplomatic or economic agencies -- and perhaps even from private business -- the United States needs a set of policies and procedures for cyberwarfare that are still in the making, experts say.
The president's top cyber adviser, Howard Schmidt, has said in interviews that responsibility for cybersecurity is shared between the public and private sectors. Within the government it will be shared among agencies, but not in a well-defined way. "Who's in charge?" asks Jamie Sanbower, the director of security for Force 3, an integrator that works with the federal government. "That's the number-one challenge we're facing right now."
Emerging as a powerful player is the appointed head of the U.S. military Cyber Command, Army Lt. Gen. Keith Alexander, who is the director of the National Security Agency (NSA) and would retain that title if his appointment to CyberCom is approved by the U.S. Senate, indicating the broad reach and central authority the president believes is needed to respond to attacks. But it makes Congress jumpy, and it has reportedly sought an explanation from the Department of Defense about what shape the relationship between the Defense Department and the NSA would take.
Meanwhile, Schmidt's role as White House adviser on cybersecurity has no such concentrated authority. His direct boss is not the president, but rather two separate groups, the National Security Council and the National Economic Council, both of which report to the president. That assignment of authority appears to limit Schmidt, but also points to the broad nature of the cyber threat.
Contributing to the difficulty of creating a cyberwar framework is that the rules of engagement remain uncertain. In a conventional military confrontation -- known as kinetic war -- centuries of conflict have yielded a set of agreed-upon procedures for what constitutes war and what the acceptable responses to attacks are. Cyberwar, ill-defined as it is, has no such procedures.
That leaves the U.S. government scrambling to establish a chain of command for cyberwar in which threats can vary, Sanbower says, from cyber spying on government and industry to defacement and take-down of government Web sites to attacks on critical infrastructure that incapacitate, for example, the country's electrical grid.
In response to public concern about its cyber defenses, Schmidt recently released a declassified version of the Comprehensive National Cybersecurity Initiative (CNCI), which contains a 12-point list of things that ought to be done to protect against attacks, including defining who will do what in response.