The National Strategy to Secure Cyberspace
A Roadmap for Cybersecurity
OCT 22, 2002
Introduction
On September 18, 2002, the United States government took a step forward in the world of information security by releasing the "National Strategy to Secure Cyberspace - Draft for Comment" to the public for review and comment. The National Strategy to Secure Cyberspace (NSSC) is a call to action to safeguard information assets for individuals and organizations. Contained within the document is a set of recommendations, or a "road map" to cybersecurity. The NSSC is not mandated by force of law, but it does ask for a significant voluntary commitment.
One of the main goals of the NSSC is to foster public-private partnerships by asking everyone to work together. The inextricable ties between Canada, the United States and Mexico are also acknowledged, and because the three nations share infrastructures, all three are encouraged to work together in this cybersecurity effort.
Vulnerability-based approach
Seeking to influence the philosophy of information security, the NSSC argues for a vulnerability-based approach to security rather than a focus on threat capabilities. Its reasoning rests on the worst-case scenario: threats are incalculable, which makes them next to impossible to predict based on what we have experienced thus far.
The NSSC is a real indication of the new philosophy in national strategy development, and the White House has designated it a living document that will change and evolve as the environment changes. To show that it means business, the White House has put its money where its mouth is: President Bush has requested $4.5 Billion in funding for securing federal computer systems in fiscal year 2003.
Putting the NSSC into perspective
U.S. Strategic Family
You can see the dimensions of U.S. security strategy in the following chart:

U.S. National Security Strategy (NSS)
Released on September 20, 2002. This is the single overarching core strategy document for the United States, and lays the groundwork for supporting strategies such as the National Military Strategy and the National Homeland Defense Strategy. The NSSC was developed as a strategy to implement the NSS.
U.S. National Military Strategy
The NSSC touches on the National Military Strategy in several ways. Perhaps the most revealing is that both focus on a capabilities-based approach as noted in the Quadrennial Defense Review Report (QDR) released by the Department of Defense (DoD) on September 30, 2001, which states:
"The new defense strategy is built around the concept of shifting to a 'capabilities-based' approach to defense. That concept reflects the fact that the United States cannot know with confidence what nation, a combination of nations, or non-state actor will pose threats to vital U.S. interests or those of U.S. allies and friends decades from now."
U.S. National Homeland Defense Strategy
The President acted quickly following the terrorist attacks in September 2001 to secure our information and telecommunications infrastructure. The President created the Critical Infrastructure Protection Board and launched a public-private partnership to create the NSSC. The NSSC is considered an implementing component of the overall Homeland Security Strategy.
Five Levels of the NSSC
There are five organizational levels to the NSSC:
Level 1: Home Users and Small Businesses
Level 2: Large Enterprises (mainframe users)
Level 3: Critical Sectors of the Economy
Level 4: National Priorities
Level 5: Global Issues
The following recommendations are purely voluntary, but strongly encouraged by the NSSC:
Level 1: Home Users and Small Businesses
While each individual computer may not seem significant, the pool of computing power represented by the sum of all home and small business computers is very significant. Telecommuters are also considered in this group, and employees and employers are advised to take special care that remote connections are protected. To make security easier for the home and small business user, the NSSC urges service and software providers to make automatic updates available, so that even the most unskilled computer user can stay secure.
Level 2: Large Enterprises
The NSSC has classified large enterprises as those organizations employing a mainframe computer.
Here are the NSSC's recommendations for such organizations:
Raise the bar on the level of security responsibility within the organization.
Create corporate security councils for cybersecurity "where appropriate."
Devote significant corporate attention to authentication, configuration management, training, incident response, optimizing the organization and its functions surrounding the network, network management, and smart procurement.
Address the challenges of open-ended networks, mainframe security, instant messaging, and other technologies.
The NSSC wants mainframe user organizations to be able to answer the following five key questions:
What board members are responsible for IT security and risk management oversight and do these members provide an annual report to the board?
Who is the most senior corporate official responsible for IT security, and to whom is he or she directly accountable?
How often do the CEO and COO review IT security and overall corporate risk management?
What internal IT security policies exist and do they involve annual training for all employees?
Are the security controls of the company's computer systems sufficient to prevent unauthorized access to files, alteration of data, and the loss or theft of trade secrets and proprietary assets?
Level 3: Critical Sectors of the Economy
The NSSC chooses to focus on organizations within the same industry because they tend to share business models and IT infrastructures, and because they often compete for the same customers and are bound by the same rules and regulations, they tend to develop similar cultures as well.
Ten major industries have already developed planning documents, which you can view at: http://www.pcis.org/.
Level 4: National Priorities
This section can be thought of as the guidance or general direction that shaped the construction of the NSSC. The NSSC document goes into greater detail about three key foundations of securing shared systems, and discusses the relevant aspects of the strongly encouraged public-private partnership.
Level 5: Global Issues
North American Centric: The NSSC is not intended for the United States alone, but for the entire North American continent. Canada and Mexico share infrastructures with the United States, and the three countries are inextricably linked. Oil and gas pipelines, telecommunications networks and power grids all serve as examples of how these three nations are bound together. On a united front, the three countries are committed to creating "smart borders" that are open for business but closed to terrorists.
Punishing Cybercrime: The White House administration has cited the European Union's Cybercrime treaty as a good example and encourages other governments to ratify and adopt that treaty, or at the very least, pass their own computer crime laws and rules for punishing cybercriminals.
Authentication and Information Sharing: This is another area where international cooperation is key.
Conclusion
Overall, the NSSC represents an advancement in the world of information security, if only in the sheer volume of input it gathered and its strong argument for international public-private partnerships. It not only provides significant security information for all types of cyberspace users, but also puts everyone on notice that each and every individual and organization plays an active role in ensuring cyberspace security.
Market analysts agree that while they had predicted great windfalls for security vendors after September 11, the only beneficiaries so far appear to be those promoting physical security, with guns and bodyguards taking precedence over sorely needed cybersecurity programs. Only time will tell whether the second round of input and the final version of the strategy expected to be signed by President Bush by the end of 2002 will generate other results.
