The report correctly identifies the cyber-threat. It states that cyber threats span the range from cybercrime (estimated up to $1 trillion annually). It points to potentially devastating cyber attacks against U.S. critical infrastructure, both civilian and military. Cyberspace has become a sanctuary from which criminal hackers, spammers, viruses, botnets, and other cyber threats prey daily and openly on U.S. individuals and organizations. The Nation’s capacity for innovation and commerce, including time to market advantages for commercial products and unique U.S. technologies for national defense, is drained by cyber industrial espionage and theft.
What are the findings from the distinguished presidential Council?
1. The Federal Government rarely follows accepted best practices. It needs to lead by example and accelerate its efforts to make routine cyber attacks more difficult by implementing best practices for its own systems.
2. Many private-sector entities come under some form of Federal regulation for reasons not directly related to national security. In many such cases there is opportunity, fully consistent with the intent of the existing enabling legislation, for promoting and achieving best practices in cyber security.
3. Industry-driven, but third-party-audited, continuous-improvement processes are more likely to create an effective cyber security culture than are Government-mandated, static lists of security measures.
4. To improve the capacity to respond in real time, cyber threat data need to be shared more extensively among private-sector entities and—in appropriate circumstances and with publicly understood interfaces—between private-sector entities and Government.
5. Internet Service Providers are well positioned to contribute to rapid improvements in cyber security through real-time action.
6. Future architectures will need to start with the premise that each part of a system must be designed to operate in a hostile environment. Research is needed to foster systems with dynamic, real-time defenses to complement hardening approaches.
1. No analysis or critique offered for “rarely follows accepted best practices”. Without assessment why close to $100 billion/year for IT is not following best practices leaves the Council without relating the weakness of government IT with immediate remedial actions. The listing of some measures, such as increasing standards, has little value.
2. There is not evidence that enabling legislation for promoting best practices as ever produced results that directly counters cyber threats.
3. Industry-driven, but third party audited, continuous-improvement processes are acknowledged to be superior to government mandated measures. How to implement such support is not explained. The Council completely misses the opportunity of using the transition from 2nd generation to 3rd generation as a direction for following leading industrial innovators.
4. Information about cyber threats needs to be shared among private-sector firms is missing regulatory direction and an outline how this can be accomplished. Commercial interests perform a current effort in this field. This is done without institutional support from variety of government agencies and particularly from the Department of Homeland Security, which is lacking staff and budget.
5. The recommendation to place greater reliance for cyber security on Internet Service Providers (ISPs) is misplaced. ISP’s are commercial competitors with limited scope to be counted as the leaders in cyber defenses.
6. There is a strong academic bias when emphasizing greater funding for research on systems with dynamic, real-time defenses to complement hardening approaches. Actionable cyber defenses are now emerging from software firms, not hardware suppliers and certainly not from universities.
The 2013 report to the President is neither actionable nor immediate. It illustrates a gaping hole in the national executive leadership.