As the US looks to build increased cybersecurity capabilities, the role the government should play is increasingly coming towards the center of the debate. James Lewis of the Center for Security and International Studies (CSIS) wants to see the government take a more central role in increasing cybersecurity on US networks.
At the 2010 Government Solutions Forum hosted by Cisco, Dr. Lewis said that the government needs to rethink its strategy for cyberspace and look towards regulation. He also sees the US as having a significant military capability that it is failing to leverage.
Dr. Lewis said that in discussions with foreign nations, he finds they are afraid of the US Cyber Command. However, the US is not currently leveraging that capability, and until the US figures out how to leverage DoD’s and NSA’s capabilities, we will continue to be at a disadvantage.
During his remarks, Dr. Lewis discussed the initial model of the Internet, namely that it was viewed as a global commons. However, “cyberspace is not a commons,” he said. “Cyberspace is more like a condominium. We have put the wrong theory in place.”
The principal shortcoming in viewing the Internet in this fashion is that security gets short shrift. “We’ve had market failure when it comes to cybersecurity,” said Dr. Lewis. “Security doesn’t come out of voluntary actions and market forces.”
Dr. Lewis also discussed the threat levels currently facing the US. “I don’t worry about cyber terror,” he said. “I don’t worry about cyberwar.”
He believes the US still has several years to figure out how to fix the problem before it will face a major cyber incident. The only terrorist group in his view with cyber capabilities is Hezbollah. The terrorist groups the US is most concerned about are Jihadis, who are also at odds with major cyber-capable powers like Russia, China, Israel and France.
Of greatest concern to Dr. Lewis is cyber crime and cyber espionage. The recent incident involving Google demonstrates this problem. The threat against US companies from advanced persistent threat (APT) states is remarkable. “The scope of this is astounding. We don’t realize it,” he said.
The lack of a government role in cyberspace means there are few consequences for misbehavior. “Private action cannot solve the cybersecurity problem by itself,” Dr. Lewis said.
In the same way that the US does not require airlines to defend US airspace, companies should also not be responsible for defending cyberspace. Nevertheless, Dr. Lewis recognizes there are significant challenges to furthering US government involvement in cybersecurity.
“We will have to tackle the issue of regulation. We will have to tackle the issue of international engagement,” he said. “What are the rules, what are the consequences?”