Sharing is the key to cybersecurity
The first step is admitting you have a problem.
Last week, the Center for Strategic and International Studies' Commission on Cybersecurity for the 44th Presidency issued a report on the nation's cybersecurity efforts. And it was, to say the least, unkind in its assessment of how government is handling the issue. With cybersecurity and cyberwarfare tasks spread across multiple agencies and departments, CSIS found that a cabinet-level position was required for national cybersecurity coordination.
While the threat of cyberwarfare has been made clear by events in Georgia this last summer, and in Estonia last year — and on the networks of the Department of Defense last month, for that matter — there is little in the way of coordination between U.S. agencies and private industry in the realm of assessing and responding to cyber threats. At last week's AFCEA Solutions conference on cyberspace, there were a number of discussions on ways to improve the situation, but in general there was more discussion of how poor coordination was than there was discussion of how to solve it.
This week Business Executives for National Security (BENS) is conducting Cyber Strategic Inquiry 2008, a cyber war-game — a strategic simulation — in an effort to help kickstart some creative thought about how to solve the problem and meet the potential threat of a cyber attack against the U.S. The event has the Defense Department's attention and participation: Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, will be speaking at the event on Dec. 17. BENS has conducted similar "wargames" for dealing with pandemic outbreaks, Alzheimer's research and port security, according to Mark Gerenscer, senior vice president of Booz Allen Hamilton and a BENS member.
I spoke with Gerenscer at the AFCEA event last week about the threat cyberwarfare poses to the U.S. and to DOD, and about the need for cross-organizational openness to meet challenges like cybersecurity. He said that the cyber threat requires a whole new level of thinking and information sharing — the sort of approach outlined in the book he co-authored, Megacommunities — where information sharing can help create an environment for innovation and problem solving where all parties benefit.
In a nutshell, it's an open-source approach — the creation of a community around a common problem that creates solutions everyone can share and build upon, much like what was done with Linux. Gerenscer said that if IBM had embraced that approach earlier, perhaps they wouldn't have had to go through the traumatic realignment they did.
The problem is, the enemy is using the open source approach already, or commercial derivatives of it. Exploits, shared toolkits and a marketplace of ideas are all available to would-be cyber warriors and criminals, yet information about what they do is kept close to the vest by their targets.
The same approach being used by the Joint Tactical Radio System Joint Program Executive Office to manage the development of the Software Communications Architecture — shared information, gated by need to use, contributed to by all who use — would be one way to help at least lessen the risk to the national infrastructure. Perhaps that should be at the top of the list for whomever President-Elect Obama hands the cyber problem to.
Posted by Sean Gallagher on Dec 15, 2008 at 8:12 AM