Board urges full funding of cybersecurity initiative

The nation's information infrastructure remains vulnerable to cyberattack and the incoming Obama administration must take immediate steps to improve cybersecurity, the Defense Science Board warned in a report released on Tuesday.

The new administration should place the "highest priority" on the classified National Cybersecurity Initiative that the Bush administration launched in January, according to the report, "Defense Imperatives for New Administration."

The report, released on Election Day, outlined a small, yet complex set of issues that threaten "future military failure" if not addressed, including stopping the development and deployment of weapons of mass destruction and shortening the procurement cycle for Defense Department technology.

The science board singled out the cybersecurity initiative, estimated to cost as much as $30 billion over seven years, as important. The Obama administration should support the cyber initiative with full funding and "highly focused and frequent management attention to ensure that agreed goals are met with the highest sense of urgency," the report said.

The Defense Science Board recommended the new administration dramatically expand the scope of the cybersecurity initiative to include protection of the commercial information infrastructure used by key sectors such as finance, transportation, manufacturing and agriculture "upon which the entire country depends."

It also recommended the department move beyond its current perimeter defense strategy, which puts a digital fence around computers and information systems, because the defenses can be easily breached by unsophisticated hackers.

Defense also needs to protect itself against inside threats from government employees and federal contractors who hack into or steal data from information systems. Protecting systems against insider threats should be the key cyber defense project of the new administration, using what the report called "aggressive" auditing of users who are accessing computer networks.

The report recommended Defense develop new automated tools and algorithms to detect suspicious activity from employees and contractors, a task that will require a significant research-and-development effort, said Mark Orndorff, director of the Defense Information Systems Agency's Program Executive Office for Information Assurance and Network Operations, in an interview with Nextgov last month. He said DISA stores terabytes of information in its data centers and the commercial sector has not created a tool that can sift through such a mountain of data to identify suspicious insider activity.

Defense also should include government-created hardware and software in every critical information system to thwart an adversary, the report suggested. Government hardware and software would increase the research and operating costs of critical systems, but also would discourage cyberattacks, the report said.

Computer hardware and software are developed and manufactured globally -- some of it by potential adversaries -- and the report recommended Defense acquire hardware and software in a way that veils end users.

In addition, the report suggested that Defense remove unneeded functionality from its applications and operating systems as every added feature offers an adversary a way to gain entry into a system. Defense also should minimize the time between its decision to purchase commercial hardware and software and its delivery and installation so a hacker has less opportunity to learn how to exploit vulnerabilities in the new equipment.

Finally, the report said, the new administration must prepare itself for a long-term fight with cyberwarfare adversaries. Protection against cyberattacks will require repeated cycles of computer system testing, vulnerability identification and application of new defensive measures, with much of the burden to research and develop the tactics falling on intelligence agencies because they are the primary targets of advanced cyber threats.
