Trade Law Daily is a service of Warren Communications News.

White House Office Must Coordinate Cybersecurity, Private Commission Says

The federal government should apply the model of weapons nonproliferation to a new overarching cybersecurity effort, the Commission on Cybersecurity for the 44th Presidency said in its final report, released Monday. The group, formed by the Center for Strategic and International Studies and chaired by House Homeland Cybersecurity Subcommittee leaders, advocated the creation of a White House National Office for Cyberspace. The commission previewed the report, which criticizes the Department of Homeland Security’s organization of cybersecurity duties, for the subcommittee in September (WID Sept 17 p1). “Cybersecurity can no longer be relegated to information technology offices and chief information officers,” nor to homeland security and counterterrorism officials, the report said.


The report took pains to compliment President George Bush’s Comprehensive National Cybersecurity Initiative, announced in January but often criticized for its secrecy, and to warn President-elect Barack Obama not to “start over.” A DHS official made it clear in September that the effort, which the department leads, won’t go away under the next administration (WID Sept 16 p3). The commission said the Bush effort was “good but not sufficient,” because it stresses protecting the .gov domain, “an approach that skilled opponents will be able to outflank.” The country needs corresponding cybersecurity efforts for strategy, military doctrine, critical infrastructure, regulation and identity -- all covered in the commission report, it said.

Protecting cyberspace has been a federal goal for 20 years, but the U.S. has relied on “industrial-age government and an industrial-age defense” and “deferred to market forces” to protect networks, the report said. Several agencies and even the White House have suffered unidentified intrusions since 2007, and enemies could next tamper with the integrity of military or business data to wreak havoc, it said. Opponents’ challenge simply is deciding “which option to pursue among the wealth of attack opportunities we offer them.”

The nonproliferation push after the Cold War included the creation of new offices in several agencies and new or re-energized multilateral institutions to deal with the threat, becoming one of the most “critical elements” of U.S. national strategy, the report said. The U.S. should use the same approach to inject cybersecurity “into many kinds of bilateral and multilateral projects,” such as Treasury’s work on financial payment systems abroad or U.S. work with developing countries at the World Bank. The government would set norms for international behavior and enforce them with sanctions. The U.S. should work on creating a “cyber regime” similar to the G8’s Financial Action Task Force in which a handful of nations can start work on norms and policies for cybersecurity, the report said.

The new White House office would be brought together from the National Cyber Security Center at DHS and the Joint Inter-Agency Cyber Task Force created by the director of national intelligence. Obama should appoint an “assistant for cyberspace” to lead a new Cybersecurity Directorate in the National Security Council that works with the White House office, the report said. The organizations would have oversight of new authorities under the Federal Information Security Management Act and oversee the Trusted Internet Connections effort and Federal Desktop Core Configuration standards, perhaps setting them up for conflict with the Office of Management and Budget. Agencies also would have to get the organizations’ budget approval for cyberspace elements before proposals go to the OMB.

Current cybersecurity organizations would remain responsible for their activities but would report to the White House office, the report said. Organizations including the U.S. Computer Emergency Readiness Team would continue operating under DHS, but the White House office and National Security Council would directly oversee US-CERT’s Einstein network monitoring program. The president would create an advisory body with senior representatives from “key cyber infrastructures,” and it would incorporate the National Security and Telecom Advisory Committee and National Infrastructure Advisory Council.

Acquisitions policy would be limited to products and services that are already secure, using the federal power of the purse to nudge the industry toward product security, the report said. The White House office would work with the National Institute of Standards and Technology to set certification benchmarks and standards for industrial control systems under the proposal. And though the report advocates “strong authentication” as mandatory for critical infrastructure, it also calls for the FTC to require businesses to take a risk-based approach to deciding which kind of credentials they'll accept online.

Cybersecurity Subcommittee Chairman Jim Langevin, D-R.I., will push the report in the subcommittee and in the House Intelligence Committee, where he sits, he said at a press conference Monday. Subcommittee Ranking Member Michael McCaul, R-Texas, said leaders were swayed by the string of network intrusions into federal agencies. If a foreign agent were caught with physical files from the Pentagon, it would cause a public “outcry,” he said. Retired Lt. Gen. Harry Raduege, another commission chair, said the U.S. was in an “era of actualization” in finally carrying out long-sought cybersecurity recommendations through the Bush effort and others. “Cybersecurity is not a project -- it’s really a campaign.”

Commission leaders were reluctant to give specific examples of data lost or compromised at agencies and businesses. James Lewis, who led the commission effort at the center, said the intelligence community had found valuable corporate information, including from an aerospace company, on foreign computers, and that the financial industry took especially heavy losses. McCaul said there was a “high level of discussion with respect to Asia,” and specifically China, when asked which countries were the top worry for the commission. Scott Charney, another commission chair who leads trustworthy computing at Microsoft, said it was “nothing more than a wild guess” to gauge how much companies were spending to secure their networks and data -- activities that are largely part of regular business operations. Langevin said some of the recommendations involve more federal spending, but “in many ways it’s reorganization” that the report recommends.

Other agencies with cybersecurity duties aren’t being pushed aside under the recommendations, Charney said. “DHS has an important role to play.” Raduege said DoD, which first examined cybersecurity formally in 1998, sought help from other agencies early on after “trying to do a lot of that on their own.” Under the White House office and National Security Council, agencies will have “great synergy” on cybersecurity, he said. The one word the commission is emphasizing is “comprehensive,” Lewis said. “Just responding to it as ‘hacker versus hacker’… is not enough.”

Some members of the commission, which had several dozen participants, have joined the Obama administration’s transition team, so presumably the report will be welcomed there, Lewis said. There have been “strong expressions of interest” from the Obama advisers that the commission has briefed, he added. McCaul said its work shouldn’t be thought of as one private group making recommendations, because the commission’s “genesis” was in Congress. “I think a lot of membership will support this,” including the commission’s call for a joint cybersecurity committee similar to the Joint Economic Committee.

The commission’s promise not to recommend “prescriptive” regulations drew cheers from industry. The Business Software Alliance said it supports discussions with the government on setting standards for procuring secure products and services. Symantec said there are “some issues that require further deliberation” with industry, such as regulation and “the appropriate framework for collaboration” with the government.