“These cyber incidents transcend borders, nations and this is an issue U.S. policy has recognized for years, where we do need to shore up our global cybersecurity,” David Powner, director of Information Technology Management Issues for GAO, who wrote the report, said. “I think both administrations have put more of an emphasis on as cybersecurity in the global aspect as clearly a front-running area we need to focus on.”
Powner’s first recommendation? To construct a “tangible policy, which helps to secure our government and private sector systems. Interestingly if we have an incident today, there are 27 countries that have 54 computer emergency response teams similar to what you see at the Dept of Homeland Security,” Powner said. But they all operate different sets of procedures, and without an understanding of what the other office has done and how they are working to solve the problem, there’s limited scope to work together or trust what the other is doing.
An issue that is further complicated by terrorism. For an example, US companies had been working on the 2009 Conficker worm problem and then found themselves working with countries with terrorist presence. The companies were unsure of whether or not to cooperate with those nations.
“That kind of highlights the reason why we have to have these policies in place of how we sift through that.” Powner said. “So in terms of dealing with the incidences when they occur, that’s one issue when you look at the global aspect.
Standardization extends beyond the immediate response. When one nation is able to ascertain that something criminal has occured, how can they investigate and prosecute? The issue of setting standards also must ensure that varying standards don’t infringe on trade and commerce.
Powner used an standards incident in South Korea in 2009 as an example of how the elevating of the standard for encryption prevented many private businesses from contributing products.
“Those are the types of things that highlight, not only from a national security perspective but also from a United States economic perspective that we need to be on top of these issues and active players in these many organizations that either work through the standard setting process, or incident response, or some of the law enforcement organizations that exist,” Powner said.
The report also recommended that the government develop a inter-agency coordinating committee
“It’s not just a one-stop shop, many departments and agencies play a role in addressing global cybersecurity on a comprehensive basis,” Powner said. “There’s some movement in the right direction with the inter-agency mechanism that currently exists under the National Security Council.”
The report lists 10 next steps, but Powner identified one as key.
“If you can find a way to coordinate that incident response in a more formalized manner going forward, that would really move the ball forward, it’d go a long way,” Powner said. “Appropriate protocols for how you interact with folks, and if there was some gray areas, you’d know who to call and where to go.”