TASC, Inc., yesterday issued a report that identifies the 21 key cyber security challenges it believes the nation, including the Departments of Defense and Homeland Security, is facing, and provides general resource allocations and recommendations to address them.

The 21 challenges, which include things such as deterrence, the cyber skills shortage, situational awareness and intrusion detection, are “based on the major pain points we think our nation is facing,” says the report, Understanding Today’s Cyber Challenges. The report was authored by Steve Winterfeld, cyber technical lead at TASC, and was supported by the Univ. of Virginia.

“Before 9/11, no one imagined an attack of such magnitude could happen anywhere, especially on U.S. soil,” Winterfeld said in a statement. “The threat of a cyber calamity of similar proportions is real, and such an attack would have far-reaching impacts at every level of our society. We urgently need to reach a common understanding of what those threats are and do what we can to mitigate them.”

The report categorizes the challenges into three areas based on whether they are primarily driven by psychology (human nature), processes (organizational concerns), or technology (technical concerns).

For example, challenges associated with deterrence, policy and legal, and information sharing are psychologically driven, the report says. For deterrence, the report says today’s cost-benefit ratio has to change from “high benefits and low cost or risk in which the costs outweigh the benefits.” One way to do this is to charge spammers for each email they send, it says.

Key challenges driven by process issues include insider threat, situational awareness, skills shortage, a lack of exercises to test cyber mission awareness, and more, the report says.

Each challenge listed includes a general idea of the resources needed to address it. For example, deterrence and insider threat are seen as costing less than $1 billion to address, while cyber mission awareness exercises and cyber attack attribution are each seen as costing up to $9 billion to address.

The report’s recommendations include tackling, in the near term, challenges that don’t cost as much to address, such as insider threat and cyber rules of engagement. The report also calls for more education and training to address the cyber challenges, and identifies attribution and cyber supply chain challenges as areas requiring high-priority, long-term commitments.

Finally, the report recommends a central authority to collect all cyber attack incidents “to facilitate forensic analysis of attacks, identify best practices for handling and deterring them, and establish universally accepted cybersecurity standards.”