A cybersecurity report published by the White House on Friday provides a list of wide-ranging guidelines advising President Barack Obama on how the government should proceed in its national plan to secure cyberspace.
It touches on everything from establishing communication networks for emergency response teams to the role government should play in the protection of critical infrastructure networks and whether or not entities that experience a breach should have to notify governments and law enforcement agencies. Privacy and civil liberties concerns receive a repeated nod, with privacy being mentioned in the report more than five dozen times.
The 76-page report (.pdf) was released in conjunction with a White House announcement that the president will be creating a new cybersecurity office and czar, as well as a privacy and civil liberties official to oversee the government's cybersecrity plans.
The report and announcement are the result of a 60-day review that Obama ordered shortly after taking office to examine the government's current cybersecurity efforts in order to guide him on how the government should proceed in this area. The review was conducted by acting White House cybersecurity chief Melissa Hathaway.
To save you the trouble of reading the entire report, hera are highlights from its recommendations:
Regarding the New Cybersecurity Czar
The new cybersecurity czar should be the White House action officer for cyber incident response. In addition, all departments and agencies should establish a point-of-contact for cybersecurity-related issues to work with the czar when needed.
The cybersecurity czar should not have operational responsibility nor have authority to make policy unilaterally but should have a role in all appropriate economic, counterterrorism and science and technology policy discussions to provide an informed cybersecurity perspective to policymakers.
The cybersecurity czar should be involved in developing a legislative agenda to take to Congress that would support the government's cybersecrity and technology plans. Government's Cybersecurity Strategy
The government should prepare a cybersecurity incident response plan in coordination with private industry.
Create an information and threat-sharing plan with private industry that protects trade secrets; develop a centralized process -- perhaps through a non-profit organization -- for communicating known threats to industry and government agencies.
Determine the role government should play in the defense of critical infrastructures, while safeguarding privacy and civil liberties. "The common defense of privately-owned critical infrastructures from armed attack or from physical intrusion or sabotage by foreign military forces or international terrorists is a core responsibility of the Federal government," the report states. "The question remains unresolved as to what extent protection of these same infrastructures from the same harms by the same actors should be a government responsibility if the attacks were carried out remotely via computer networks." The report goes on to indicate that "key elements of the private sector have indicated a willingness to work toward a framework under which the government would pursue malicious actors" and assist the private sector with information and technical support to secure its networks.
Work with like-minded nations to address questions about territorial control and use of force when it comes to responding to cybercrime, data protection and other issues.
Work with state and local partners to institute purchasing strategies that will pressure vendors to make more secure products and services for the public. The government might also explore ways to reward good security practices and punish poor ones through indemnification, tax incentives and regulatory requirements.
Encourage state and local governments to designate a single cybersecurity leader to coordinate activities in their communities and with the federal government. The federal government should also work with fusion centers that have been set up around the country.
In order to better track network intrusions, the government should look at breach notification laws and consider forcing entities that experience an intrusion to report the incident not only to victims of the intrusion but also to government agencies and even law enforcement agencies.
Support research and development of technologies to enhance security; provide the research community with event data to help them create tools and testing models for securing networks. Authentication and Privacy and Civil Liberties Issues
Evaluate -- in consultation with civil liberties advocates -- pilot deployment of intrusion detection and prevention systems for federal networks and state government systems. "These sensors will be vital to gaining situational awareness for federal networks, and the government will benefit from any policy, legal, or technology lessons learned as these deployments move forward," the report states.
The report states cryptically that the government should "leverage the Nation’s long-term investments in the fundamental development of cryptologic and information assurance technologies. . . . These investments, along with other intelligence capabilities, are critical to national strategic warning for attacks through cyberspace." In addition, the federal government should identify gaps in law enforcement capacity or investigative authority needed to defend the nation’s infrastructure. "Any new authorities would need to be consistent with the protection of civil liberties and privacy rights," it states.
The government -- in collaboration with industry and privacy advocates -- should build a digital identity management strategy for the country. "The Federal government must interact with citizens through myriad information, services, and benefit programs," the report says, "and thus has an interest in the protection of the public’s private information as well. Increased use of on-line transactions involving financial, health, and commerce require a basis for building trust between the parties to a transaction." See also:
