US Cyberspace Policy Review

I’ve finally got round to reading the US Cyberspace Policy Review. Authored by Melissa Hathaway, Cybersecurity Chief at the National Security Council, this document was published at the end of May, and provides near-term and mid-term action plans for the White House to protect US interests in Cyberspace.

It’s not a bad document at all, and it’ll be interesting to compare with Digital Britain when that appears later today. Hathaway was writing for the most senior of policymakers, with just a 60-day timeframe to do so, and as such her document remains very much a high-level policy statement that isn’t really news for a security professional: the government has to take responsibility for cybersecurity from the highest executive levels; policies, plans and performance metrics are essential; collaboration with industry and foreign countries will underpin the framework; citizen awareness will change behaviours. All the sort of security recommendations we’re accustomed to hearing even at a corporate level.

What particularly interested me was the assertion that cyberspace must “support US goals of economic growth, civil liberties and privacy protections, national security…”. The US has prioritised privacy above national security, which is very different from our approach here in the UK where national security ‘trumps’ any liberties consideration.

There is, for me, one key problem with Hathaway’s report. The requirement for an identity management vision and strategy is mentioned towards the end of the body text, and appears as the last of the ten near-term recommendations. That’s great to see, but it fails to prioritise the importance of the IdM approach:

  • IdM failures are at the heart of a great many incidents and frauds, and a decent, trustworthy IdM approach would reduce the number of incidents we have to deal with;
  • IdM is essential if ‘rescuers’ are to be able to assist individuals, corporates or nation states in recovering from incidents – after all, how will they know who they can trust online if systems have become fatally overrun by attackers? The US has thrown a lot of effort into its PIV initiative, and that needs to be replicated internationally in cyberspace;
  • IdM will be essential to deliver the inter-agency, public-private, and international collaboration recommended by Hathaway.

That said, it’s an interesting report and I doubt I could better it, so let’s hope that Lord Carter’s document is up to the same standard.