Gaping holes remain in US cybersecurity plan

President Obama's 2009 cyber policy review made 24 recommendations; only two have been fully implemented

It's a huge undertaking, but the overarching strategy to protect US assets from cyber attack remains pretty much just a paper plan.

Of the 24 recommendations for online infrastructure protection in President Obama's 2009 cyber policy review, only two have been fully implemented and 22 are partially implemented, according to a report today from the watchdogs at the Government Accountability Office. The two fully implemented recommendations involve appointing, within the National Security Council, a cybersecurity policy official (Special Assistant to the President and Cybersecurity Coordinator) responsible for coordinating the nation's cybersecurity policies and activities, and a privacy/civil liberties official.


One example of a partially implemented recommendation is the item requiring the US to build a cybersecurity-based identity management plan and strategy that addresses privacy and civil liberties, leveraging privacy-enhancing technologies. In June 2010, the administration released a draft strategy (National Strategy for Trusted Identities in Cyberspace) that seeks to increase trust associated with the identities of individuals, organizations, services, and devices involved in financial and other types of online transactions, as well as to address privacy and civil liberty issues associated with identity management. The administration plans to finalize the strategy in October 2010, the GAO stated.

The problem, as the GAO spells it out, is that federal agencies have yet to be assigned roles and responsibilities to implement a large majority of the near- and mid-term recommendations specified in the review. "Federal agencies appear to be making progress toward implementing the recommendations, but lack milestones, plans, and measures that are essential to ensuring successful recommendation implementation. The shortcomings are attributable in part to the Cybersecurity Coordinator position being vacant for a critical period of time immediately following issuance of the recommendations. Consequently, going forward, it is essential that the Cybersecurity Coordinator address these shortfalls. Until then, there is increased risk the recommendations will not be successfully completed, which would unnecessarily place the country's cyber infrastructure at risk," the GAO stated.

The following are all 24 recommendations:

  • Appoint a cybersecurity policy official responsible for coordinating the Nation's cybersecurity policies and activities.
  • Establish a strong National Security Council directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the National Economic Council, to coordinate interagency development of cybersecurity-related strategy and policy.
  • Update the 2003 National Strategy to Secure Cyberspace to secure the information and communications infrastructure. This strategy should include continued evaluation of Comprehensive National Cybersecurity Initiative activities and, where appropriate, build on its successes.
  • Designate cybersecurity as one of the President's key management priorities and establish performance metrics.
  • Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
  • Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the federal government.
  • Initiate a national public awareness and education campaign to promote cybersecurity.
  • Develop US government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.
  • Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement.
  • In collaboration with other Executive Office of the President entities, develop a framework for research and development strategies that focuses on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.
  • Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.
  • Improve the process for resolution of interagency disagreements regarding interpretations of law and application of policy and authorities for cyber operations.
  • Use the OMB program assessment framework to ensure departments and agencies use performance-based budgeting in pursuing cybersecurity goals.
  • Expand support for key education programs and research and development to ensure the Nation's continued ability to compete in the information age economy.
  • Develop a strategy to expand and train the workforce, including attracting and retaining cybersecurity expertise in the federal government.
  • Determine the most efficient and effective mechanism to obtain strategic warning, maintain situational awareness, and inform incident response capabilities.
  • Develop a set of threat scenarios and metrics that can be used for risk management decisions, recovery planning, and prioritization of research and development.
  • Develop a process between the government and the private sector to assist in preventing, detecting, and responding to cyber incidents.
  • Develop mechanisms for cybersecurity-related information sharing that address concerns about privacy and proprietary information and make information sharing mutually beneficial.
  • Develop solutions for emergency communications capabilities during a time of natural disaster, crisis, or conflict while ensuring network neutrality.
  • Expand sharing of information about network incidents and vulnerabilities with key allies and seek bilateral and multilateral arrangements that will improve economic and security interests while protecting civil liberties and privacy rights.
  • Encourage collaboration between academic and industrial laboratories to develop migration paths and incentives for the rapid adoption of research and technology development innovations.
  • Use the infrastructure objectives and the research and development framework to define goals for national and international standards bodies. Implement, for high-value activities (like the Smart Grid), an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy.
  • Refine government procurement strategies and improve the market incentives for secure and resilient hardware and software products, new security innovation, and secure managed services.

Follow Michael Cooney on Twitter: nwwlayer8  


Copyright © 2010 IDG Communications, Inc.
