Internet Governance Forum - USA, 2010
Cybersecurity is a multifaceted issue that requires attention to various strategic and operational efforts to make progress. Five overarching areas for focus are 1) development of a national strategy; 2) collaboration between government and industry; 3) cybercrime; 4) incident response; and 5) building a culture of cybersecurity/awareness. This session was scheduled to explore how the U.S. is addressing each of these, where there are opportunities for improvement and obstacles to progress, where the U.S. needs to work with international partners, and how cybersecurity contributes to Internet governance globally. Session moderators were Liesyl Franz, vice president for information security and global public policy at TechAmerica, and Audrey Plonk, global security and Internet policy specialist at Intel Corporation.
VIDEO HIGHLIGHTS: The panelists weigh in on the difficulties faced in raising awareness about security issues and educating the public regarding personal security, 5:57FBI Unit Chief Don Codling tells why Internet governance is important to security professionals, adding that any cybercrime committed anywhere is a global issue, 5:26Greg Nojeim of the Center for Democracy and Technology outlines how people’s false sense of security online makes transparency in governance vital to retaining the public’s trust, 7:20Cheri McGuire, director of cybersecurity at Microsoft, says it is important to build trust in new private-industry relationships with governance organizations, 2:40
Details of the session:
Panelists and moderators discussed cybersecurity at one of the first morning workshops at the 2010 Internet Governance Forum-USA at Georgetown University Law Center. Co-moderator Liesyl Franz introduced the workshop and set the scene by presenting the session's five overarching areas of focus, including national strategy, collaboration between government and industry to foster cybersecurity, combating cybercrime, incident response and building a culture of cybersecurity and awareness.
Developing a national strategy
The United States' national strategy for cybersecurity has constantly evolved over the past 15 years. In the 1990s, the Critical Infrastructure Protection Board was created to address issues tied to cybersecurity. A few years later the United States created the Department of Homeland Security. These organizations worked to create the National Strategy to Secure Cyberspace, which was put into place in 2003.
“We’ve moved even beyond the 2003 strategy towards a more comprehensive strategy that is really trying to encompass all the departments and agencies in the United States federal government and deal with the international aspects,” said co-moderator Audrey Plonk, global security and Internet policy specialist at Intel Corporation. “Having a high level of strategy is very important.”
The Obama administration conducted a "clean-slate" review to assess U.S. policy, strategy and standards regarding security and operations in cyberspace in the summer of 2009. That report, aimed at addressing economic, national security, public safety and privacy interests can be found here: http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
Collaboration between government and industry
The panelists noted that a national strategy is dependent on the collaboration of many people, including industry bodies and government agencies.
Cheri McGuire, director for critical infrastructure and cybersecurity at Microsoft and chair of the Information Technology Sector Coordinating Council, said that the public/private partnership relies on several key principles.
“One principle is trust,” McGuire said. “There is a long history of lack of trust between industry and government. This adds a unique factor to when government invited industry to the table to work collaboratively on cybersecurity issues.”
She noted that many public and private partnerships from the past can be used as a lesson on how to conduct successful partnerships today. “There is no one right model, there is no one right way to do this,” McGuire said. “There are a lot of lessons learned - that the many of us who are involved in the public and private debate have learned - that can be used to create the framework for these partnerships.”
The IT-SCC was established in 2006 to encourage cooperation between tech industry entities in addressing infrastructure protection, response and recovery. To read more, see http://www.it-scc.org/.
“Cybercrime runs the gamut of most of the bad things that humans do to each other,” said Don Codling, unit chief at the Federal Bureau of Investigation. “Think of everything from slavery, to human trafficking, to embezzlement, to fraud. You can even hire a hit man online.”
Codling said the domestic approach of the FBI regarding cybercrime almost instantly turns into a global effort. Due to the nature of the Internet, how records are stored and how financial transactions are performed, almost all major crimes become global instantly.
“We are members of the global community,” Codling said. “The global law enforcement community has coalesced rapidly and said we have similar problems. We need to work together.”
To read more about the FBI's cyber mission, see: http://www.fbi.gov/cyberinvest/cyberhome.htm. For background from the U.S. Justice Department on international aspects of computer crime, see this page: http://www.justice.gov/criminal/cybercrime/intl.html
Incident response seen as vital
Scott Algeier, executive director of the IT Information Sharing and Analysis Center, said it is important for there to be open communication in order for people to share their expertise. He noted that when industry partners share information people are able to analyze the different trends that many different companies are experiencing.
“By sharing information, we give each other a larger capability,” Algeier said. “We are able to say ‘this is a neat trend we are seeing,’ and analyze all of the information that we are receiving.”
Computer emergency readiness teams work to assess attacks and vulnerabilities. The US-CERT site is http://www.justice.gov/criminal/cybercrime/intl.html.
Building a culture of cybersecurity and awareness
Franz said the five overarching elements covered in the session are all dependent on each other.
“I don’t want to focus on five elements and that they each do their own thing,” Franz said. “But instead emphasize that it is important to collaborate between these elements.”
“Cybersecurity means preserving this open, free Internet that we have learned to value so much,” said Greg Nojeim, senior counsel and director at the Project on Freedom, Security and Technology of the Center for Democracy and Technology (http://www.cdt.org/about). “We are only just beginning to realize what it would be like if it was all taken away. Security allows you to use the Internet freely.”
Nojeim said correctly balancing the needs for security and privacy online is important. He added that an increase in transparency could make people really understand the need for security.
“A lot of the cybersecurity efforts necessarily have to take place behind the scenes, but I think that openness is one key to a successful program,” Nojeim said. “It builds trust, it helps companies know what happens to the information that they share.”
All panelists agreed that there will never be a time where there is no cybercrime.
“I don’t think there is a perfect system - what we have to find is what is reasonable security and the proper balance between privacy and freedom of speech and safety and cybersecurity,” said Adam Palmer, Norton lead cybersecurity advisor for Symantec Corporation, a security systems company.