Report: US needs to adopt minimal national security standard for cybersecurity


The United States cannot allow cyber insecurity in information systems to reach a point where weaknesses would result in leaders "unwilling to make a decision or unable to act on a decision fundamental to our national security," said a new think tank report, suggesting a new national security standard for what's important to protect in cyberspace.

Richard Danzig, who served as secretary of the Navy under the Clinton Administration, authored the Center for a New American Security report (pdf) published July 21.

The report describes the vulnerabilities and other insecurities in information systems as well as recommending several initiatives, including articulating the minimal national security standard, to improve the nation's cybersecurity posture.

"A more stringent standard may later be in order, but this standard can now secure a consensus, illuminate the minimum that the United States needs to do and therefore provide an anvil against which the nation can hammer out programs and priorities," Danzig wrote.

Danzig said that because IT dependency and accompanying insecurities have come so rapidly evolved, the U.S. doesn't really understand what is acceptable and unacceptable risk let alone what the government's and the private sector's roles are in this area.

Leaders are more reactive when confronted with dramatic changes, he wrote. And the absence of a cybersecurity standard "cripples efforts at consensus and therefore disrupts strategies, undermines legislative proposals, makes budget allocations difficult to size and defend, etc."

He also said that the U.S. may need to adopt a strategy that "self-consciously" gives up some cyber benefits in exchange for greater security on key systems.

This might involve "stripping down systems so they do less but have fewer vulnerabilities" and less reliance on digital systems and more on humans, among other recommendations.

Another interesting initiative is to "map the adversarial ecosystem of cyberspace in anthropological detail" as a way to better understand enemies, our own incentives and operational methods, he wrote.

For more:
- read the CNAS report (.pdf)

Related Articles:
Study: Utilities, others in critical infrastructure sector unprepared for cyber attacks
Senate panel OKs bill encouraging companies to share cyber threat data with gov't
Study: Cybersecurity problems won't be solved with a permanent solution any time soon