WASHINGTON — As they grapple with a growing crop of increasingly sophisticated threats that know no political borders, nations must dramatically improve their framework for coordinating on cybersecurity policy and preventing and responding to attacks, according to a new study sponsored by security software vendor McAfee.
McAfee commissioned the Security and Defense Agenda (SDA), a prominent think tank based in Brussels, to canvas global leaders and cybersecurity experts for the report entitled, “Cybersecurity: The Vexed Question of Global Rules,” released at an event here on Monday.
The authors of the report emphasized the need for sharing information about threats in real time, both among nations around the globe and between the public and private sectors in any given country.
Some 57 percent of the leaders and experts polled said they believe the world is in the midst of a cyber arms race, and 36 percent said that cybersecurity should rank as a higher priority than missile defense programs.
Those findings underscore the new reality that cyber operations, both offensive and defensive, play an increasingly central role in virtually every modern military and intelligence operation, even if the sort of full-on electronic warfare that could knock out a regional electric grid or telecommunications system has yet to transpire.
Under Cyber Assault
“We’re not in cyber wars today but all of the nations that were surveryed feel that they’re under assault from a significant campaign of cyber espionage,” said Stewart Baker, a partner with the law firm of Steptoe and Johnson who served as assistant secretary at the Department of Homeland Security under the George W. Bush administration.
“People recognize it isn’t happening now, but the attackers who are engaged in cyber espionage are so effective that it’s obvious that if they chose to they could turn to having the equivalent of kinetic effects without too much difficulty, and consequently, for most countries, the prospect of cyber war is very real but has not yet eventuated,” Baker said.
The authors of the report evaluated the level of cyber readiness in 23 countries based on a methodology developed by Robert Lentz, the president and CEO of the consultancy Cyber Security Strategies and a former deputy assistant secretary of defense. Lentz’s model is a five-step roadmap that evaluates the relative maturity of the cyber defenses of a government or business, with the ultimate goal of reaching a high level of resilience.
No country the researchers evaluated merited a score of five, though three—Finland, Israel and Sweden—received a four-and-a-half. The United States, along with several European nations, including the United Kingdom, France and Germany, earned a four.
Meanwhile, several nations with surging online populations didn’t fare so well, including Mexico, which received a two, the lowest of any country evaluated, and India and Brazil, both scoring two-and-a-half, and China and Russia, which both scored a three.
Lentz explained that most countries have yet to reach the higher levels of cyber maturity, marked by codified standards and data exchanges and, eventually, an agile defense system with cyber defenses layered into sophisticated sensors and intrusion prevention systems spanning from host to gateway.
“They’re really not looking at this in terms of a long-term consequence or strategy,” Lentz said. “So as a result, they are very, very focused on the near term.”
Legislation on the Horizon
The McAfee-SDA report comes out as members of the Senate are putting the finishing touches on a comprehensive cybersecurity overhaul bill.
“We are working hard toward having something out this week,” said Jeff Greene, counsel for the majority staff of the Senate Homeland Security and Government Affairs Committee. Several draft bills have been circulating around the upper chamber outlining various approaches toward many of the contentious issues in play, particularly the balance of federal oversight of private networks and infrastructure, but as of Sunday, Greene said that Majority Leader Harry Reid’s office had still indicated the intention to schedule time for a floor debate in the current working period.
The Obama administration delivered a set of legislative proposals to Congress last May, asking for additional authorities to safeguard digital infrastructure. Last week, on the heels of the president’s State of the Union address, White House Cybersecurity Coordinator Howard Schmidt reiterated the administration’s support for comprehensive legislation, seeming to reject the more piecemeal approach that lawmakers have taken in the House, where work on cybersecurity issues has been balkanized into a series of more limited bills working their way through the various committees that hold jurisdiction.
“Legislation that fails to provide the legislative authorities our professionals need to work with the private sector to ensure the safe and reliable operation of our critical infrastructure networks would not be commensurate with the very real and urgent risks to our nation,” Schmidt wrote in a post on the White House blog.
A Model for Information Sharing
Greene said that the bill that emerges in the Senate will address the crucial question of information sharing, as do some of the proposals pending in the House.
That keeps with the spirit of the McAfee/SDA report, which favors a model developed in the Netherlands that established a third-party cyber exchange for sharing threat information between the public and private sectors.
But in the private sector, sharing inherently sensitive information about security threats invites a host of concerns about consumer privacy and reputational damage, not to mention the widely held feeling that public-private partnerships too often don’t flow as a two-way street.
“The government only inhales, it never exhales,” said Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council, a Washington think tank. “It will take all the information but it will take any excuse to not share,” added Healey, who served as director of cyber infrastructure protection at the White House from 2003 to 2005.
The information-sharing question, then, requires a good-faith effort, both between public and private sector entities and among nations. The authors of the McAfee-SDA report highlighted the absence of any widely adopted framework for multinational coordination on cyber defenses and intelligence gathering.
The authors recommend against a multinational treaty on cybersecurity in the model of traditional arms control conventions, as some leaders have advocated. They warn that such a measure would be unverifiable and unenforceable, and could not account for common practices in the cyber world, such as the use off-shore proxies to carry out espionage and attacks.
Instead, they call for cyber-confidence measures that would codify a set of norms in the cyber realm and provide for a level of transparency with regard to the use of cyber tactics in military doctrine. Proposals to develop such a framework, which would aim to cultivate a climate of trust and honest engagement in the global community, are under consideration at the United Nations and the Organization for Economic Cooperation and Development, and could appear on the agenda at international conferences on cyber issues scheduled this year in Budapest and next year in South Korea.
“It goes back to trust,” said Phyllis Schneck, McAfee’s vice president and CTO for the global public sector, “because you get what you give in information sharing.”
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.