The shift to cloud computing offers an opportunity to better secure the national digital infrastructure by concentrating the burden of cyber security among a relatively small number of service providers rather than thousands of individual businesses, according to a report by a foreign policy think tank.
"Cloud computing has weaknesses, but it also offers the opportunity to aggregate and automate cyber defense," according to a new report by the Center for Strategic and International Studies. The report, "Cybersecurity Two Years Later," is a follow-up to "Securing Cyberspace for the 44th Presidency," which the group issued in 2008.
"Much of the burden of security will shift from consumers and businesses to service providers that may be better equipped to meet advanced challenges," the new report says. "The move to the cloud is not a silver bullet that will solve all cybersecurity problems, but it is part of a larger move to a more mature infrastructure that includes the automation of security practices and monitoring, such as the Security Content Automation Protocol (SCAP), particularly if we find a better way for service providers to work more effectively with government agencies."
In the two years since the foreign policy think tank issued its first report the Obama administration has fallen short of implementing measures that would protect the US from cyber attacks, the new report says.
The good news is that the US is not engaged in a cyber war and it is not suffering cyber attacks from terrorists. The bad news is that if it were, it couldn't do anything about it. "Should this change the United States is unprepared to defend itself," the report says. Cyber spying and cybercrime are the two big threats the country faces.
Public/private partnerships to formulate and implement cyber security won't work and should be dropped, the report says. "The goal for 2011 should be to issue a comprehensive national strategy based on new ideas rather than recycling the 2003 strategy," it says. "This means no appeals to public/private partnerships, information sharing or unilateral efforts at deterrence, as were made in the 2003 strategy."
The organisational structure has been put in place to protect government and military sites, the report says. "But no one in particular defends private networks, where our policy is to rely on some combination of individual action, encouragement, leadership by example and faith in market forces. The market will not deliver adequate security in a reasonable period, and voluntary efforts will be inadequate against advanced nation state opponents."
Stuxnet, the sophisticated worm that destroyed some equipment in the Iranian nuclear programme, is just the beginning of similar attacks that private businesses cannot defend against. "The market will not deliver adequate security in a reasonable period, and voluntary efforts will be inadequate against advanced nation state opponents," according to the report. Federal laws and regulations are needed instead.
Authentication for anyone using critical infrastructure should be implemented. "This would affect fewer companies and no consumers," the report says, making it more palatable. "Some companies do a good job. Others (about half) still rely on easily cracked passwords to secure sensitive functions, including control systems."
There is general recognition that educating more cybersecurity experts is key, but lagging. "However as with much else in cybersecurity policy, the problem has been identified, initial steps have been taken, but there has been slow progress in changing the situation from where we were two years ago," it says.
The federal government should set security standards on products it buys to encourage general use of more secure infrastructure, the report recommends.
Laws governing cybersecurity are actually laws written for other circumstances but being applied to cybersecurity, the report says. An overhaul is needed to address the specifics of cybercrime and cyber attacks.
Community of nations
The US needs to sway other nations to embrace cybersecurity. "Other nations with very different political values are challenging the original, US-centric idea of governance by a private, global community," the report says. "The United States needs to articulate a positive agenda of norms, consequences, and cooperation."
Progress has been made, but not enough. "There are still few consequences for malicious activity in cyberspace, and there are no cooperative structures to create such consequences," the report says.
Pushing the authority of the US Cyber Command into civilian areas such as Tier 1 service providers is desirable from a security standpoint but politically volatile, the report says. "Any discussion of an expanded military role in defending civilian networks runs into powerful antibodies that grow out of civil liberty and privacy concerns. Historical precedent also limits the role of the military in civilian affairs," the report says.
Public sensitivity to privacy encroachment that was heightened by a massive communications surveillance campaign initiated during the George W. Bush administration needs to be lessened through use of the presidentially appointed Privacy and Civil Liberties Oversight Board, the report says. Frequent PCLOB reports could rebuild public trust.
"Our 2008 report concluded that cybersecurity is now one of the major national security problems facing the United States and that only a comprehensive national strategy consistent with US values would improve the situation," the report says. "Many in the current administration share these conclusions, but progress has been slow."
The report says there are symptoms that those in charge of cyber defence are behind the times. "Our policies have not kept up with technology or the emergence of the global network," the report says. "Discussion remains wedded to ideas developed when the Internet was smaller, largely American, and much less important for our economic life. These policies are no longer adequate for global commerce and national security, but there is real resistance to change."
Arguments that innovation would be hampered by restrictive measures that would improve security are simplistic, the report says. "It does little to help innovation and growth if foreign competitors can steal by the truckload the results of investments in research and intellectual property because of weak cybersecurity," it says.
"The process of rethinking cybersecurity will be difficult, but this situation is not new," the report says. "Every time a new technology has emerged to reshape business, warfare, and society, there has been a lag in developing the rules needed for public safety. Cyberspace is different only in its global scope and in its urgency."