A mixture of private sector and congressional witnesses slammed the US for a lack of cohesion in its cyber security stance this week, calling for better leadership in the defense of the country's "cyber turf".
A hearing held by the Subcommittee on Emerging Threats, Cyber Security, and Science and Technology took testimony from senior executives at Microsoft, Oracle, and NetWitness Corporation. Mary Ann Davidson, chief security officer at Oracle, called for a cyber security version of the Monroe Doctrine - the US doctrine introduced in 1823, which viewed interference with its territories as acts of aggression and promised retaliation.
"The advantages of invoking a Monroe-like doctrine in cyberspace would be to put the world on notice that the US has cyber 'turf,'" Davidson said. "We will defend our turf. We need to do both. Now."
Bennie G. Thompson, Chair of the Committee on Homeland Security, criticized the Federal Government for a lack of leadership in cyber security. He made particular reference to the recent resignation of Rod Beckstrom as the head of the National Cyber Security Centre. "Mr Beckstrom did not have experience working miracles. And that is the unfortunate position that the previous administration put him in," he said. "Without clear authority or budget, he was placed in a no-win situation. In his resignation letter, Mr Beckstrom candidly described the control that is wielded by NSA over the cyber security mission today."
The hearing - the first of three to take place this month - comes at a critical point in the US cyber security movement. The administration recently made an interim statement halfway through its review of cyber security in the federal Government, which is being overseen by Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils.
The hearing also coincides with the publication of a second document on cyber security by the Center for Strategic and International Studies. The document, which follows on from the original CSIS set of recommendations for the 44th president, published last October, focuses on the implementation of cyber security baseline controls to help enforce cyber security, as requested by the Federal Information Security Management Act 2008.
Jeffrey Carr, founder of cyber intelligence firm GreyLogic, praised the second CSIS document for what he said was a thorough job of creating the baseline for compliance testing, and a roadmap for enterprises to follow to enhance their network security. However, he worries that the recommendations don't go far enough.
"Its stated reliance on the 'offense must inform defense' strategy doesn't go far enough. It's the equivalent of only protecting ourselves from future airline attack vectors after 9/11," he said. He also warned that the recommendation to use 'red teams' - teams whose goal is to try to find holes in an organization's security - is too limited in the document. "It appears that their only purpose is to test compliance with the existing recommendations," he warned. "That type of limited effort wastes the best use of red teaming - to come up with unexpected threats so that defenses can be created for them."