Board urges full funding of cybersecurity initiative

The nation's information infrastructure remains vulnerable to cyberattack and the incoming Obama administration must take immediate steps to improve cybersecurity, the Defense Science Board warned in a report released on Tuesday.

Comment on this article in The Forum.The new administration should place the "highest priority" on the classified National Cybersecurity Initiative that the Bush administration launched in January, according to the report, "Defense Imperatives for New Administration."

The report, released on Election Day, outlined a small, yet complex set of issues that threaten "future military failure" if not addressed, including stopping the development and deployment of weapons of mass destruction and shortening the procurement cycle for Defense Department technology.

The science board focused on the cybersecurity initiative, estimated to cost as much as $30 billion in seven years, as important. The Obama administration should support the cyber initiative with full funding and "highly focused and frequent management attention to ensure that agreed goals are met with the highest sense of urgency," the report said.

The Defense Science Board recommended the new administration dramatically expand the scope of the cybersecurity initiative to include protection of the commercial information infrastructure used by key sectors such as finance, transportation, manufacturing and agriculture "upon which the entire country depends."

It also recommended the department move beyond its current perimeter defense strategy, which puts a digital fence around computers and information systems, because the defenses can be easily breached by unsophisticated hackers.

Defense also needs to protect itself against inside threats from government employees and federal contractors who hack into or steal data from information systems. Protecting systems against insider threats should be the key cyber defense project of the new administration, using what the report called "aggressive" auditing of users who are accessing computer networks.

The report recommended Defense develop new automated tools and algorithms to detect suspicious activity from employees and contractors, a task that will require a significant research-and-development effort, said Mark Orndorff, director of the Defense Information Systems Agency's Program Executive Office for Information Assurance and Network Operations in an interview with Nextgov last month. He said DISA stores terabytes of information in its data centers and the commercial sector has not created a tool that can sift through such a mountain of data to identify suspicious insider activity.

Defense also should include government-created hardware and software in every critical information system to thwart an adversary, the report suggested. Government hardware and software would increase the research and operating cost to critical systems, but also would discourage cyberattacks, the report said.

Computer hardware and software are developed and manufactured globally -- some of it by potential adversaries -- and the report recommended Defense acquire hardware and software in a way that veils end users.

In addition, the report suggested that Defense remove unneeded functionality from its applications and operating systems as every added feature offers an adversary a way to gain entry into a system. Defense also should minimize the time between its decision to purchase commercial hardware and software and its delivery and installation so a hacker has less opportunity to learn how to exploit vulnerabilities in the new equipment.

Finally, the report said, the new administration must prepare itself for a long-term fight with cyberwarfare adversaries. Protection against cyberattacks will require repeated cycles of computer system testing, vulnerability identification and application of new defensive measures, with much of the burden to research and develop the tactics falling on intelligence agencies because they are the primary targets of advanced cyber threats.