Obama 'needs new cyber-security tsar'

The Department of Homeland Security has failed to ensure the nation's cybersecurity, a new report to be released Monday concludes, because the threat of cyberattacks is too vast for any one agency to tackle and must be addressed by a new White House office, as well as revised laws and government practices.

As President-elect Barack Obama fills the remaining cabinet positions in his administration, a Center for Strategic and International Studies commission is recommending Obama create a new office in the White House: the National Office for Cyberspace, headed by an Assistant to the President for Cyberspace.

The Commission on Cyber Security for the 44th Presidency, an independent, nonpartisan group, releases its final report Monday after more than a year of exploring how to address the country's cybersecurity threats.

"America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009," the report says. It is "a battle fought mainly in the shadows. It is a battle we are losing."

The immediate risk lies with the economy, the report concludes, given the widespread use of cyberspace to conduct commerce and store intellectual property. However, the scope of threats is much more far-reaching, the commission said, with the most dangerous threats coming from the militaries and intelligence services of other nations.

President Bush charged the DHS with combating cyberterrorism when he created the department in 2002. The DHS runs the National Center for Cybersecurity, yet it is not prepared to address cybersecurity threats, the Government Accountability Office reported in September. The National Cyber Security Initiative established by President Bush in January has received harsh criticism as well, particularly for being too secretive.

Monday's report acknowledges the next administration will have to strengthen the DHS but concluded that even a bolstered DHS "is not the agency to lead in a conflict with foreign intelligence agencies or militaries, or even well organised international cyber criminals".

One of Obama's earliest actions as president, the commission recommends, should be to make a statement declaring cyberspace a vital national asset that will be protected by all instruments of national power.

That would mean putting in place a national, comprehensive strategy led by a National Office for Cyberspace (NOC) and an Assistant to the President for Cyberspace, the commission said.

The recommended executive office, staffed with 10 to 20 employees, would merge the DHS National Center for Cybersecurity and the Joint Inter-Agency Cyber Task Force (created by the Director of National Intelligence).

The new office should take a "federated approach" to governing across agencies, modelled after the Office of the Director of National Intelligence, the commission said.

Along with the new office, Obama should establish a new cyberspace directorate in the National Security Council that absorbs existing Homeland Security Council functions, the commission recommended.

"The split between 'homeland' and 'foreign' makes no sense for cybersecurity and, in a globalised world, makes little sense for US security in general," the report reads.

The NOC's overarching responsibilities would include issuing security standards for cyberinfrastructure to other agencies and monitoring their compliance. To best achieve this, the commission said, the Federal Information Security Management Act would have to be revised to allow the NOC to more closely monitor other agencies' cybersecurity efforts.

Other new regulations could include a mandatory requirement for agencies to contract only with telecommunications carriers that use secure internet protocols.

As the US reinforces its own cybersecurity practices, it should continue to do so at the international level as well, the commission said. The US should encourage other nations to ratify the Council of Europe Convention on Cybercrime, it said, and can reinforce such international cybersecurity norms with the threat of sanctions for noncompliance.

Original article: Tech commission suggests new cybersecurity post from CNET News.com