Saturday, May 30, 2009

National Cyberspace Policy Review

President Obama released the nation’s new cyberspace policy review. This is the result of a sixty-day review that calls for a number of measures to improve computer security for both government and private networks. "Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient," Obama said. "We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage."

Obama will create a cyber security coordinator "responsible for orchestrating and integrating all cyber security policies for the government; working closely with the Office of Management and Budget to ensure agency budgets reflect those priorities; and, in the event of major cyber incident or attack, coordinating our response." This is a change from previous administrations. Prior “Cybersecurity Czars” were low on the access list to the President. This position should have "regular access" to the President, will be a member of the National Security Council, and will work with the federal CTO and CIO. In politics, importance and attention are given to those with regular access to the chief executive. This should raise the focus on information security at the highest levels.

From the Executive Summary:

· It is the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and ensure that the United States and the world realize the full potential of the information technology revolution.

· The Federal government has the responsibility to protect and defend the country, and all levels of government have the responsibility to ensure the safety and well-being of citizens. The private sector, however, designs, builds, owns, and operates most of the digital infrastructures that support government and private users alike.

· The United States needs a comprehensive framework to ensure a coordinated response by the Federal, State, local, and tribal governments, the private sector, and international allies to significant incidents. Implementation of this framework will require developing reporting thresholds, adaptable response and recovery plans, and the necessary coordination, information sharing, and incident reporting mechanisms needed for those plans to succeed.

· The government, working with key stakeholders, should design an effective mechanism to achieve a true common operating picture that integrates information from the government and the private sector and serves as the basis for informed and prioritized vulnerability mitigation efforts and incident response decisions.

· The Nation’s approach to cyber security over the past 15 years has failed to keep pace with the threat.

A basic reading of the document is that the government is moving to more of a leadership role, as the term "coordinated response" suggests. In previous discussions, terms such as "information sharing" and "public-private partnership" were used. The general consensus is that the government needs to assist in improving industry's cyber security posture, whether through legislation blocking liability, spending money on improving infrastructure, or forcing security standards on industry through regulation. Simple market economics won’t resolve our security problems, and it appears that Obama is open to using other means as necessary.
