Cybersecurity: Make it work this year - FederalTimes.com

Cybersecurity: Make it work this year

2009 had all the makings to be a banner year for cybersecurity: The need had been identified, guidance was promised, appointments were planned and mandates were discussed. Unfortunately, 2009 will be remembered as the year that wasn't, and the challenge facing us now is to make sure 2010 doesn't follow suit.

Many people mistakenly believe that cybersecurity protects only consumers and other civilian uses for the Internet, but today's military is more dependent than ever on the civilian-based infrastructure for connectivity and information. Cyberspace has become a new dimension of the battle space, so cybersecurity is much more than firewalls and anti-virus protection on home or business computers.

From a defense standpoint, ineffective cybersecurity can compromise missions and cost lives. Piecemeal protection measures leave vulnerabilities for our troops and national security and are inadequate in the face of new cyber threats.

Necessary advances in cybersecurity, even during a time when budgets are pressured, will be made only through cooperation and a common purpose among all stakeholders: civilian government, military and commercial industry.

The conditions during an economic downturn favor the attacker. Government agencies keep legacy systems longer and cut back on acquiring patches and other defenses, while attackers have the advantage of being able to work against familiar systems with familiar vulnerabilities. Successful cyber defense will depend on effective intelligence collection and analysis, mission assurance, and education on the evolving nature of the threat. Consider four ways in which cyber defense can move forward:

• Education. The first step to realizing comprehensive cybersecurity is understanding the true connectivity in our nation's data. The responsibility to protect data, whether personal consumer information or troop movements, cannot fall solely on the desks of information technology officers. All users must understand that if they have access to information, they may also inadvertently allow unauthorized access to that information.

Security problems are ultimately human problems, and there are no simple, bolt-on technological fixes. The military understands this for the rest of the battle space; its task is extending that understanding to cyberspace.

• Communication. Conversations must occur between government and industry that clearly communicate the cybersecurity requirements of civilian government and military missions. The Defense Department has done a good job in conducting risk analysis and focused protection, primarily because it understands its mission. But mission understanding cannot provide mission assurance until it is communicated to all stakeholders.

Cybersecurity is a continuous process of monitoring, testing and adapting — a process that hinges on communication. "Need to know" is quickly being replaced by "responsibility to share" because it is a paradigm that can keep up with the emerging cyber threats.

• Partnerships. Private industry owns most of the government's infrastructure, and it needs to be incentivized to protect data and operating environments. Likewise, there should be repercussions when the infrastructure fails. Without proper partnerships, data storage and transmission are only as safe as the weakest link among the instituted cybersecurity procedures.

Government aligns, harmonizes and synchronizes; it enables the establishment of standards within which people and organizations can operate. It can serve as a vital early adopter, or even as an angel investor. The other side of the coin is industry, which provides the rapid innovation needed in a dynamic, distributed marketplace. Without either side of the coin, cybersecurity is left inadequate.

• Mission understanding. This is the most important piece of the puzzle. Without knowing what needs to be done, we cannot know what needs to be protected. Information isn't protected just because it exists; it is protected because it is necessary to a mission.

With mission understanding, all the other pieces fall into place: Education helps illuminate the sphere of operation, and communication and partnerships can bring into place effective, comprehensive protection of information. Such protection is quickly becoming the most important asset in our defense missions.

———

Keith Rhodes is senior vice president and chief technology officer with QinetiQ North America's Mission Solutions Group and former first director for the Government Accountability Office's Center for Technology and Engineering.
