U.S. Global Cybersecurity Plan Falls Short, Experts Warn

The Obama Administration unveiled a new plan for global cybersecurity that experts say calls attention to key issues but ultimately serves as little more than rhetoric.

Analysts argue the proposal, while admirable in its intentions, is hampered by a lack of specificity regarding actual implementation, making the White House document seem more like a statement of intention than an actual call to action.

The plan emphasizes the need for global cooperation regarding matters of cybersecurity, as well as the importance of protecting freedom, intellectual property and privacy online. According to experts, it reads like a guideline for international strategy, not an outline for legislation or an international agreement.

“It’s a positive first step, but it’s a limited first step,” said Derek Manky, senior security strategist at Fortinet, an Internet security firm. “I would characterize it as having rhetorical value but very little practical value.”

Experts laud the proposal's call for increased communication and collaborative action regarding the pursuit and punishment of cybercriminals, but say it doesn't go far enough to lay out a real strategy for what countries can do when cyberattacks hit.

“This is just a vision,” said Manky. “For this to actually work, everyone’s got to be on board. Whoever’s not on board is going to be a safe haven, and we’ve seen it happen time and time again when it comes to setting up these underground operations.”

Because cyberspace has no national boundaries, the actions of any one criminal can reverberate across the world regardless of where the attack originates. Shoring up the U.S.'s online defenses is directly related to the security of the Internet as a whole, but many doubt it is possible to effectively enforce any kind of universal standard.

“We need stronger legal incentives for good cybersecurity,” said Fred Cate, director of the Center for Applied Security Research at the University of Indiana. “The plan really doesn’t go in any direction towards doing that.”

Experts are most concerned by what they see as a lack of details regarding protocol after sustained attacks. Though the plan references an intention to keep dialogue open between countries regarding procedure, no actual procedures for such actions are given.

“We’d like rapid, ideally real-time information sharing we should be able to contact another country the instant we see an attack coming in,” said Cate. “We dont have a system or a proposal for putting it into place.”

Experts also note that while the nature of cybercrime implies that global agreement is necessary to prosecute such crimes, countries most likely to harbor hostile attackers are also the least likely to agree to the standards outlined in the plan. Most of the observed attacks come from Eastern Europe and China, where governments can be complicit, according to David Koretz, CEO of cybersecurity vendor Mykonos Software.

“There’s an enormous profit incentive. The average monthly income is 600 or 700 dollars a month in these countries and millions can be made through hacking,” said Koretz. “The problem is the government doesn’t have a huge interest in stopping it. Hacking is an industry in a lot of countries.”

Though the proposal states that “when warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country,” security experts point out that despite the vigor of the rhetoric, such a seemingly fierce statement leaves much in the air. Eighty-five percent of the U.S.’s critical infrastructure is privately owned, with over 90 percent of hostile attacks coming against private companies, according to Koretz.

“They’re talking about it like they’re attacking our borders, talking about it the way you’d talk about someone bombing your country, and that’s not the way cyberterrorism works,” said Koretz. “How are private corporations going to deal with it?”

Great uncertainty exists over what would distinguish an attack against a privately owned company from an attack against the country itself. If, for example, the U.S. sector of the multinational firm Intel were breached, and secret information about an intellectual property like chip design were stolen, the consequences might be just as harmful on a national level as on a private level.

It's unclear whether such an attack would be considered an attack against the nation or against a private company, Koretz noted, and what the procedure would be following the attack.

Experts agree that without more definite guidelines as to how countries should proceed when confronted with cybercrime, the plan will remain no more than a statement of good intentions.

“It's a very big idea but sorely lacking on details and implementation,” said Koretz. "The challenge that we see is, legislating security is like legislating happiness. It’s useless unless it’s specific about what people are supposed to do."

"It’s light on details," he added of the plan, "and has the same vagueness that comes with something that’s never going to happen in real life.”