In his keynote speech at Black Hat DC 2009, Paul Kurtz outlines what the administrations needs to do to strengthen our nation’s cyber position. He compares our current situation to that of domestic intelligence pre-9/11. Law Enforcement can’t talk to Intelligence, who doesn’t talk to the Military, all of whom are at arms-distance from private companies. He identified NSA as the logical agency to handle this coordination. It seems to me that CERT would be a better choice as they seem to have experience coordinating public/private/government cyber issues.
On the offensive side, Mr. Kurtz talks about the need to formalize and publicize offensive cyber strategies. Our nation went through this once before with nuclear weapons strategy. I think that a transparent process that outlines our capabilities and intentions would do a lot to deter aggressive actions in the future. This of course assumes that we can identify the real source of cyber attacks. This seems to be where US intelligence agencies have the most to offer. He offers the example of recent presidential candidates. They were advised that they had been compromised, but not much more information had been provided. If we expect to defend against dedicated cyber attacks from foreign governments and sophisticated crime rings, more data sharing will be required.
On the defensive side, he identified the need for an agency to handle a cyber-Katrina. He lists possible agencies including NSA, DOD, Dept of Commerce, FCC, but not FEMA. FEMA has the requisite Emergency Management skills if not the cyber skills. Perhaps the coordinating party could work with FEMA in the event of a digital Pearl Harbor. FEMA is rapidly developing assets in social networking that could prove valuable if traditional communications networks are impacted. In addition, they have experience coordinating multiple actors outside the agency.