IT Security Panel Urges Obama To Name Cyberspace Czar

cyberspace a blue-ribbon commission on cybersecurity

The CSIS commission's 96-page report, "Securing Cyberspace for the 44th Presidency," was intended to recommend an "actionable plan" that was "not so specific that it mandates specific technology," said commission member Shannon Kellogg, director of information security policy in the Office of Government Relations at EMC.

"The commission did not recommend specific technology specifications. We did come out and say we support a series of guidelines drafted in conjunction with private industry that builds on existing initiatives," Kellogg told ChannelWeb Monday after the release of the report by the Washington, D.C.-based policy think tank.

The commission's recommendations also include revamping the U.S. government's password-based user-authentication system with more robust technologies and using the federal government's value as a technology consumer to pressure IT vendors to meet higher security standards with their products.

Thus, if the commission has its way, Obama would direct the Office of Management and Budget and the proposed National Office of Cyberspace "to develop mandatory requirements for agencies to contract only with telecommunications carriers that use secure Internet protocols."

"A central tenet of the regulatory recommendations is to leverage government buying power to spur companies toward building better security products. So the recommendation on secure configurations, for example, is one way to spur the sort of behavior in the private sector on security that we want," Kellogg said.

A report that calls for broad new government regulation of online activity is sure to receive some criticism on privacy and civil liberties grounds. Kellogg said the CSIS commission was particularly sensitive to the balance between such concerns and the need to modernize government's response to cyberspace-related threats.

"The objective of protecting privacy and civil liberties was something we took seriously," Kellogg said, pointing to the commission's recommendation of a "risk-based" approach to standardizing authentication protocols for digital identities. The highest security gates would be built around access to "critical cyber infrastructures" such as communication backbones, energy, finance and government services, with lower authentication hurdles for activity like online shopping and none at all for political speech, he said.

The report is not kind to the current federal IT security standard, the Bush administration's Comprehensive National Cybersecurity Initiative (CNSI), which the commission calls "not comprehensive," adding that "unnecessary secrecy reduced its effect."

Kellogg said the CNSI was "a good baseline to build on," but that the commission's goal of fostering cybersecurity partnerships between government and the private sector would be "difficult to do if things are overly classified."

How likely is the new president to buy into the CSIS recommendations? Obama is expected to take the report seriously, considering that several members of the commission are also on Obama's presidential transition team, including technology advisers Dan Chenok of McLean, Va.-based government IT contractor Pragmatics, and Bruce McConnell, founder of Washington, D.C.-based procurement consultant McConnell International.

The panel also included representatives of such IT heavyweights as Cisco Systems, IBM, Microsoft, and Sun Microsystems, as well as advisers from AT&T and Verizon, and a number of commission members from government and academia.

"The report advocates some bold moves, which is in theory what the Obama administration has expressed interest in supporting," said Mike Haro, a senior security adviser at security software vendor Sophos.

The CSIS commission was established in August 2007 in response to "a wave of damaging attacks in cyberspace" that rocked the U.S. government, including security breaches at the Departments of Commerce, State, Homeland Security and Defense, according to Kellogg.