2009 v. 2017 in Cybersecurity: Comparing Recommendations for 44th and 45th Presidencies from The Center for Strategic and International Studies

The Center for Strategic and International Studies (CSIS) produced a cybersecurity report in December 2008 for the 44th Presidency (CSIS-44) and built on that to produce a report in January of 2017 for the 45th Presidency (CSIS-45).  What follows is a limited comparison between the two reports.

Some of the notable differences between CSIS-44 and CSIS-45 include:

Policy: CSIS-44 touted increase use of private-public partnership and the various benefits that could be derived therefrom.  CSIS-45 recognizes the cold hard reality that those partnerships simply failed to materialize and that delivered very little (if any) value to our cybersecurity posture.  CSIS-45 goes so far as to say that this type of approach that “encourages” cooperation is doomed to fail since it neither mirrors market realities nor is there any stick (ergo the private sector will only act if market forces dictate action or if action is mandated via regulations, etc.).

Another lesson learned from CSIS-44 was the attempt to focus on authentication and digital identities. CSIS-45 acknowledges that programs such as the National Strategy for Trusted Identities in Cyberspace (NSTIC) were grandiose in vision and lackluster in practice.

One other area covered here is the need for a national data breach policy.  CSIS-45 postulates that a federal data breach policy will enhance security since entities will understand their requirements and the policies and procedures they must implement.

Take-away: that ideas and vision are wonderful however if there is no mechanism for regulation or enforcement they are unlikely to come to fruition. Thus, the current Administration needs to recognize the bounds and limits of its influence and work with (rather than against) the legislative branch to effect the best possible outcomes.[1]  With respect to the national data breach legislation – I agree that is important, however, I don’t think it is as significant a cybersecurity issue as CSIS-45 postulates.  Not everything that moves from the state level to the federal is wiser or more efficient.  In some respects, states and localities may have more flexible and tailored data breach notification rules than trying to create a one-size-fits-all.  A single standard would certainly be easier but it is not clear how data breach notification rules applied federally will in and of itself create a higher level of cybersecurity.  For instance, what if a locale currently has a very strident data breach policy and the federal policy is less stringent. In such a case, wouldn’t the result be decreased cybersecurity?


Encryption: CSIS-45 includes several paragraphs on encryption and discusses the need to balance the national security implications of privacy, security, and innovation. One would have thought that the various issues surrounding the infamous clipper chip coupled with the latest FBI/iPhone “all-writs-act” court case would have made encryption a more prominent topic not only in CSIS-45 but so too would have warranted at least a mention in CSIS-44.  With respect to breaches and exfiltration of PII, one could argue that encryption is at the very heart of any discussion; however interestingly enough while some specific vulnerabilities are raised, scant attention is paid to this.

What CSIS-45 does say is that private-sector encryption should be encouraged but should also include private-sector cooperation to ensure that lawful access to encrypted data can be achieved. Hopefully, efforts in this area will also include an independent party that is able to make a neutral and detached decision regarding whether or not data can be unencrypted in a lawful manner.  Furthermore, it will be essential to ensure that the tools to effect this do not use the proverbial back-door approach since the government does not seem to be particularly adept at preventing the exfiltration of tools and software that it utilizes (i.e. consider recent tools that made their way into the public market, as well as the Snowden revelations).

Take-away: merely saying that you need to balance privacy, liberty, and security does nothing to ease the misgivings of privacy crusaders, tech companies, and 1st amendment supporters.  Stating that encryption should include a mechanism by which a lawful process can decrypt data strikes fear in the hearts of many.  For one, there has been no proposal as to the “who” that can make such a determination, would it be the judiciary?  Additionally, who would retain the technological capability of decryption?  If the private companies or the industry has this – who will safeguard it?  How will the use of decryption be monitored, logged, and accounted for?  What happens when a new authoritarian figure takes office with the support of a willing and able legislature and is able to define “what” they can access and decrypt?  How much liberty and privacy should we sacrifice for our security?


Cloud and IoT: while CSIS-45 specifically discusses both increased use of cloud devices as well as the proliferation of IoT devices and then goes on to say that any strategy must be fluid in order to accommodate the rapid pace of technological change, this approach seems rather narrowly focused.  While it is easy to view the movement to the cloud and the advent of IoT as disruptive technologies that require a revised strategy that isn’t the case.  Networked storage is not a new phenomenon nor is software-as-a-service (SAAS), taken together and coupled with centralized provider services this is more evolutionary than revolutionary.  The underlying strategy if purpose-built to discuss data and PII should be largely unchanged irrespective of the underlying technology or architecture.  Similarly, with respect to IoT this is more so an issue of scale versus some revolutionary new technology.  Neither the intended uses nor the ubiquity of IoT devices should impact a comprehensive cybersecurity strategy.

Take-away: CSIS-45, on the one hand states that the growing number of IoT devices will result in an immense number of connected devices and then proposes implementing a rating system similar to the NHTSA crash test system.  With the exponential growth in IoT devices, how would such a system be managed? The overhead and administrative burden of operating a program to rate IoT devices would be mind boggling. Further, with the rate of technological change and both software and hardware updates, this system would be impossible at the very least and unwieldy and unworkable at the very best.  Once again, the problem is one of focus — looking at the device and the perimeter vs. what really matters  — PII.


Offensive Cyber Operations: CSIS-44 devotes a fairly large section to a discussion of the use of military and developing appropriate response thresholds.  Whereas, CSIS-45 merely talks about identifying the split of responsibility along the military and civilian spectrum to ensure that no issues arise with respect to use of forces barred from domestic response during a cyber event.  CSIS-45 thus recommends strengthening DHS and simultaneously building capabilities within the National Guard and Reserves, either of which could be rapidly deployed to the states until Title 32 or Title 10/50 (this would have the added benefit of creating citizen-soldiers with expertise in cyber operations).

Take-away: CSIS-45 should likely be viewed in the context of CSIS-44 which provides a wealth of additional background and delves deeper into the concepts of necessity and proportionality (without ever spelling them out).  Ultimately, however, the issue will continue to arise where one force is deployed and tasked with monitoring and defensive operations and a separate force conducts offensive cyber or kinetic operations (especially in the case of cyber events initiated by Nation-states).  What this really comes down to, what really needs to be extrapolated is the attribution element.  The ability to confuse, inveigle, and obfuscate renders the question of cyber or kinetic offensive operations somewhat moot.  This also raises the issue of asymmetry which is probably a topic best left for a separate post.


OrganizationCSIS-44 and CSIS-45 both allude to the fact that an effective cybersecurity strategy is going to require clear leadership with well-defined authority – preferably flowing directly from POTUS to a highly-placed official with operational control over the moving pieces.  Here, CSIS-45 builds on CSIS-44 and states that DHS could continue to be the lead on this if the (1) the DHS Cyber Mission is fully defined; (2) Cybersecurity is put into an independent operational component of DHS; and (3) supporting agencies are strengthened and given key roles (e.g. State, FBI, Commerce, National Intelligence Agencies).

Take-away: the recommendations from CSIS-44 were never followed so we do not have a single lead-agency with the requisite power to manage cyber operations across the landscape.  The report doesn’t specifically call this out, but the OPM data breach, the Sony hack, the IRS hacks, all point to a rather poor cybersecurity posture using the weak-DHS model.  In CSIS-45 it almost seems as though the authors have accepted the way things are and are pushing for modest, incremental change.  However, if creating a standalone cybersecurity model (such as other nations are doing) is the best, most efficient approach shouldn’t’ CSIS-45 continue to advocate for that? Kind of a shoot for the stars and reach the moon approach vs. CSIS-45’s Eeyore, whoa is me approach.


Resources: in this area CSIS-44 and CSIS-45 both advocate for training and education to develop a cybersecurity workforce.  CSIS-44 may not have been dire enough in its prediction of the number of skilled cybersecurity professionals that were going to be needed.  CSIS-45 pays a little more heed to this but still discusses at a very high level.  With all of the rhetoric over the past several months about college tuition and the need for a skilled workforce and the need to build/re-build private/public partnership, this seems like a key opportunity that was missed by CSIS-45.  The obvious truth is that the supply of cybersecurity professionals has been outstripped by the demand by a very large factor.  Thus, this problem impacts the private and public sector alike.[2]

Take-away: might be best to use this workforce shortage to create a long-term supply reaching all the way down to the elementary level, targeting persons whose inherent skills and aptitude make them ideal candidates for such a career path.  Private industry could help defray the costs of training and education, with the benefit of a skilled worker at a reduced rate of pay for a specified duration.  Credits could also be given for the training expense incurred by persons that enter the public vs. the private sector.  Thereby strengthening the public/private relationship and creating a long-term solution to a specific need.  This would also create the infrastructure needed to develop similar pipelines for other skills, thus allowing some level of career pre-determination (several eerie science fiction movies have been based on similar premises).


Conclusion: in many respects, CSIS-45 builds upon what was crafted and delivered in CSIS-44.  Little of this is revolutionary and is largely just an extension of the CSIS-44 principles.  However, taken together these recommendations could serve to bolster US cybersecurity. The key will be to get the White House and Congress to acknowledge the scope of these issues and to devote the necessary time and resources to both short and long-term solutions.  The development of a workforce that targets elementary age children puts the horizon out several presidential terms which dictates that action be taken in conjunction with congress rather than via presidential fiat.



[1] It is interesting to note that the CSIS-45 report has an entire section on previous attempts to model government after the private sector and building in the typical C-Suite executives (CTO/CISO/CIO) and how this has been ineffective since these C-Suite positions lack real authority and thus pushing a private sector organizational model into the public sector falls short.  Since this dialogue was lacking in the CSIS-44 report one can only wonder if the non-business person was assuming the helm if language dictating the pitfalls of trying to apply a private-sector business organization to the government model would have been included?

[2] With obvious trade-offs and incentives within each.  For instance, the lure of an NSA job may be using and developing cutting-edge tools and access to some fascinating technology contrasted with the public sector which can offer more financial incentives than the public sector.

Share:

Tags:

One Response to “2009 v. 2017 in Cybersecurity: Comparing Recommendations for 44th and 45th Presidencies from The Center for Strategic and International Studies”

  1. wcsnyder says:

    Bruce Schneier has added some analysis of the CSIS recommendations on his blog at https://www.schneier.com/blog/archives/2017/02/csiss_cybersecu.html .

Leave a Reply

You must be logged in to post a comment.

Authors

Untitled Document
Professor William Snyder

Professor William C. Snyderis a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Christopher w. FolkChristopher W. Folk

is a second year student at SU College of Law. Christopher is a non-traditional student, returning to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. In Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received a M.S. In Computer Information Systems. Christopher previously worked in Software Engineering and in addition to being a full-time student, Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law. Full biography

Ryan D. White

Ryan D. WhiteRyan is currently a second year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic.Full biography

Anna Maria Castillo

is a third year law student at Syracuse College of Law. She is also pursuing a Master of Arts in International Relations at Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She currently serves as an executive editor in the Syracuse Law Review. Full biography

Jennifer A. CamilloJennifer A. Camillo

is a third year student at Syracuse College of Law. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She is a member of the Syracuse National Trial Team and was recently awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. PistoreseTara J. Pistorese

holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington. Full biography

Benjamin Zaiser

is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.) Full biography

Categories