The federal government has made slow progress on securing critical U.S. infrastructure two years after a Center for Strategic and International Studies (CSIS) report helped it identify cybersecurity as a major area of concern, according to the center's progress report.
In 2008, CSIS published "Securing Cyberspace for the 44th Presidency," identifying the cybersecurity of critical U.S. infrastructure as something the new president should focus on at a time when policies and efforts concerning the topic were not a key focus.
The "Cybersecurity Two Years Later" report, which assesses what's been done since 2008, paints a grim picture for the federal government, which -- even in a year that saw major cybersecurity problems -- has been slow to respond to the challenges, according to the report. "2010 should have been the year of cybersecurity," according to the report, which cites major security breaches of Google and other Fortune 500 companies as well as the appearance of the Stuxnet super-virus and the Wikileaks scandal as reasons the government should have been paying closer attention.
The report notes the federal government's historically slow pace to act to meet security challenges in other industries -- such as aviation and transportation -- and suggests the government is dragging its feet in a similar way on cybersecurity. "We thought then that securing cyberspace had become a critical challenge for national security, which our nation was not prepared to meet," according to the report. "In our view, we are still not prepared."
The center's advice for the federal government is not to let history repeat itself, and the report identifies 10 key areas on which the U.S. must take cybersecurity action -- crucial points cybersecurity experts at the center believe have not been addressed since the 2008 report.
The CSIS recommends that United States develop the following to improve its cybersecurity position and prevent critical infrastructure from remaining vulnerable to attack:
-- Coherent organization and leadership for federal efforts for cybersecurity and recognition of cybersecurity as a national priority;
-- Clear authority to mandate better cybersecurity in critical infrastructure and new ways to work with the private sector;
-- A foreign policy that uses all tools of U.S. power to create norms, new approaches to governance, and consequences for malicious actions in cyberspace that also lays out a vision for the future of the global Internet;
-- An expanded ability to use intelligence and military capabilities for defense against advanced foreign threats;
-- Strengthened oversight for privacy and civil liberties, with clear rules and processes adapted to digital technologies;
-- Improved authentication of identity for critical infrastructure;
-- An expanded workforce with adequate cybersecurity skills;
-- A new federal acquisition policy to drive the market toward more secure products and services;
-- A revised policy and legal framework to guide government cybersecurity actions; and
-- Research and development (R&D) focused on the hard problems of cybersecurity and a process to identify these problems and allocate funding in a coordinated manner.
To be fair, the federal government already is working on a number of these efforts to improve how it protects critical U.S. infrastructure. For instance, the Obama administration has indeed identified cybersecurity as a major priority, and a host of agencies -- including the Department of Defense (DoD), the Department of Homeland Security (DHS), and the National Security Agency (NSA) -- are working both separately and pooling their resources to attack the problem.
While it's true there has been criticism over how agencies are cooperating on the matter, the government is taking steps to improve this situation. In October the federal government created a cybersecurity pact among the DHS, the DoD, and the NSA to create a formal structure to coordinate joint-agency efforts on protecting critical infrastructure.
The Obama administration also is working to improve identity-management across all federal agencies. The DHS recently expedited a move to a new biometric and smartcard identity-management system government-wide to better vet who can access federal facilities and networks.