New White House cybersecurity strategy needs new ideas, says CSIS commission

A new national cybersecurity strategy under development by the Obama administration should not reiterate obsolete ideas that nonetheless continue to dominate the cybersecurity debate, says a new report from the Washington, D.C.-based Center for Strategic & International Studies Cybersecurity Commission.

Among policy concepts that have failed to bring about real change are "public private partnerships," "information sharing" and "self regulation," says the report, which was released publicly Jan. 31.

The report is a follow-up to the much-read set of recommendations the CSIS Cybersecurity Commission issued in December 2008, "Securing Cyberspace for the 44th Presidency." James Andrew Lewis is the commission project director.

While the past two years have seen the emergence of cybersecurity as a major public policy issue, the United States remains unprepared to defend itself against nation-state cyber opponents, the new report states.

Report authors attribute slow progress in part to those in the private sector who reject government regulation on ideological grounds or who fear it would stifle innovation.

"Americans usually assume that market processes will solve problems without government intervention," they state, adding that they believe that the Internet is merely the latest major new commercial technology in need of federal oversight. Past examples include the automobile; carmakers similarly said that safety regulations would stifle innovation, the report says. As for innovation, economic espionage via the Internet is likewise a threat to its existence, it adds.

The current "voluntary, disaggregated" federal approach to national cybersecurity with its emphasis on information sharing and public-private partnerships incorrectly assumes that private entities will share information "despite liability, antitrust and business competition risks." It also underestimates the difficulty of sharing classified information with the private sector, the report adds.

(Coincidentally, a lessons-learned report about stopping the Conficker worm emerged only days ago; it criticized the government for failing to share information with the private-sector-led working group that neutralized the worm with no assistance from federal agencies.)

Report authors also criticize federal agencies for being unwilling to cede their current cybersecurity roles to what the authors say should be a White House cybersecurity office with powers analogous to those of the Office of the U.S. Trade Representative.

As the Obama administration prepares a new national cybersecurity strategy to replace the current one, crafted in 2003, it should draw on new ideas, the report says, in particular those in "Securing Cyberspace for the 44th Presidency."

For more:
- download the new CSIS Cybersecurity Commission report, "Cybersecurity Two Years Later" (.pdf)
