On February 6th the Obama administration released the 2015 National Security Strategy (NSS).
This is the first new/updated NSS since 2010! Think about all that has changed since 2010 and how outdated that previous document must be. A review of the document found that cyber is mentioned 19 times in the 2015 NSS. Let's look at some of the areas that were addressed.
Resource: Download the NSS
"We are shaping global standards for cybersecurity and building international capacity to disrupt and investigate cyber threats."
Are standards the answer? As soon as they are established, accepted and implemented, two things will probably happen. First, between now and the time they are established, accepted and implemented, technology will have changed and significantly impacted the effectiveness of those standards. Secondly, criminals, terrorists and rogue nation states will evaluate those standards, find weaknesses and areas that aren't covered, and change their modus operandi.
"The danger of disruptive and even destructive cyber-attack is growing, and the risk of another global economic slowdown remains."
It appears they finally got the message. Earlier this year a new study from the Pew Research Center stated that 61 percent of experts believe that by 2025 a major cyber attack will cause widespread harm to a nation's security. This is rehashing what we already know and says nothing about addressing the threat.
"We are fortifying our critical infrastructure against all hazards, especially cyber espionage and attack. And we are working hard to safeguard our civil liberties while advancing our security."
This is the big challenge. There is a general distrust of the government when it comes to monitoring the Internet after the Snowden disclosures and other incidents. The delicate balance that must be struck here is one of the most complex and difficult issues for the government.
"It also creates shared vulnerabilities, as interconnected systems and sectors are susceptible to the threats of climate change, malicious cyber activity, pandemic diseases, and trans-national terrorism and crime."
A subtle but huge indication is embedded here. It clearly states that due to the interconnected nature of these systems, we (the U.S. & international partners) are in this together and need to work with each other to address cyber and the other vulnerabilities identified in the sentence.
"Collective action is needed to assure access to the shared spaces—cyber, space, air, and oceans—where the dangerous behaviors of some threaten us all."
Once again this reinforces the idea that we (international partners) all share in this responsibility of cyber security and must work much closer together than we are now.
"Our military will remain ready to deter and defeat threats to the homeland, including against missile, cyber, and terrorist attacks, while mitigating the effects of potential attacks and natural disasters."
This is a significant commitment to the American people and our allies. Are we really up for this challenge? Technology challenges, human resources (skilled practitioners), budget, politics: the list of issues goes on and on.
"We will protect our investment in foundational capabilities like the nuclear deterrent, and we will grow our investment in crucial capabilities like cyber; space; and intelligence, surveillance, and reconnaissance."
If the proposed budget is an indication of the support implied in the above statement, the growth rate of the just-proposed cyber portion of the national budget (increased $1 billion to $14 billion) does not seem to come close to the growth rate of this massive and rapidly expanding threat.
"We are working with the owners and operators of our Nation's critical cyber and physical infrastructure across every sector—financial, energy, transportation, health, information technology, and more—to decrease vulnerabilities and increase resilience."
While this is what is needed (joint initiatives and efforts), many if not most in the private sector want the government to fund enhanced defenses for our nation's critical infrastructure. Large organizations do not want this to impact their balance sheet, and small operators do not have the expertise or money to spend on this. So where will the money come from?
"The world is connected by shared spaces—cyber, space, air, and oceans—that enable the free flow of people, goods, services, and ideas."
This one goes on to talk about promoting rules for "responsible behavior." While it is reassuring that the importance of the shared commons of cyber and other areas was recognized, one has to wonder what is meant by "responsible behaviors" and the promotion of rules to promote responsible behaviors. Who will set these rules and how will they be maintained given the pace of change in the cyber environment?
"Congress to pursue a legislative framework that ensures high standards [for cybersecurity]."
Again, this is very general and once again raises concerns about how these "high standards" will be set and maintained, and who will set them. Vagueness is a recurring theme here.
"On cybersecurity, we will take necessary actions to protect our businesses and defend our networks against cyber-theft of trade secrets for commercial gain whether by private actors or the Chinese government."
This has implications here and now. The proof is in the pudding that is right in front of us. What will happen to North Korea as a result of the devastating cyber attack that struck Sony? What about the recent attacks attributed to entities in China? Those are the tests that are right in front of all of us NOW.
As with most government (public) documents related to national security, it touched upon most of the hot buttons but was light on details. Each year the threat increases and more and more systems, computers and devices become infected or compromised. The time has come for action that is so big the result/impact will be unprecedented. Twice a year, each and every cyber security professional should commit to taking a specific action to improve the overall cyber security of our country. Each individual should write an article that improves the general population's knowledge and security posture. If they are not writers, they should make a public speech before a local group (school, social group, elderly community, etc.) that adds to the audience's knowledge and security posture. If you aren't into public speaking, you can help your neighbors with their cyber security. If every professional would contribute, can you imagine the impact?








