The protection of cyberspace is essential to ensure that the critical infrastructures a nation relies on are not corrupted or disrupted. Government efforts generally focus on securing cyberspace at the national level. In the United States, states and communities have not seen the same concentrated effort and are now the weak link in the security chain. Until recently there has been no program for states and communities to follow in order to establish a viable security program. Now, however, the Community Cyber Security Maturity Model has been developed to provide a framework for states and communities to follow to prepare for, prevent, detect, respond to, and recover from potential cyber attacks. This model has a broad applicability and can be adapted to be used in other nations as well.
In the introductory letter contained in the National Strategy to Secure Cyberspace, the President of the United States made the following statement concerning the challenge the nation faces in securing cyberspace:
Securing cyberspace is an extraordinarily difficult strategic challenge that requires a coordinated and focused effort from our entire society—the federal government, state and local governments, the private sector, and the American people. (White House, 2003)
The vision embodied in this statement, that securing cyberspace is an effort that an entire society must be part of, is extraordinary. It also, however, is a vision that has often been overlooked by the various federal agencies involved in securing the nation’s cyberspace. Entities such as the US-Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security (DHS), have been formed to address significant attacks on the nation’s Internet infrastructure. The US-CERT and DHS have worked diligently to develop the channels necessary at the national level to address cyber attacks or significant cyber events that could impact the nation’s cyber infrastructure. The issues are formidable – what information should be shared between organizations and how? Who is responsible for responding to the various types of threats/attacks that could occur? When does an event change from a criminal activity to a national security event and who makes that decision? Developing a construct that addresses these issues at the national level is difficult but a framework capable of addressing the national-level concerns is slowly evolving.
What has been slower to evolve is the rest of the picture as described in the President’s statement. How state and local governments, the private sector (at and below the national level), and the American people participate in securing cyberspace has not been fully addressed (White House, 2003). Organizations, such as the Multi-State Information Sharing and Analysis Center (MS-ISAC), have been created to serve as focal points for the cyber security efforts at the state level but their complete roles in serving states and communities have not been defined. (MS-ISAC, 2008) Alternatively, some states have turned to their fusion centers to help organize their cyber information sharing and incident reporting functions. “A fusion center is an effective and efficient mechanism to exchange information and intelligence, maximize resources, streamline operations, and improve the ability to fight crime and terrorism by merging data from a variety of sources” (DHS, 2008). Fusion centers are generally staffed with individuals who have either a law enforcement or an intelligence background. Exercises have demonstrated that most states and communities have little to no experience in cyber security and the processes they are to use to fight cyber crime and cyber terrorism are not developed. Local organization to defend against cyber attacks is similarly non-existent in other countries as well. National-level entities exist for incident response (e.g. the AusCERT in Australia (AusCERT, 2008)) but community response capabilities are lacking.