US government needs cybersecurity doctrine, experts say

A comprehensive doctrine could define how the U.S. government will respond to cyberattacks, book authors say

The U.S. government needs a comprehensive doctrine addressing cybersecurity instead of the current patchwork of policies and agencies dealing with cyberthreats, according to a group of experts.

The lack of an overarching cybersecurity doctrine inhibits the ability of the U.S. and its allies to work together and provides little deterrence for groups that attack the U.S., the experts said during an event to unveil a new book, "#Cyberdoc No Borders -- No Boundaries" at the Potomac Institute for Policy Studies, a technology and science think tank.

Without a doctrine defining the U.S government's response to cyberthreats, the U.S. will "lurch from crisis to crisis," said Timothy Sample, co-author of the book, and vice president at the Battelle Memorial Institute Special Programs Organization, another tech and science think tank.

A doctrine could define several aspects of cybersecurity, including defense against attacks, steps the U.S. will take to deter attacks and ways to safely use the Internet, said Michael Swetnam, co-author and CEO and chairman of the Potomac Institute. The authors wrote the book with the hope of opening a dialog on U.S. cybersecurity doctrine, he said.

The U.S. government needs to define what kinds of attacks it will respond to, added David Smith, director of the Potomac Institute Cyber Center. While U.S. officials say their networks are attacked thousands of times a day, phishing emails promising to share millions of dollars from a Nigerian bank may not qualify as national security threats worth responding to, he said.

But attacks leading to physical damage, or espionage that leads to large intellectual property losses, may require responses, Smith said. The U.S. government should be concerned with the sheer volume of economic espionage that happens during cyberattacks, he said.

"We're talking about a massive robbery of American intellectual property," he said. "We're basically funding the research and development for the People's Liberation Army and the armies of the Russian Federation and a few others. That's serious if that's what's really going on."

The U.S. needs to start thinking about measures to deter those kind of attacks, Smith added. "Deterrence works on a declaratory policy: 'If you do these things, we will do bad things to you,'" he said. "You don't have to be explicit: 'If you do this, we will do exactly that,' but you need to be pretty firm."

A U.S. doctrine should include the development of capabilities for a "full range" of deterrence, ranging from diplomacy to military options, Smith said.

Smith discounted concerns that it's hard to identify the attackers in many cases. Computer forensic methods work better than many people seem to think, he said, and investigators can also look for actions by a country or group outside of cyberspace to find clues.

Other governments should have responsibility for hacking done inside their borders, he added. "At some point, you have to say: 'I'm not going to worry about attribution. I'll do the best I can, but I'm going to hold countries responsible for what's going on inside their borders,'" he said.

While a doctrine is needed, it needs to balance security with the economic benefits of the Internet, said Ronald Marks, president of Intelligence Enterprises, a security consultancy, and a former CIA officer. "If we try to do anything heavy-handed at this point, we're going to basically step on a market that has developed quite well over the years," he said.

But the U.S. continues to have major security vulnerabilities, he added. "We've had now a market that is really not interested in dealing with security," he said. "It's a cost center in any organization."

It will be difficult for the government to get people to change their cybersecurity behaviors, he added. "How do you, as a government make people behave?" he said. "Do you want to make a law? Do you want to tell people what to do? You know how successful that's been over time."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.

Join the PC World newsletter!

Error: Please check your email address.

Tags securityregulationIntelligence EnterprisesBattelle Memorial Institute Special Programs OrganizationRonald MarksDavid SmithgovernmentPotomac Institute for Policy StudiesTimothy SampleMichael Swetnam

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Grant Gross

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?