The US has already implemented its national strategy on
cybersecurity. What parts of the US strategy should the UK adopt,
and can it learn from the mistakes made by the US? Liz Warren
reports
The US government released its national strategy for securing
cyberspace in February, one of several strategies concerned with
protecting critical infrastructure. In the UK, the Office of the
E-envoy is in the early stages of a similar initiative to develop a
UK cybersecurity strategy. What can the UK learn from the US?
Where possible, the US is looking to exploit existing structures
rather than launch new ones, while improving the way intelligence
is shared between disparate bodies. The Department of Homeland
Security (DHS), which will assume responsibility for the strategy,
is currently being created out of the existing parts of a number of
other agencies.
According to Steve Marsh, director of security policy, information
assurance and resilience in the Office of the E-envoy, the UK
strategy will also look to complement existing activities,
including the National Infrastructure Security Co-ordination
Centre, the National High-Tech Crime Unit and the Communications
Electronic Security Group.
"The challenges of securing cyberspace in the UK and the US are
very similar," he says. "We have similar aspirations and work
closely together. We expect the UK national strategy to broadly
address the same issues with variations reflecting our differing
political, commercial and geographic situations. Our national
strategy will, among other things, provide the context for the Home
Office e-crime strategy."
The US strategy not only uses existing government operations, but
also draws on established groups in the private sector. Data on
threats is then pooled and warnings are disseminated to members.
Members include the Federal Bureau of Investigation and other law
enforcement agencies; Infragard, an information-sharing partnership
with the private sector; and the various industry-led
information sharing and analysis centres (Isacs) for particular
vertical sectors. The DHS aims to co-ordinate these efforts to
create a national cyberspace security response system,
incorporating a cyber warning and information network to issue
alerts.
There have traditionally been commercial and legal barriers which
have discouraged the private sector from participating in such
information exchanges, and the US is looking to remove these where
possible. For example, internet service providers have been granted
immunity from legal action by customers whose details are passed to
federal agencies. Data on vulnerabilities and breaches will be
exempt from disclosure under the US Freedom of Information Act,
allowing companies to report incidents without worrying it will
have a negative impact on their share price.
Bill Hancock, chief security officer with Cable & Wireless and
chair of a private sector network security forum which advises the
US government, suggests these changes will make little difference.
"Many of the restrictions were removed last October, but there is
no greater effort to share information now because of a long-term
lack of trust in the private sector," he says. He points out that
the telecoms Isac, of which C&W is a member, has been in
existence for more than 20 years but is still struggling to
encourage participation. It receives reports from just a fraction
of the security breaches that have taken place.
Hancock thinks it will take many years to implement the strategy,
confirming the view of Howard Schmidt, vice-chairman of the
President's Critical Infrastructure Protection Board, the group
that developed the strategy. Schmidt has likened improving
cybersecurity to introducing car seatbelts: when first introduced
in the mid-1960s, he points out, almost no one used them; today, no
child will get into a car without putting on a seatbelt and telling
any adult to do the same. Yet that culture of security has taken
decades to create.
Phyllis Schneck, chair of the national executive of Infragard,
believes one positive aspect of the US strategy is the way it
addresses the whole market, covering both public and private
sectors and ranging from individuals with home PCs and small
businesses through to big corporations and government
departments.
She thinks the UK should also copy the way the US government used
the process of developing the strategy to create buy-in. "There was
good outreach from the government to the private sector and the
private sector felt it had plenty of opportunity to contribute, so
we feel that this is our strategy," she says.
Marsh claims the team writing the UK strategy is "consulting widely
within government and also with a wide range of private sector
partners such as suppliers, service providers and information
security specialists. The UK government will consider how best to
promote this strategy to the public over the next few
months".
Schneck thinks the UK should follow the US example by creating a
team of people to evangelise the need for proactive security to
colleagues in the private sector. She also feels the UK would
benefit from developing more groups like Infragard and the Isacs,
which can gather information on threats and vulnerabilities and
provide warnings and emergency response services.
Marsh acknowledges that "securing cyberspace involves a wide range
of technical, commercial, cultural and regulatory issues. The
difficulties arise from complex interdependencies and the pace of
change. The strategy will need to evolve constantly."
The UK should also seek to avoid the danger currently facing the US
strategy: that it will be at least temporarily derailed by a
discontinuity between the team that wrote it and the team tasked
with its implementation. In March, responsibility for the strategy
passed from its authors to the DHS. The DHS is still in the throes
of creating the structures, teams and workplans to implement the
strategy and Hancock feels implementation will be slowed by this
current state of confusion.
Andrew Rathmell, chief executive of the UK-based Information
Assurance Advisory Council, a forum for promoting cybersecurity led
by the private sector, agrees: "One of the strong points of the US
strategy is that it recognises the need for a central point of
focus in government and also coherent leadership.
"The transfer of responsibility to the DHS and the changes to key
people will take time to settle down. In the UK, parts of the
strategy are already in place, such as the High-Tech Crime Unit,
but we still need a firm, central lead. The strategy needs to be a
priority for Andrew Pinder, the e-envoy, and it needs a strategic
ministerial lead."
The US strategy also places a great deal of emphasis on educating
ordinary citizens about securing their home PCs. Rathmell suggests
that the UK has not yet begun to tackle the issue of citizen
education with sufficient seriousness. However, Schneck points out,
the effectiveness of the US strategy (and any UK strategy) does not
depend on implementing every single part: even if only a few
elements are introduced, US cyberspace will be more secure.
"Every company whose systems become more secure is one less company
whose systems can be used as the source of an attack," she says.
The difficulty will be to persuade organisations to make up-front
investments in security which will impact their bottom line, before
they have suffered losses as the result of a cybersecurity
breach.
Yet a thread throughout the US strategy is that, aside from
securing its own systems, the government has only a limited role to
play. The strategy suggests that the government should only
intervene when there are costs or legal barriers to the private
sector taking the necessary steps, or only if the government can
provide the incentives needed to prompt the private sector to take
action.
This represents a considerable change in attitude from the first
draft of the strategy issued for consultation last year, which took
a more aggressive stance towards introducing regulation of security
in the private sector.
Dan Geer, chief technology officer of security consultancy @stake,
believes the best way to enforce security in the private sector is
by making it a straight commercial decision. "It is my own affair
how much I want to protect my own systems by, for example,
filtering inbound traffic, but it is irresponsible of me not to
filter what is going out if that means my servers can be used to
launch an attack on others. The insurance industry may end up
'enforcing' better security, simply through the pricing regimes for
liability insurance."
He thinks the government can also promote the strategy by using its
purchasing power to drive the market. For instance, it may want to
steer suppliers into developing off-the-shelf products that include
more effective security as standard. It could look at prosecuting
companies that release software with bugs that create
vulnerabilities.
Geer feels that the strategy is weakened by its removal from the
original draft of proposals to develop some form of licensing or
registration for security consultants comparable with other
professions. "Because the demand for security expertise is
outstripping supply, as the proportion of charlatans in the field
increases, so the pressure for licensing increases," he says. "The
government should have a role in licensing, even if it is simply to
select and regulate industry groups to issue licences and police
them."
Hancock is disappointed that elements have disappeared from the
strategy during the review period. "This strategy was altered by a
group of people who do not have as much expertise in live
networking as the people who researched the original draft," he
says.
In particular, he is concerned about the loss of emphasis on
networks controlling other forms of critical infrastructure, such
as utilities. There is also no longer any recognition that the
protocols on which the internet is based need updating to reflect
the change from a small group of participants in the 1970s with a
high degree of trust between them, to the current "distrusted"
model of millions of anonymous users and servers.
Hancock is reassured that the UK government is paying close
attention to developments in the US and making good choices about
which parts of the US approach to adopt and which parts to
reject.
Cyberwarfare
The US armed forces have been looking at the issue of cyberwarfare
for the past 10 years, both defensively and offensively. Last July,
the US government issued National Security Presidential Directive
16, which lays down the rules and guidelines for offensive
cyberwar. The UK and Nato are working on similar steps to codify
policies for cyberwarfare techniques.
"Cyberwarfare is gradually becoming a tool in military actions, but
it is still not being used much because most of the targets are not
as networked as we are," says Andrew Rathmell, chief executive of
the Information Assurance Advisory Council, a UK-based forum for
promoting cybersecurity led by the private sector.
There are also concerns that the cyberweapons currently available
would be too indiscriminate, affecting not only military targets
but also civilian life. They might result in damage to the senders'
systems and would encourage retaliation that would have a greater
impact on the heavily networked US and Nato forces than on their
enemies. Because of these uncertainties, the Pentagon has specified
that cyberattacks require "top level approval".
Using IT to identify threats
The US government not only aims to secure cyberspace, but to use IT
to prevent attacks on other forms of critical infrastructure. At
least two projects - the Pentagon's Total Information Awareness
programme and the Transportation Security Administration's Capps II
system for the airline industry - are currently under way. These
rely on data-mining techniques originally used in the financial
sector to spot credit card fraud and provide credit ratings.
TIA will look for patterns of suspicious behaviour in data as
varied as CCTV feeds, credit card data, airline reservations and
phone records.
Capps II will use data on past addresses and financial history,
with an emphasis on how well an individual is "rooted in the
community", to construct risk scores that will determine whether
someone can board a flight. Capps II may eventually be used to
screen all transport workers, such as lorry and train drivers,
whose work involves the public trust.
Concerns about privacy and the potential for abuse have led to
the US Congress demanding greater oversight and threatening that
both programmes will be suspended if they are abused.
Unless Congress receives detailed reports on how TIA is working
and reassurance that it is not being used against US citizens for
domestic law enforcement, it will be suspended. However, the
president might decide that to halt the programme would endanger
national security. In practice, this means both programmes are
likely to continue.
Dan Geer, chief technology officer of security consultancy
@stake, points out these programmes are still generating hypotheses
about what patterns are significant, which means that they need to
gather data to test out their ideas. The political question is not
whether such data should be collected, because the cost of
collecting and storing it is low, but what you do with it.
The US strategy at a glance
The US national strategy to secure cyberspace was developed by the
President's Critical Infrastructure Protection Board.
Implementation of the strategy now falls within the remit of the
Department of Homeland Security, which assumed responsibility for
protecting US infrastructure from 1 March.
The strategy recognises that much of cyberspace is controlled by
the private sector and that governments alone cannot secure it.
However, the strategy requires the government to play a lead role
in raising awareness through providing education and encouraging
research and development into security products.
Three strategic objectives
- Prevent attacks from being made
- Reduce vulnerability to attempted attacks
- Minimise the damage and downtime resulting from any
attacks.
These objectives translate into five priorities:
- Develop a public-private system to share and analyse
information on attacks and vulnerabilities; to issue alerts about
potential threats; and to co-ordinate the development of
contingency plans. This system is likely to draw heavily on
existing security initiatives such as the Isacs which have been
established by private companies in a number of vertical
sectors
- Develop a threat and vulnerability reduction programme by
giving law enforcement agencies the tools to prevent attacks and to
prosecute, and by encouraging organisations to improve their own
security
- Reduce vulnerabilities caused by end-user ignorance by
educating everyone from individuals using the internet at home to
the largest corporations. The National Science Foundation and the
National Institute of Science and Technology will share $900m
(£570m) over five years to develop university courses to create a
series of R&D centres involving universities and private sector
suppliers
- Secure the government's own systems and use public sector
purchasing power to drive the market to develop more secure
products
- Achieve greater international co-operation to reduce threats
and vulnerabilities launched from systems outside the US.