
Cyber Commission Encore Presents Challenges

The Commission on Cybersecurity for the 44th Presidency made a big splash in December 2008 when it released its recommendations to the new chief executive on improving the federal government's approach to information security. Indeed, the suggestions from its members, who include former senior government and military IT security practitioners, lawmakers and leading thought leaders, served as the basis for President Obama's Cyberspace Policy Review and key cybersecurity bills before Congress.

The commission never disbanded, but the success of its initial report may prove to be a hard act to follow. Commission Co-Chairman Harry Raduege said in an interview with GovInfoSecurity.com (transcript below) that the panel will only submit a report if its recommendations meet three criteria: they're new, implementable and bold.

"We could just make the recommendations that have either been stated in the past or are not very bold in nature, and I don't think that would serve what we are trying to do with our commission at all," said Raduege, a retired Air Force general who once headed the Defense Information Systems Agency. "What we are trying to do is come up with bold new ideas that the administration and others can take onboard and consider for moving ahead organizational alignment."

The commission, though, last month published a white paper that recommended ways to improve the federal cybersecurity workforce, one of three major areas the panel is exploring. The other two are what Raduege characterizes as dynamic defense, more popularly known as attribution, and international engagement.

"We have had very lively dialogue ongoing with these subjects and not all of our members have completely agreed on the next steps forward but we are certainly making progress on our discussions and perhaps what might be recommendations that will come out in the future," said Raduege, who chairs the Deloitte Center for Cyber Innovation.

ERIC CHABROW: How has the government's cybersecurity changed since the Commission on Cybersecurity for the 44th Presidency issued its initial report almost two years ago?

HARRY RADUEGE: There has been tremendous change within the government since our first report was issued. When I think about it, Melissa Hathaway (the White House official who led President Obama's cyberspace review) gives our commission's report great credit as a foundational document for kicking off the 60-day assessment that the president asked for, and of course that assessment began less than 30 days with the administration in office.

Also, the Cyberspace Policy Review that was issued as a result of the 60-day assessment was issued in May 2009. Additionally, we had a cybersecurity coordinator appointed for the first time in our nation's history in December. Also, the U.S. Cyber Command just stood up two months ago. The government has changed significantly since our first report.

CHABROW: Are we any more secure?

RADUEGE: We are moving toward being more secure because we have got a lot of key people in key positions and I think there is a great roadmap and framework for actions to be accomplished. We have many, many activities, both in government and industry that are working toward the success of those initiatives that we have tried to put in place.

CHABROW: We are recording this conversation the second full week in July and I believe the Commission met again this past week or so, is that correct?

RADUEGE: That's correct.

CHABROW: What's on the agenda for the commission now and what can we expect in the coming months and years, especially the topics that are being explored?

RADUEGE: Some of those areas include the cybersecurity workforce, which many, many people were talking to us about, dynamic defense of our networks, and also international engagement. We have had very lively dialogue ongoing with these subjects and not all of our members have completely agreed on the next steps forward, but we are certainly making progress on our discussions and perhaps what might be recommendations that will come out in the future.

One ground rule, however, that we had with our commission and entering into a second report possibility was that we wanted to make sure that we had new and bold recommendations, just like we had in report No. 1. We also wanted to make sure that we weren't asking for something that wasn't implementable. So any ideas that we had needed to be bold and new and also implementable. We also wanted to ensure that anything that we recommended would have an impact on security in the near term.

CHABROW: Let's just delve briefly into some of these issues. We don't have to go into a lot of detail, but you mentioned about the workforce; how would you characterize the cybersecurity workforce and what are the big challenges there?

RADUEGE: We see the need for a trained cybersecurity workforce and I think we are starting to see a number of actions now that are happening across the nation and within the various departments. People are asking for more cyber trained professionals and we are also seeing educational institutions, universities standing up to this call for cyber trained people.

Our government is really asking for this and also industry is asking for it. A cyber-trained workforce is the foundational element for the way we are going to move ahead in this dynamic area.

CHABROW: Is the idea that you will come up with concrete examples of what the government should do, or sort of suggestions of a path they should follow to address this issue?

RADUEGE: The areas that we have been discussing, we will get into each one of those areas. We would have sort of what is going on now, what is available, because in a lot of cases people are not even aware of the different opportunities that exist out there or the different organizations or activities that they can become involved with or aligned with.

Also, we are planning to make recommendations in this area that the administration or other activities can pick up on and move out with based on our experience and in our study during this last year.

CHABROW: You also talk about dynamic defense. What do you mean by that?

RADUEGE: That is really the situational awareness that Gen. Keith Alexander (head of the National Security Agency and the U.S. Cyber Command) as a matter of fact called for; increased capability with leading the United States Cyber Command. We really have to be very agile with all of the attacks that are coming at us these days. They are very, very complex, they are very dynamic, and our networks are exceptionally busy, not only with passing all of the good traffic that we intend to get from Point A to Point B, but also in trying to defend our networks to ensure that they can operate properly.

CHABROW: Now if I understand, with the idea of situational awareness, it is basically knowing who is in the system, correct? If they are trying to attack?

RADUEGE: Absolutely.

CHABROW: And that still presents I guess quite a challenge, the technology is not quite there; is that correct?

RADUEGE: We have the technology to geo-locate if you will, where the computer is that is being used. We quite often find that in one nation or another, but the problem is who is actually on that computer; who is using it, and more importantly, what is their intent of any adverse activity that they are pushing against us in our networks.

CHABROW: The third area that you mentioned was international engagement. In what respect is the commission looking into this?

RADUEGE: There is opportunity in the international world to work with other nations. We are finding that so many other nations are in the same situation that we are and they are looking for new ideas on how to control and be in charge of cyberspace and to have proper cybersecurity techniques. There is a lot of sharing of information among international players, and there also may even be an opportunity in the future for exploring treaties on things not to attack, just as we have had treaties in that area of national defense in the past. Everything is on the table in this area and I think it is a rich environment for being able to talk with the international community.

CHABROW: When you talk about something about a treaty of something what not to attack, such as not attacking each nation's electrical grid, that kind of thing?

RADUEGE: Sure. We could have a treaty that would protect critical infrastructures. We have decided on those types of critical infrastructures and each nation of the world has the same type of those critical elements that they depend on for their nation's security.

CHABROW: That's helpful when you are dealing with other nation states, but I guess that still presents a problem when you are dealing with terrorist organizations?

RADUEGE: Terrorist organizations are probably a different category and I don't think we will ever be entering into any type of agreement or treaty with them. They are a different breed and we handle them differently with other issues and matters with our government.

CHABROW: You mentioned these three areas, so what is the process now with the commission's work and when do we expect to see some kind of recommendations?

RADUEGE: We decided on the fact that there were some key areas, mentioned three of them for example, that we have been addressing together this last year. Every member of our commission comes with a very strong background. They are very strong individuals, but they come with different points of view. The issues are widely debated, both on our commission as they are elsewhere in our population today. We have decided that our report would be issued only if we have these new bold recommendations like we carried forward in Report 1, that the recommendations we are making are implementable and the fact that they need to also have an immediate impact on the security of our nation.

CHABROW: I don't want to read anything into what you are saying but I just want to clarify a point. You said people come with different views, which is of course not uncommon, we see this in Congress as they debate this, although there seems to be sort of a general acceptance of what should be done, it's maybe the specifics. Are we dealing with that kind of a situation or is there something that could really threaten some kind of agreement from occurring with your commission?

RADUEGE: The deeper you go into some of these, and the fact that if you are going to have some sort of a bold movement forward, that gets out of some individuals' comfort zone. We could just make the recommendations that have either been stated in the past or are not very bold in nature and I don't think that would serve what we are trying to do with our commission at all. What we are trying to do is come up with bold new ideas that the administration and others can take onboard and consider for moving ahead organizational alignment.



