Lessons from America

The US has already implemented its national strategy on cybersecurity. What parts of the US strategy should the UK adopt, and can it learn from the mistakes made by the US? Liz Warren reports

The US government released its national strategy for securing cyberspace in February, one of several strategies concerned with protecting critical infrastructure. In the UK, the Office of the E-envoy is in the early stages of a similar initiative to develop a UK cybersecurity strategy. What can the UK learn from the US?

Where possible, the US is looking to exploit existing structures rather than launch new ones, while improving the way intelligence is shared between disparate bodies. The Department of Homeland Security (DHS), which will assume responsibility for the strategy, is currently being created out of the existing parts of a number of other agencies.

According to Steve Marsh, director of security policy, information assurance and resilience in the Office of the E-envoy, the UK strategy will also look to complement existing activities, including the National Infrastructure Security Co-ordination Centre, the National High-Tech Crime Unit and the Communications-Electronics Security Group.

"The challenges of securing cyberspace in the UK and the US are very similar," he says. "We have similar aspirations and work closely together. We expect the UK national strategy to broadly address the same issues with variations reflecting our differing political, commercial and geographic situations. Our national strategy will, among other things, provide the context for the Home Office e-crime strategy."

The US strategy not only uses existing government operations, but also draws on established groups in the private sector. Data on threats is pooled and warnings are disseminated to members. Members include the Federal Bureau of Investigation and other law enforcement agencies; Infragard, an information-sharing partnership between the FBI and the private sector; and the various industry-led information sharing and analysis centres (Isacs) for particular vertical sectors. The DHS aims to co-ordinate these efforts to create a national cyberspace security response system, incorporating a cyber warning and information network to issue alerts.

There have traditionally been commercial and legal barriers which have discouraged the private sector from participating in such information exchanges, and the US is looking to remove these where possible. For example, internet service providers have been granted immunity from legal action by customers whose details are passed to federal agencies. Data on vulnerabilities and breaches will be exempt from disclosure under the US Freedom of Information Act, allowing companies to report incidents without worrying it will have a negative impact on their share price.

Bill Hancock, chief security officer with Cable & Wireless and chair of a private sector network security forum which advises the US government, suggests these changes will make little difference. "Many of the restrictions were removed last October, but there is no greater effort to share information now because of a long-term lack of trust in the private sector," he says. He points out that the telecoms Isac, of which C&W is a member, has been in existence for more than 20 years but is still struggling to encourage participation. It receives reports from just a fraction of the security breaches that have taken place.

Hancock thinks it will take many years to implement the strategy, confirming the view of Howard Schmidt, vice-chairman of the President's Critical Infrastructure Protection Board, the group that developed the strategy. Schmidt has likened improving cybersecurity to introducing car seatbelts: when first introduced in the mid-1960s, he points out, almost no one used them; today, no child will get into a car without putting on a seatbelt and telling any adult to do the same. Yet that culture of security has taken decades to create.

Phyllis Schneck, chair of the national executive of Infragard, believes one positive aspect of the US strategy is the way it addresses the whole market, covering both public and private sectors and ranging from individuals with home PCs and small businesses through to big corporations and government departments.

She thinks the UK should also copy the way the US government used the process of developing the strategy to create buy-in. "There was good outreach from the government to the private sector and the private sector felt it had plenty of opportunity to contribute, so we feel that this is our strategy," she says.

Marsh claims the team writing the UK strategy is "consulting widely within government and also with a wide range of private sector partners such as suppliers, service providers and information security specialists. The UK government will consider how best to promote this strategy to the public over the next few months".

Schneck thinks the UK should follow the US example by creating a team of people to evangelise the need for proactive security to colleagues in the private sector. She also feels the UK would benefit from developing more groups like Infragard and the Isacs, which can gather information on threats and vulnerabilities and provide warnings and emergency response services.

Marsh acknowledges that "securing cyberspace involves a wide range of technical, commercial, cultural and regulatory issues. The difficulties arise from complex interdependencies and the pace of change. The strategy will need to evolve constantly."

The UK should also seek to avoid the danger currently facing the US strategy: that it will be at least temporarily derailed by a discontinuity between the team that wrote it and the team tasked with its implementation. In March, responsibility for the strategy passed from its authors to the DHS. The DHS is still in the throes of creating the structures, teams and workplans to implement the strategy and Hancock feels implementation will be slowed by this current state of confusion.

Andrew Rathmell, chief executive of the UK-based Information Assurance Advisory Council, a forum for promoting cybersecurity led by the private sector, agrees, "One of the strong points of the US strategy is that it recognises the need for a central point of focus in government and also coherent leadership.

"The transfer of responsibility to the DHS and the changes to key people will take time to settle down. In the UK, parts of the strategy are already in place, such as the High-Tech Crime Unit, but we still need a firm, central lead. The strategy needs to be a priority for Andrew Pinder, the e-envoy, and it needs a strategic ministerial lead."

The US strategy also places a great deal of emphasis on educating ordinary citizens about securing their home PCs. Rathmell suggests that the UK has not yet begun to tackle the issue of citizen education with sufficient seriousness. However, Schneck points out, the effectiveness of the US strategy (and any UK strategy) does not depend on implementing every single part: even if only a few elements are introduced, US cyberspace will be more secure.

"Every company whose systems become more secure is one less company whose systems can be used as the source of an attack," she says. The difficulty will be to persuade organisations to make up-front investments in security which will impact their bottom line, before they have suffered losses as the result of a cybersecurity breach.

Yet a thread throughout the US strategy is that, aside from securing its own systems, the government has only a limited role to play. The strategy suggests that the government should intervene only when costs or legal barriers prevent the private sector from taking the necessary steps, or when the government can provide the incentives needed to prompt the private sector to act.

This represents a considerable change in attitude from the first draft of the strategy issued for consultation last year, which took a more aggressive stance towards introducing regulation of security in the private sector.

Dan Geer, chief technology officer of security consultancy @stake, believes the best way to enforce security in the private sector is by making it a straight commercial decision. "It is my own affair how much I want to protect my own systems by, for example, filtering inbound traffic, but it is irresponsible of me not to filter what is going out if that means my servers can be used to launch an attack on others. The insurance industry may end up 'enforcing' better security, simply through the pricing regimes for liability insurance."
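The distinction Geer draws, between inbound filtering (your own affair) and outbound filtering (your responsibility to everyone else), is easiest to see as a concrete egress ruleset. The following is an added illustration, not code from the article or from @stake, and it simulates the policy in Python rather than expressing it as a real firewall configuration. The prefix 203.0.113.0/24, the mail relay and resolver addresses, and every sample flow are constructed for the example.

```python
"""Egress ("what is going out") filter for a network edge.

Added example: models the outbound checks a site should apply so its hosts
cannot be used to attack others (spoofed-source floods, spam from random
hosts, C2 traffic on odd ports). Not a real firewall; a policy simulation.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumption (constructed): the organisation is allocated this prefix.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption (constructed): the only hosts permitted to originate SMTP / DNS.
MAIL_RELAYS = {ipaddress.ip_address("203.0.113.25")}
RESOLVERS = {ipaddress.ip_address("203.0.113.53")}

# Destinations that must never appear on the outside of the edge.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

# Services any internal host may reach directly; everything else is denied.
GENERAL_ALLOWED = {("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def egress_decision(flow: Flow) -> tuple[str, str]:
    """Return ("allow" | "drop", reason) for a packet leaving the network."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)

    # 1. Anti-spoofing (BCP 38): anything that is not our own address is a
    #    forged packet, typically part of a reflection/amplification attack.
    if not any(src in p for p in OUR_PREFIXES):
        return "drop", "spoofed source address"

    # 2. Traffic to non-routable space should never cross the edge.
    if any(dst in n for n in NON_ROUTABLE):
        return "drop", "non-routable destination"

    # 3. Role-based egress: a compromised workstation that starts sending
    #    mail or doing its own DNS is exactly what outbound filtering catches.
    if flow.proto == "tcp" and flow.dport == 25:
        if src in MAIL_RELAYS:
            return "allow", "mail relay"
        return "drop", "smtp from non-relay host"
    if flow.dport == 53:
        if src in RESOLVERS:
            return "allow", "resolver"
        return "drop", "dns from non-resolver host"

    # 4. Default deny: only general web egress is open to every host.
    if (flow.proto, flow.dport) in GENERAL_ALLOWED:
        return "allow", "general web egress"
    return "drop", "default deny"


# Constructed sample traffic seen at the edge (not real captures).
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "198.51.100.80", "tcp", 443),  # normal HTTPS
    Flow("192.0.2.7", "198.51.100.80", "udp", 53),      # forged source: reflection attempt
    Flow("203.0.113.10", "198.51.100.25", "tcp", 25),   # workstation sending mail: spam bot
    Flow("203.0.113.25", "198.51.100.25", "tcp", 25),   # legitimate relay
    Flow("203.0.113.10", "198.51.100.53", "udp", 53),   # host bypassing resolvers
    Flow("203.0.113.53", "198.51.100.53", "udp", 53),   # resolver doing its job
    Flow("203.0.113.10", "10.0.0.5", "tcp", 443),       # RFC 1918 destination leaking out
    Flow("203.0.113.10", "198.51.100.9", "tcp", 6667),  # IRC-style C2 port
]


def filter_flows(flows: list[Flow]) -> list[tuple[Flow, str, str]]:
    """Apply the policy to each flow; returns (flow, decision, reason)."""
    return [(f, *egress_decision(f)) for f in flows]


if __name__ == "__main__":
    for flow, decision, reason in filter_flows(SAMPLE_FLOWS):
        print(f"{decision:5} {flow.src:>14} -> {flow.dst:>14} {flow.proto}/{flow.dport:<5} {reason}")
```

The order of the checks matters: the anti-spoofing test runs first because a forged source address says nothing about which role the host has, and the default-deny rule sits last so that any new service has to be explicitly added rather than silently permitted.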

He thinks the government can also promote the strategy by using its purchasing power to drive the market. For instance, it may want to steer suppliers into developing off-the-shelf products that include more effective security as standard. It could look at prosecuting companies that release software with bugs that create vulnerabilities.

Geer feels that the strategy is weakened by its removal from the original draft of proposals to develop some form of licensing or registration for security consultants comparable with other professions. "Because the demand for security expertise is outstripping supply, as the proportion of charlatans in the field increases, so the pressure for licensing increases," he says. "The government should have a role in licensing, even if it is simply to select and regulate industry groups to issue licences and police them."

Hancock is disappointed that elements have disappeared from the strategy during the review period. "This strategy was altered by a group of people who do not have as much expertise in live networking as the people who researched the original draft," he says.

In particular, he is concerned about the loss of emphasis on networks controlling other forms of critical infrastructure, such as utilities. There is also no longer any recognition that the protocols on which the internet is based need updating to reflect the change from a small group of participants in the 1970s with a high degree of trust between them, to the current "distrusted" model of millions of anonymous users and servers.

Hancock is reassured that the UK government is paying close attention to developments in the US and making good choices about which parts of the US approach to adopt and which parts to reject.

The US armed forces have been looking at the issue of cyberwarfare for the past 10 years, both defensively and offensively. Last July, the US government issued National Security Presidential Directive 16, which lays down the rules and guidelines for offensive cyberwar. The UK and Nato are working on similar steps to codify policies for cyberwarfare techniques.

"Cyberwarfare is gradually becoming a tool in military actions, but it is still not being used much because most of the targets are not as networked as we are," says Andrew Rathmell, chief executive of the Information Assurance Advisory Council, a UK-based forum for promoting cybersecurity led by the private sector.

There are also concerns that the cyberweapons currently available would be too indiscriminate, affecting not only military targets but also civilian life. They might result in damage to the senders' systems and would encourage retaliation that would have a greater impact on the heavily networked US and Nato forces than on their enemies. Because of these uncertainties, the Pentagon has specified that cyberattacks require "top level approval".

Using IT to identify threats
The US government not only aims to secure cyberspace, but to use IT to prevent attacks on other forms of critical infrastructure. At least two projects - the Pentagon's Total Information Awareness programme and the Transportation Security Administration's Capps II system for the airline industry - are currently under way. These rely on datamining techniques originally used in the financial sector to spot credit card fraud and provide credit ratings.

TIA will look for patterns of suspicious behaviour in data as varied as CCTV feeds, credit card data, airline reservations and phone records.

Capps II will use data on past addresses and financial history, with an emphasis on how well an individual is "rooted in the community", to construct risk scores that will determine whether someone can board a flight. Capps II may eventually be used to screen all transport workers, such as lorry and train drivers, whose work involves the public trust.

Concerns about privacy and the potential for abuse have led to the US Congress demanding greater oversight and threatening that both programmes will be suspended if they are abused.

Unless Congress receives detailed reports on how TIA is working, and reassurance that it is not being used against US citizens for domestic law enforcement, the programme will be suspended. However, the president might decide that halting it would endanger national security. In practice, this means both programmes are likely to continue.

Dan Geer, chief technology officer of security consultancy @stake, points out these programmes are still generating hypotheses about what patterns are significant, which means that they need to gather data to test out their ideas. The political question is not whether such data should be collected, because the cost of collecting and storing it is low, but what you do with it.

The US strategy at a glance   
The US national strategy to secure cyberspace was developed by the President's Critical Infrastructure Protection Board. Implementation of the strategy now falls within the remit of the Department of Homeland Security, which assumed responsibility for protecting US infrastructure from 1 March.

The strategy recognises that much of cyberspace is controlled by the private sector and that governments alone cannot secure it. However, the strategy requires the government to play a lead role in raising awareness through providing education and encouraging research and development into security products.

Three strategic objectives 

  • Prevent attacks from being made 
  • Reduce vulnerability to attempted attacks 
  • Minimise the damage and downtime resulting from any attacks.

These objectives translate into five priorities 

  • Develop a public-private system to share and analyse information on attacks and vulnerabilities; to issue alerts about potential threats; and to co-ordinate the development of contingency plans. This system is likely to draw heavily on existing security initiatives such as the Isacs which have been established by private companies in a number of vertical sectors 
  • Develop a threat and vulnerability reduction programme by giving law enforcement agencies the tools to prevent attacks and to prosecute, and by encouraging organisations to improve their own security 
  • Reduce vulnerabilities caused by end-user ignorance by educating everyone from individuals using the internet at home to the largest corporations. The National Science Foundation and the National Institute of Standards and Technology will share $900m (£570m) over five years to develop university courses and to create a series of R&D centres involving universities and private sector suppliers 
  • Secure the government's own systems and use public sector purchasing power to drive the market to develop more secure products 
  • Achieve greater international co-operation to reduce the threat from attacks launched from systems outside the US, and the vulnerabilities those systems expose.