Making Cyber-Security a National Priority

Citizen involvement in cyber-security is crucial.

by / October 5, 2009

As the Pentagon continued its development of the F-35 Joint Strike Fighter program -- the costliest weapons project in U.S. history -- news surfaced in April that for more than a year, hackers downloaded several terabytes of sensitive data from contractors' computers.

The breach was a startling realization that even the most secretive projects are vulnerable. Defense Secretary Robert Gates admitted to CBS News that the United States is "under cyber-attack virtually all the time, every day" and that the Pentagon is changing its strategy to combat and use cyber-warfare in the U.S. defense policy. Gates ordered the creation of a new military cyber-command that will defend the Pentagon's networks and conduct cyber-warfare. The Pentagon also will more than quadruple the number of security experts it employs to combat cyber-attacks.

Yet as hackers and botnets -- groups of "zombie" computers that autonomously spam the Internet -- continue to attack organizations worldwide, a prevailing cyber-security question is how to unite the public and private sectors, as well as individual computers, to fight cyber-crime.

Partnering With Citizens

President Barack Obama announced that cyber-security is a national priority and that he'll appoint a cyber-security coordinator. He also stated that the U.S. government would collaborate with the private sector to create a comprehensive national cyber-security policy. But he did not outline citizen involvement, which some security experts say is crucial.

"I think civilian participation in cyber-security is absolutely essential because the systems that are used in attacks and most of the systems that are attacked are owned and operated by civilians," said Susan Brenner, professor of law and technology at the University of Dayton School of Law.

Brenner believes the current system for cyber-space enforcement is outdated and based on modern criminal law that's oriented around territorial domains, which limits law enforcement. Because cyber-attacks occur from anywhere around the world, law enforcement deterrence and prevention has become very difficult.

Brenner said cyber-crime can be prevented by information sharing and coordinating response from the public and private sectors, and especially individual citizens. Since citizens are usually the ones attacked, Brenner said they should be included in cyber-security response by reporting attacks and making their systems more resistant.

Since civilians often don't report attacks to authorities, cyber-security enforcement is losing valuable information about cyber-attacks. If law enforcement and the military create a rapid flow of threat data across the public, private and individual sectors, the nation's cyber-security would be strengthened, Brenner said.

Brenner suggested a "distributed" approach to cyber-crime, where governments would require anyone accessing cyber-space to employ security measures, without infringing on civil liberties. New cyber-crime prevention laws could potentially require citizens and private- and public-sector organizations to implement tools necessary to prevent threats like identity theft, anonymous e-mail relaying and the expansion of botnets.

"People are currently the biggest flaws in cyber-security," said Joseph J. Schwerha, associate professor of business law at California University of Pennsylvania, who co-wrote an article with Brenner on cyber-crime. "Because information has to be available for people to use it, people are frankly the weak link in the chain."

Educating the Population

Education has been the primary cyber-crime prevention strategy, with numerous organizations -- including the U.S. Department of Homeland Security, InfraGard and the United States Computer Emergency Readiness Team -- gathering and relaying information about cyber-threats. Education is essential on the individual level, Schwerha said since cyber-criminals are increasingly targeting and hijacking individuals' computers to conduct cyber-warfare and perform other malicious activities.

The National Cyber Security Alliance (NCSA) is a public-private organization that specializes in cyber-security awareness to build a national understanding about appropriate online tools and behavior.

The NCSA believes education is the key to protecting individual computers and networks.

"The biggest threat I see, in general, is that users don't understand the connection between what they do on a computer and how that affects the networks they use," said Michael Kaiser, the alliance's executive director. "We really believe the answer to cyber- security issues is sharing information. We don't believe one organization, nonprofit, school or parent can do it individually. It has to be done collectively."

However, only five states have mandated Internet security training for individuals, and fewer than one-third of all classrooms teach anything related to cyber-security, according to the NCSA. In addition, an estimated 60 percent of teachers admitted they don't feel prepared to teach cyber-security. To help remedy this education gap, the NCSA created a volunteer program that brings IT security professionals into classrooms to teach about cyber-security, ethics and safety.

A partnership between the FBI and private sector called InfraGard disseminates information and reporting among its members on cyber-crime and other major crime programs. Many private-sector members of InfraGard have improved internal education programs for their employees because individuals working for organizations are often the cause of security threats. The increasing use of portable technologies -- such as laptop computers, PDAs, BlackBerrys, phones and flash media -- containing sensitive information has made many organizations vulnerable to cyber-security threats.

"As industries become more global with outsourcing and you have computer files with product designs, such as CAD files, that are available electronically, it's very easy for those files to go where they shouldn't," said John Landwehr, a member of the San Francisco Bay Area InfraGard local board of directors.

Challenges and Requirements

Though educating employees is important, the idea of incorporating private citizens into cyber-security protocol is a challenging proposition, said Ronald Dick, president of the InfraGard national members alliance, because privacy issues must be addressed, enforcement would be difficult -- especially in other countries -- and service providers would also need to be included.

Dick, who is the former director of the FBI's National Infrastructure Protection Center, said there should be more stringent requirements on software developers and hardware manufacturers to increase Internet security. He's encouraged by Obama's recent attention to securing the country's critical Internet infrastructure, but said more work must be done to form effective collaboration between the public and private sectors.

"There is the realization that for our national security and the security of our information -- both from the public- and private-sector standpoints -- there has to be a partnership between the two sectors," Dick said. "It will not work without the two of them working together to better secure networks. There is this realization, but the question is: How do you execute it? There's a real searching on both sides on how do we make it work to protect the rights of citizens and the nation."


Chandler Harris Contributing Writer