Securing the Internet

The Business Roundtable, an association of chief executives from160 of the largest U.S. companies, is clearly concerned with the strategic security of the Internet. The group’s Security Taskforce recently published a report entitled Essential Steps to Strengthen America’s Cyber Terrorism Preparedness, in which it is stated, “The Internet and its communications infrastructure serve as the critical backbone of information exchange that is vital to our nation’s security and our economy. Yet the United States is not sufficiently prepared for a major attack, software incident or natural disaster that would lead to disruption of large parts of the Internet.” Though members of the task force may disagree as to the likelihood of a wide-scale “cyber disaster” they do agree that, “risks and potential outcomes are serious enough to mandate careful preparation and planning.” The report’s purpose, according to its introduction, is not to propose a solution, but to, “identify gaps in our nation’s ability to effectively manage a reconstitution effort following a catastrophe and offer strategic recommendations for filling those gaps.” In an effort to achieve this goal the group highlights what it considers to be the three most serious gaps in the current strategy and points out the need for government and private sector cooperation, both within these groups and between them.

First among the gaps named is the lack of a formal “Trip Wires” system, or an advanced notification mechanism, to alert relevant agencies of a large-scale Internet issue. Some government agencies, such as the National Weather Service, which predicts and alerts necessary agencies to potentially hazardous weather conditions, have such a system in place. None is existent for the Internet. Such a mechanism is crucial, without it, “the government, businesses and citizens lack the ability to anticipate when coordinated mitigation strategies are needed or understand if or how government might intervene.” Implementing such a systems is by no means an easy task; given the “velocity of Internet attacks,” the system would need to respond almost instantaneously; it would not have the relative luxury of the 24-72 hours needed for weather issues.

The second gap is a lack of accountability and clarity in regards to which agencies provide support for Internet reconstruction. The report uses the Center for Disease Control (CDC) to illustrate a properly working model. In the instance of a pandemic, public and private entities in all 50 states know that the CDC is the agency in charge, that it will undertake full responsibility. However, this is not the case with the Internet. “The Roundtable’s analysis found that there are too many institutions, both public and private, with unclear or overlapping responsibilities chartered to manage aspects of Internet reconstitution. This proliferation of security institutions has, ironically, undermined our nation’s ability to restore Internet services.” Not only does lack of consolidation present substantial gray area, but these areas are further muddied by the fact that similar solutions are offered by both the government and private sector and that many of the organizations serving the critical infrastructure, “are steeped in voluntary activities, relying on ‘trust models’ . . . without clearly defined accountability.”

The final gap is simply lack of resources. The National Resource Plan identifies the U.S. Computer Emergency Readiness Team (US-CERT) as the key point of contact for cyber reconstruction, yet “Congress funds US-CERT at approximately $70 million annually, which is less than 0.2 percent of DHS funding.” Similar scenarios exist for private sector entities such as telecom carriers and Internet service providers which lack appropriate funding for handling large-scale Internet disruption.

The report does concede that in the past ten years much progress has been made. The introduction of the National Resource Plan (NRP) and creation of a new organization, the National Cyber Response Coordination Group (NCRCG), represent steps in the right direction taken by the federal government. However, “few outside a small group of government officials know much about NCRCG and its authority over coordinating efforts in government and across the business community.” As for the private sector, “individual companies may have adequate plans for their own business interests, but the private sector as a whole is unprepared to work together on a wide scale.” The idea of cooperation is paramount; not just within the government and the private sector, but between the two, and not just to avert or recover from disaster, but because, “A long-term Internet disruption would undermine the public’s trust and confidence in both the government and industry.”

Failure to respond properly to a large-scale Internet disruption will obviously have a detrimental effect on anything requiring the Internet to be up and running, and this list grows constantly. The Internet is a part of virtually every sector in the U.S.; citizens are increasingly relying on it for critical information, in the private sector institutions such as banks are becoming more dependent on it; and emergency workers, whose work could be of vital importance if an Internet disruption were the result of natural disaster, are increasingly dependent on the Internet for communication. The Business Roundtable’s Security Taskforce sees a need for serious change if the U.S. is to be prepared. “Without these changes, our nation will continue to use ad hoc and incomplete tools for managing a critical, national risk to the Internet.”