There have been a number of calls lately for the creation of an agency like the Federal Emergency Management Agency (FEMA) focused on the Internet. The theory is that by integrating the currently fragmented cyber-security efforts of the Departments of Defense, Homeland Security, OMB and a half dozen other agencies, that we’ll be better able to respond to cyber-attacks from predators foreign and domestic. While such integration is surely needed and is very effectively documented in the recent report by the Center for Strategic and International Studies (CSIS), I’m not sure that a “Cyber-FEMA” is enough to address the threats now bearing down on the nation’s Internet infrastructure.
While FEMA’s charter is formally defined to be both proactive and reactive, the fact is that it’s core mission is to react when disasters both natural and man-made occur. While it’s easy to build a case that we need an agency with a rapid response capability to respond to cyber-attacks, this only addresses a portion of the problem. The fact is that we already DO have an agency with this responsibility; the U.S. Computer Emergency Readiness Team (US CERT). While US CERT has been somewhat hamstrung in achieving its mission by lack of resources and focus, it’s not completely correct to assert that this role is uncovered in the nation’s current cybersecurity strategy.
It is also incorrect, however, to assume that the current U.S. cybersecurity strategy is complete in either concept or organization. One of the core theses of the CSIS report on cyber-security is that the only effective way to truly protect the nation’s cyber-assets is with extensive public/private partnerships. I would contend that these partnerships must also be international if we’re ever going to truly protect the infrastructure on which all global business now runs. So in addition to creating an ability to respond to domestic cyber-attacks, I think the time has come to also initiate a NATO like organization to fight the growing global cyber-crime gangs and even the emerging cyber-terrorism organizations. NATO was originally founded on the principle of collective defense in which an attack on one member would be considered an attack on all and the resources to provide such a response would be provided by all member nations.
As the recent breach at the FAA demonstrated, federal information assets remain quite vulnerable. However, playing defense alone won’t win this battle any more than it is capable of winning conventional battles. Creating a cyber-NATO would focus our efforts to leverage the data security capabilities in the developed world and allow the developing economies to quickly leverage the best practices already in place in those developed regions. In addition to creating a needed sense of shared dilemma, such an organization would bring the following benefits to the table.
- Venue for Harmonizing Cybercrime Criminal Code: One of the big impediments to the investigation and prosecution of global cybercrime is the relative immaturity of the criminal code globally and material inconsistencies in the way in which existing laws are enforced. It won’t be possible to limit the activities of global cyber-crime gangs until we have global agreement on what is and isn’t a crime and empowered and motivated regional authorities capable of enforcing global laws and treaties.
- Identification and Deployment of Best Practices and Technologies to Protect Internet Infrastructure: It isn’t enough if only a handful of wealthy nations put effective protection measures in place as the criminals will just turn their attention to less developed regions. We really are all in this together. Not only does a coordinated approach work better, it results in lower costs because of the natural economies of scale that develop.
- Definition of Standard Protocols and Procedures: This is where most of the economic leverage cited above occurs. Besides creating an effective sense of collective defense, NATO has been responsible for defining many of the standard weapons systems that allow soldiers from countries with vastly different military histories and traditions to fight effectively side-by-side. There are now nearly 1,300 Standardization Agreements covering everything from bullets to the phonetic alphabet (the one that goes “Alpha, Baker, Charlie”) used by NATO forces. Creating similar standards to secure global Internet infrastructure will enhance global security while lowering the cost of doing so.
I’m sure there are many other benefits to working collaboratively with our allies globally to prevent malicious bad actors from subverting the Internet for their own economic and political gain. The point is that winning this battle will require a comprehensive plan and complement of global bodies to fight both offense and defense.