Higher Official Needed to Push Cybersecurity in DHS, Experts Tell Subcommittee

Cybersecurity has evolved independently of physical security and “has not received the attention it deserves,” Cybersecurity Subcommittee Chmn. Lungren (R-Cal.) said. An asst. secy. would have “greater clout” in alerting govt. agencies and the private sector, he added. “The current integration of cybersecurity and physical security is not working,” Information Technology Assn. of America Pres. Harris Miller said: President Bush’s cybersecurity strategy isn’t being implemented quickly enough because “the current organizational structure at DHS allows cybersecurity priorities to be marginalized against other physical security activities considered to have higher priority.” Integration of the 2 areas also has meant cybersecurity procurement practices “are not effective and are rarely enforced with consistency,” said Amit Yoran, the first NCSD dir.

Pre-9/11, cybersecurity responsibility was vested in a White House special asst.; once DHS emerged, the role went to a much lower level, making the job more difficult, panelists said. Miller, noting Yoran didn’t mention why he left the NCSD after a year, offered a reason: “A lot of the ideas and work… simply couldn’t be done” as the position was structured. “This is no slap” at former DHS Secy. Tom Ridge or Secy. Michael Chertoff, but the chief cybersecurity officer needs a “confirmable” position, Miller said. “Unless you're at a certain level, people don’t pay you attention,” Homeland Security Committee Ranking Member Thompson (Miss.) said. “Many of those other [industry] sectors hadn’t even thought about the [cybersecurity] issues” when ITAA raised them because the DHS cybersecurity position has so low a profile, Miller said.

Cybersecurity and physical security strategies have diverged too far to fit under a single office, panelists said. “At the end of the day, people are more afraid of bombs and anthrax than worms and viruses,” but the top cybersecurity official needs to have a “bully pulpit” to tell the public why it should take cybersecurity seriously, Miller said. “Cyberattacks won’t necessarily be abrupt” like physical attacks, and could easily fly under the public radar, Cyber Security Industry Alliance Exec. Dir. Paul Kurtz said. There’s “also a cultural issue,” Miller said: Experts on cybersecurity and infrastructure protection “simply live in different worlds” and won’t work as efficiently together as separately. Federal cybersecurity authority is at a “level far below where most financial institutions handle it today,” said Catherine Allen, CEO of financial consortium BITS.

Panelists cautiously endorsed close collaboration between cybersecurity and physical components as they urge separate assistant secretaries for them. “We have to understand the interdependency” between the 2 and “cascading effect” when one goes down, Allen said. Kurtz described the 2 as “overlapping circles.” At the NCSD’s creation, integrating physical and cybersecurity might have made more sense, but they have developed into “highly specialized” disciplines since, Yoran said.

When Lungren asked if panelists had a “sense of urgency” to pass the bill, all replied “yes.” “The sooner we start getting on the ball, the better,” Internet Security Alliance Chmn. Ken Silva said. Cyberattacks will only escalate, and the longer cybersecurity is vested in a low-level DHS official, the greater the potential for a “digital Pearl Harbor,” Allen said. Kurtz said 2 years had passed since the original cybersecurity strategy was developed, with events overtaking the strategy. On a sour note, Silva said the bill doesn’t address increased funding for research, which he said is desperately needed to update aging and unsecured Internet protocols. Yoran answered Lungren’s request for the top 3 priorities in cybersecurity with: (1) Refining the DHS mission statement on cybersecurity, enhancing specificity and naming “counterparts” at other agencies and private sector groups. (2) Integrating cybersecurity components into all DHS programs and other agencies. (3) Spending more on cybersecurity.

Rep. Pearce (R-N.M.) asked where America ranked internationally on cybersecurity. “The U.S. is light years ahead of regulators in other countries,” Allen said, despite problems with identity theft, viruses and spyware. Miller said though an international cybersecurity conference is occurring now in New Delhi, “this issue simply hasn’t raised itself in most countries.” An asst. secy. “would help elevate the issue” internationally, he said. “We had a big pedestal to stand on” with other countries with the White House special assistant position, Kurtz said, but other countries don’t take U.S. efforts seriously given the job’s existing status. Insurers are spurring security via efforts such as AIG discounts for firms incorporating their best practices, Silva said: “It’s just starting” and will grow more common.

An asst. secy. would coordinate private and interagency efforts more than hand down rules, agreed witnesses and committee members. Lofgren said: “We don’t want a heavy regulatory approach,” lest the govt. retard innovation by the “code writers.” Incentives for market adoption of cybersecurity measures are more fruitful, she said. R&D funding and tax incentives are most urgent, Allen said: The industry “is in dire need of help.”

Though the hearing was largely bipartisan, focusing on conditions years in the making, some specifically criticized the Bush Administration afterward. “It is hard for me to understand how the Administration can be so reluctant on this issue, given the overwhelming support by the private sector, our colleagues across the aisle, and the Democrats” for an asst. secy. position, Thompson said in a statement.