Obama urged to fast-track cybersecurity policy

U.S. President Barack Obama speaks before signing a Presidential Memorandum outlining the next steps in his vision for cleaner, more efficient vehicles in the Rose Garden of the White House in Washington on May 21, 2010. UPI/Yuri Gripas/Pool
1 of 2 | U.S. President Barack Obama speaks before signing a Presidential Memorandum outlining the next steps in his vision for cleaner, more efficient vehicles in the Rose Garden of the White House in Washington on May 21, 2010. UPI/Yuri Gripas/Pool | License Photo

WASHINGTON, May 24 (UPI) -- The Obama administration is coming under increasing pressure from industry professionals to fast-track cybersecurity policies announced a year ago.

"It's still not a plan but rather a plan to begin planning," wrote Adam Stone in a Federal survey of developments since a Cyberspace Policy Review, announced by the administration in 2009, and a nationwide cybersecurity awareness campaign last fall.


The review document explored the state of the nation's cyber defenses amid a spate of incidents involving organized hacking that affected government departmental Web sites, corporate cyberspace and public service portals.

Damage to the cyberspace was estimated to have cost tens of billions of dollars, though more figures were never revealed because of fears that disclosure would damage reputations of departments and corporate entities.

Cybersecurity officials also cited links between organized hacking, organized crime and "They are in the process of rethinking what it is that we ought to be doing," said Larry Clinton, president of the Internet Security Alliance, an association representing the information security sector. "This is probably a good way to start."


Stone said a few specifics are emerging.

"Private and public sectors will need to work in closer cooperation. Government agencies will need to implement new monitoring and defensive technologies. And federal managers will need to take a more active role in enforcing cybersecurity practices within their organizations," he said.

The Obama plan follows on from the Bush administration's Comprehensive National Cybersecurity Initiative and is believed by experts to have incorporated elements from CNCI.

Among items of interest to the federal workforce, Stone said, a 12-point CNCI summary calls for a continuation of the Trusted Internet Connections initiative, which is meant to reduce the number of connections between government computers and the Internet.

There are plans also to implement deployment of an intrusion detection system of sensors across the government.

Coordination of research and development across government needs to improve and there are plans to develop a pipeline of skilled cybersecurity employees.

Although coordination and cooperation with the private sector to address security matters of common interest is on the cards, Stone saw problems with it.

"There's wide agreement that the expertise of the private sector ought to be aligned with the security needs of government," he said, pointing out that the private sector may not yet respond positively.


"To secure our country from cyberattacks, we must have shared responsibility between the government and the private sector," U.S. Sen. Jay Rockefeller, D-W.Va., told the Business Software Alliance Cybersecurity Forum in April.

However, private sector sources cited by Stone said that industry may not be ready to work with government and vice versa.

Pat Clawson, CEO of security and vulnerability technologies firm Lumension, said, "There has been no effort in terms of ironing out the legalities."

He pointed out that regulatory and legal issues might prevent publicly held companies from sharing sensitive corporate data about activities within their networks -- data that government might need to implement security measures.

However, "There is no bridge in sight that will allow for certain types of cooperation," Clawson said.

"Today, if a company has a cybersecurity problem and wants to notify authorities, the only option is generally to call the FBI," Clawson said in a recent blog posting. "That can result in long delays and in many cases nothing gets done -- and the company ends up with negative publicity if the story gets out that there's been a security breach."

Industry sources said fear of negative publicity was one of the reasons material losses resulting from cyberattacks and hacking remained one of the great unsolved mysteries.


Banks and major corporations involved with financial transactions continue to keep a lid on losses rather than risk loss of customers with public disclosures that show them as victims of cybercrime.

Industry analysts want the government to make a start with implementing basic defensive measures such as more sophisticated scanning and robust firewalls. The technologies for implementing those measures are mature and ready to deploy, they said.

"None of this creates big privacy issues, none of this creates questions about law enforcement and jurisdiction, or questions about offensive tactical military maneuvers," said Robert Richardson, director of San Francisco's Computer Security Institute.

He said the administration's cybersecurity agenda was "just a question of will and budget."

Latest Headlines