By Rep. Bart Gordon (D-Tenn.) - 07/14/09 03:39 PM EDT
Cybersecurity has long been a priority for the federal government: Congress has passed 12 major pieces of legislation that address the issue since 1987; both the Clinton and Bush administrations instituted major cybersecurity initiatives; and the federal government is spending nearly $7 billion annually on various aspects of securing cyberspace, including research and development.
Cyber crimes have cost Americans more than $8 billion over the last two years. In 2007, due to a cyber attack on an American retailer, the personal information of 45 million credit and debit card holders was compromised.
And the threats are continuing. Cyber attacks have steadily increased over the past decade. The Pentagon reported more than 360 million attempts to break into its network last year. Earlier this month a high-profile, coordinated attack attempted — with limited success — to disrupt over two dozen government, financial and news websites in the U.S. and South Korea, including the White House.
If we’re serious about improving cybersecurity — and we should be — we need to work smarter, not just harder. We need to make an objective assessment of what has worked, and what has not worked and why.
I applaud the Obama administration’s recent release of its Cyberspace Policy Review, which includes recommendations for improving federal government efforts. The recommendations fall into four categories:
• Improve interagency coordination. The National Institute of Standards and Technology is responsible for the security standards of all unclassified federal IT systems, as directed by the Computer Security Act of 1987. It does this by issuing Federal Information Processing Standards and guidelines that are used by federal agencies and industry. The best known is the Digital Encryption Standard, the “gold standard” for both the federal government and the private sector.
The National Science Foundation supports basic research in the field of cybersecurity. The Department of Homeland Security supports cybersecurity research, monitors the unclassified federal IT systems for cyber attacks, and coordinates federal responses when attacks occur. Additionally, numerous agencies are involved in sector-specific activities; for example, the Department of Energy is concerned with the security of remotely controlled and monitored electric utility facilities, while the Federal Aviation Administration works to ensure the security of our air traffic IT infrastructure.
There is also a dichotomy in which the security of classified federal IT systems falls to the Department of Defense and the National Security Agency. These agencies and others in the intelligence and military communities conduct cybersecurity R&D to improve the security of their systems. The sharing of cybersecurity technologies and best practices between classified and unclassified IT systems is also of concern.
We need to make certain that the various efforts of the federal government are working effectively and collectively toward the common goal of improving cybersecurity.
• Improve public-private partnerships. One of the major challenges with ensuring cybersecurity is that 85 percent of the nation’s critical infrastructure is owned and operated by private entities. The federal government needs to develop a process to work with the private sector to help prevent, detect and respond to cyber incidents.
• Modernize the research agenda. Protecting the security of IT systems is much harder than attacking them. We are constantly installing new patches and updates to prevent the newest computer virus from crashing our computers, but this reactive mode to cybersecurity is a losing battle. The federal government needs to invest in innovative research that will result in more fundamentally secure technologies.
• Improve cybersecurity education. In addition to ensuring we have trained IT professionals who will monitor our cyberspace and develop the hardware and software necessary to maintain our security, we need to improve the general public’s awareness of the risks and consequences of poor security practices.
While many of the recommendations in the Policy Review were not new, they offered a frank appraisal of current federal activities and a roadmap for needed actions. I think there are a few factors coming together right now that will allow us to finally get ahead in cybersecurity.
First, the president has indicated that this is a priority. At the press conference I attended with top-ranking officials from the broad range of government agencies working on cybersecurity, the president announced his intention to nominate a cybersecurity coordinator.
Second, there is a shifting in focus from outputs to outcomes. This small but important change will help make sure we’re not just doing something — as we have been for years — but that our actions are having the desired effect.
Lastly, we are realizing that a secure cyberspace is not only a federal issue, it is also an issue for the private sector, the public sector and each individual. The only way we can develop a secure cyberspace is if we understand the needs of each of those communities. It is Congress’s responsibility to take a hard look at all federal cybersecurity activities and only then take action. The House Committee on Science and Technology has held three hearings on the issue, and we will continue our work, though we realize that the federal government cannot fix this with regulation and legislation alone, but through a collective effort by the federal government, the private sector, our scientists and engineers, and every American.
Gordon is chairman of the House Committee on Science and Technology.