Cloud services could bolster national cyber security

The shift to cloud computing offers an opportunity to better secure the national digital infrastructure by concentrating the burden of cyber security among a relatively small number of service providers rather than thousands of individual businesses, according to a report by a foreign policy think tank.

"Cloud computing has weaknesses, but it also offers the opportunity to aggregate and automate cyber defense," according to a new report by the Center for Strategic and International Studies. The report, "Cybersecurity Two Years Later," is a follow-up to "Securing Cyberspace for the 44th Presidency," which the group issued in 2008.

"Much of the burden of security will shift from consumers and businesses to service providers that may be better equipped to meet advanced challenges," the new report says. "The move to the cloud is not a silver bullet that will solve all cybersecurity problems, but it is part of a larger move to a more mature infrastructure that includes the automation of security practices and monitoring — such as the Security Content Automation Protocol (SCAP) — particularly if we find a better way for service providers to work more effectively with government agencies."

In the two years since the foreign-policy think tank issued its first report, the Obama administration has fallen short of implementing measures that would protect the U.S. from cyber attacks, the new report says.

The good news is that the U.S. is not engaged in a cyber war and it is not suffering cyber attacks from terrorists. The bad news is that if it were, it couldn't do anything about it. "Should this change the United States is unprepared to defend itself," the report says. Cyber spying and cybercrime are the two big threats the country faces.

Public-private partnerships to formulate and implement cyber security won't work and should be dropped, the report says. "The goal for 2011 should be to issue a comprehensive national strategy based on new ideas rather than recycling the 2003 strategy," it says. "This means no appeals to public-private partnerships, information sharing, or unilateral efforts at deterrence, as were made in the 2003 strategy."

The organizational structure has been put in place to protect government and military sites, the report says. "But no one in particular defends private networks, where our policy is to rely on some combination of individual action, encouragement, leadership by example, and faith in market forces. The market will not deliver adequate security in a reasonable period, and voluntary efforts will be inadequate against advanced nation-state opponents."

Stuxnet, the sophisticated worm that destroyed some equipment in the Iranian nuclear program, is just the beginning of similar attacks that private businesses cannot defend against. "The market will not deliver adequate security in a reasonable period, and voluntary efforts will be inadequate against advanced nation-state opponents," according to the report. Federal laws and regulations are needed instead.

Authentication for anyone using critical infrastructure should be implemented. "This would affect fewer companies and no consumers," the report says, making it more palatable. "Some companies do a good job; others (about half) still rely on easily cracked passwords to secure sensitive functions, including control systems."

There is general recognition that educating more cybersecurity experts is key, but the effort is lagging. "However as with much else in cybersecurity policy, the problem has been identified, initial steps have been taken, but there has been slow progress in changing the situation from where we were two years ago," it says.

The federal government should set security standards on products it buys to encourage general use of more secure infrastructure, the report recommends.

Laws governing cybersecurity are actually laws written for other circumstances but being applied to cybersecurity, the report says. An overhaul is needed to address the specifics of cybercrime and cyber attacks.

The U.S. needs to sway other nations to embrace cybersecurity. "Other nations with very different political values are challenging the original, U.S.-centric idea of governance by a private, global community," the report says. "The United States needs to articulate a positive agenda of norms, consequences, and cooperation."

Progress has been made, but not enough. "There are still few consequences for malicious activity in cyberspace, and there are no cooperative structures to create such consequences," the report says.

Pushing the authority of the U.S. Cyber Command into civilian areas such as Tier 1 service providers is desirable from a security standpoint but politically volatile, the report says. "Any discussion of an expanded military role in defending civilian networks runs into powerful antibodies that grow out of civil liberty and privacy concerns. Historical precedent also limits the role of the military in civilian affairs," the report says.

Public sensitivity to privacy encroachment that was heightened by a massive communications surveillance campaign initiated during the George W. Bush administration needs to be lessened through use of the presidentially appointed Privacy and Civil Liberties Oversight Board, the report says. Frequent PCLOB reports could rebuild public trust.

"Our 2008 report concluded that cybersecurity is now one of the major national security problems facing the United States and that only a comprehensive national strategy consistent with U.S. values would improve the situation," the report says. "Many in the current administration share these conclusions, but progress has been slow."

The report says there are symptoms that those in charge of cyber defense are behind the times. "Our policies have not kept up with technology or the emergence of the global network," the report says. "Discussion remains wedded to ideas developed when the Internet was smaller, largely American, and much less important for our economic life. These policies are no longer adequate for global commerce and national security, but there is real resistance to change."

Arguments that innovation would be hampered by restrictive measures that would improve security are simplistic, the report says. "It does little to help innovation and growth if foreign competitors can steal by the truckload the results of U.S. investments in research and intellectual property because of weak cybersecurity," it says.

"The process of rethinking cybersecurity will be difficult, but this situation is not new," the report says. "Every time a new technology has emerged to reshape business, warfare, and society, there has been a lag in developing the rules needed for public safety. Cyberspace is different only in its global scope and in its urgency."

Read more about wide area network in Network World's Wide Area Network section.
