These days, it’s hard to turn on the news or open a newspaper without seeing something about cybersecurity. President Obama calls for an immediate evaluation of U.S. cybersecurity initiatives. Rod Beckstrom, cybersecurity chief at the Department of Homeland Security (DHS), resigns amid turf battles with the National Security Administration (NSA). The Chinese government is accused of orchestrating cyber attacks on U.S. military networks. Congress is contemplating new legislation to expand government authority to manage Internet operations and other national cyber infrastructure. These headlines, coupled with criticism from all directions, have our leaders looking for the answer to the $64,000 question: is it truly possible for the government to a.) Share information freely enough to ensure national security, b.) Continuously defeat cyber attackers, and c.) Respect citizen privacy? All at the same time?
A Call for Action
Before we throw our hands up in frustration, we ought to remember that cybersecurity needs to strike a balance between protecting citizens and enabling the collective business of government and industry – day in and day out. What we need is a solution to ease the natural – and very strong – tension between protecting sensitive data from the wrong hands and completely imprisoning mission-critical information for fear that it will be used inappropriately. The solution must also protect the network infrastructure supporting the data, while facilitating the sharing of the very information it protects.
Federal agencies have been working to develop this solution for quite some time, and at its core is the practice of information assurance. Information assurance combines aspects of physical and cyber security protections, allowing for safe information sharing and collaboration across agencies. While restricting unauthorized information access, information assurance simultaneously enables protected access to the network that supports the flow of information.
To Share or Not to Share
Given the grave threats to our critical infrastructure, it is tempting to lock down buildings, networks and data, limiting access in efforts to mitigate risks. However, agencies must realize that information sharing is as important to our government’s security posture as both information and physical security. Intelligence must be shared to realize its value. From Social Security numbers and tax information to law enforcement data and classified national security intelligence, agencies must carefully determine which parties can access the information, and how. Through the enforcement of policies and procedures and the deployment of technology solutions – from CAC cards to secure ID tokens to iris scans and other tools – agencies have access to the power, the technology and the know-how to allow authorized individuals in and keep others out.
Periodically, public concern arises that agencies like the NSA have too much access to information. But there have been laws on the books with substantial penalties for the wrongful use of sensitive information long before we started saying, “cybersecurity.” When I worked with the U.S. Customs Service (later Customs and Border Protection), we frequently coordinated with Federal, state, tribal, and local public safety officials as well as numerous commercial trade organizations. Many times we were given access to very specific information that we could only use for an authorized purpose. After obtaining the information, I was civilly and criminally liable for protecting and appropriately using that information. So I made sure we used it only for its authorized intention. Information assurance policies function similarly – users are granted access to specific information for a specific mission. Once the mission is complete, access is restricted once again.
Protecting the Network from Cyber Attack
Network security is critical to information assurance. It isn’t just about keeping rogue agents out; effective network security also enables information sharing across, within, and among Federal agencies and important mission partners. Technology tools – and skilled professionals – are needed to defeat attackers who are intent on intruding to steal information or to disable the network itself. Systems analysts and software can monitor networks 24/7 for unusual patterns. In the case of a security breach, devices containing secure information can be completely locked down or, in some cases, can open a trail leading directly to the cyber attacker.
It is possible for government agencies to realize cybersecurity as it was meant to be: a function that allows information sharing, protects data from unauthorized use, and protects citizen privacy. Leadership and commitment from the highest levels of government and industry are the answers. Only with visible and sustained focus from the top on properly funding and staffing information assurance will the cultural change and sustained investment in disciplined governance and defensive cyber technologies occur. Cybersecurity is fundamentally a people problem, not a technology problem. We know what to do; we need the will to do it. Accountability and trust are the behaviors that need to be institutionalized. We know how to do this at the micro-organizational level. We now need to commit to doing it at the macro-level for the national and global cyberspace.