Strengthening defenses against cyberwar

* Paper says the nation is unprepared

In my last column, I pointed to a valuable paper from _NATO Review_ in Winter 2001-2002 that you can use in educating upper management about the strategic importance of information assurance not only for your organization but also for your nation. Today I want to point you to another valuable resource along the same lines: a white paper prepared by the Business Roundtable.

Published in June 2006, the paper is called “Essential Steps to Strengthen America’s Cyber Terrorism Preparedness: New Priorities and Commitment from Business Roundtable’s Security Task Force.” The 21-page report has four sections:

I. Introduction and Background

This section provides an non-technical overview of the importance of “the Internet and its communication infrastructure” for the “information exchange that is vital to our nation’s security and our economy.” The authors point out that we are simply not ready for failure of the Internet: “well-intentioned government officials and industry leaders are not currently in a position to synchronize efforts and deploy coordinated and tested capabilities to restore Internet services.”

Subsections are titled “The Problem: Our Nation Is Unprepared to Reconstitute the Internet after a Massive, Nationwide Disruption” (p. 7 using the PDF file pagination), “Stakes Are High for Economic Security and Preparedness” (p. 8) and “Roundtable Role: Identify Gaps and Recommend Solutions.” (p. 9).

II. Significant Cyber Gaps

“The Roundtable’s review of Internet-response programs highlights three significant gaps in our nation’s ability to reconstitute the Internet following a major disruption.” These are elaborated upon with about one page per topic (quoting exactly but without quotation marks):

Gap Number 1: Lack of Formal “Trip Wires” to Indicate an Attack Is Under Way (p. 7)

Gap Number 2: Lack of Accountability and Clarity on Which Institutions Provide Reconstitution Support (p. 8)

Gap Number 3: Lack of Resources for Institutions that Must Reconstitute Internet Infrastructure. (p. 9)

III. Roundtable Recommendations

In this section, the authors provide one or two paragraphs for each of the following headings and subheadings (again, I’m quoting without inserting quotation marks):

* The private sector must undertake most of the responsibility for fixing weaknesses in key Internet assets. (p. 13)

- Establish a single point of contact and responsibility for government interaction.

- Set strategic needs and direction.

- Consolidate early warning and response organizations.

- Agree on an information-sharing mechanism.

* The federal government should complete response plans by defining key terms and responsible parties. (p. 14)

- Communicate the government’s policy for reconstitution of the Internet.

- Fix the NRP’s Cyber Annex.

- Develop a national economic recovery system.

* The private sector and the government should cooperate to create joint public and private programs and institutions. (p. 16)

- Improve the ability to warn globally about Internet attacks.

- Increase the ability to respond quickly.

- Create a panel of subject matter experts.

- Exercise, train and develop processes from lessons learned.

- Develop a joint program to shore up market confidence.

- Provide effective oversight and strategic direction.

IV. Conclusion (p. 19)

The authors end succinctly as follows:

"The lack of a national policy on Internet reconstitution could undermine the economy and the security of the nation. The gaps identified from this analysis, as well as the possible solutions, do not require extensive funding. In addition, implementation of these recommendations does not require massive reorganization of the government.

"Instead, both the public and private sectors must commit to focus their efforts and funding on specific capabilities to have strategies and plans in place to reconstitute the Internet following a significant disruption. A coordinated response will help our nation and our economy recover more quickly following a cyber attack."

In this case, the report will be useful in focusing your attention and that of your colleagues on how you can contribute to a national discussion of this aspect of critical infrastructure protection. If you are in the United States and have not already joined your local chapter of InfraGard, this useful document can serve as part of the justification to your managers for your involvement in the organization.

Related:

Copyright © 2007 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022