Trade Law Daily is a service of Warren Communications News.

White House, DHS Should Handle Cybersecurity, Subcommittee Told

Days after National Cybersecurity Center Director Rod Beckstrom resigned citing frustration with the National Security Agency’s grip on cybersecurity policy (WID March 10 p7), the House Homeland Cybersecurity Subcommittee and witnesses at a hearing Tuesday largely echoed his criticisms. The Obama administration is halfway through a 60-day review of U.S. cybersecurity policy led by Melissa Hathaway, acting senior director for cyberspace in the National Security and Homeland Security Councils. The Department of Homeland Security got poor marks from witnesses for its handling of cybersecurity. But they said a revamped DHS is better than a more-powerful NSA.

The subcommittee will “continue to sound the alarm bells” about the danger to cybernetworks, said Chairman Yvette Clarke, D-N.Y., noting Beckstrom’s presence in the audience. Two more cybersecurity hearings are scheduled this month. The Bush administration’s cybersecurity strategy “stopped short of mandating security changes,” she said. “Without teeth the strategy was never implemented.” Clarke said she fully supports a White House-led cybersecurity effort as recommended by the Center for Strategic and International Studies’ cybersecurity report (WID Dec 9 p2). The government should set the standards and goals but “not the means to get there,” said Ranking Member Dan Lungren, R-Calif. “I don’t want anything to depress the creativity” of business in protecting its own infrastructure.

Beckstrom’s hiring nearly a year ago made Hill leaders “optimistic” about clarifying what had been a murky organizational structure with poorly defined roles, said Homeland Security Committee Chairman Bennie Thompson, D-Miss. But sadly, Beckstrom “did not have experience in working miracles.” There’s no doubt that the NSA has most of the “cyber talent” in the government, but it shouldn’t have control over the whole cybersecurity mission, Thompson said.

The government needs a specific organization to handle cybersecurity beyond simply the White House, said David Powner, GAO director of information technology management issues. “DHS-led hasn’t cut it.” The problem is that no one has agreed on where a “cyberdefense organization” should reside, he said. GAO made several recommendations in a new report, including the development of a national strategy that defines cybersecurity roles and holds organizations accountable for failure, and creation of a White House cybersecurity office. There should be a “board of directors,” made up of senior officials and executives from relevant agencies and from business, to evaluate the government’s performance, Powner said. The U.S. should acknowledge that it’s in a “cyberwar” with other countries and “raise awareness that we’re constantly under attack.” Making priorities must be stressed, he said. “We have created many plans that largely go unused.” The U.S. should use international agreements like the Council of Europe cybercrime convention and improve coordination on R&D between the government and private sector, he said.

Creation of an “identity metasystem” for the Internet that doesn’t harm privacy or free speech should be a government goal, said Scott Charney, the vice president of trustworthy computing for Microsoft and a participant in the CSIS review. Information-sharing between the government and business isn’t enough, and it should be expanded so infrastructure owners get “actionable” information that can be used to take “meaningful actions,” he said.

The U.S. spends billions of dollars on cybersecurity that don’t actually protect sensitive systems, said Amit Yoran, who was the first director of the National Cyber Security Division at DHS and also in the CSIS review. The Centers for Disease Control, for example, suffer “ongoing cyber incidents” and the agency’s cyberbudget has been slashed by more than one-third, he said. The intelligence community has “superior technical acumen” but presents “insurmountable hurdles” as a location of cybersecurity authority. Outside IT staff probably won’t have the clearances to work with the NSA, and after the warrantless wiretapping scandal, the NSA may provide “ineffective legal vetting” of programs, Yoran said. DHS shows “pockets of progress” despite its political infighting and should be wary of working with the NSA on any activities that aren’t “explicitly articulated.” Charney agreed that the public won’t trust the nation’s cybersecurity effort if NSA is in charge. The U.S. Computer Emergency Readiness Team should also report directly to the Homeland Security secretary, Yoran said.

The U.S. needs a “21st century application of the Monroe Doctrine,” said Mary Davidson, Oracle’s chief security officer. The doctrine was the U.S. stance of viewing European involvement in the Western Hemisphere as “acts of aggressions” that the U.S. reserved the right to fight. Even IP addresses map to physical devices, she said. The U.S. doesn’t have to militarize cyberspace but simply “put the world on notice that the U.S. has cyber turf,” Davidson said. Jim Lewis, who led the CSIS review, said Davidson’s new doctrine could be enforced only through the White House, by scaring agencies into complying at the risk of losing control of their budgets.

But the U.S. can’t be perceived as “militarizing the Internet,” Lewis said. It should instead work with foreign countries and use its regulatory powers to set goals and oversee compliance while leaving the door open for business input. The federal stimulus package foresees the building of new secure infrastructure, but historically that has been difficult to do quickly, he said. Smart-grid meters are vulnerable to hacking if they aren’t built with security in mind, Lewis said. Leaders in the CSIS review are trying to schedule a meeting with Hathaway’s review team, he told Clarke.

Lewis said he was wary of tasking a new organization to handle cybersecurity on the electric grid, the subject of the subcommittee’s March 24 hearing. He told Clarke that the Federal Energy Regulatory Commission, Nuclear Regulatory Commission or just Department of Energy should be in charge of defending against grid attacks. “The last thing you want is someone new charging in in a crisis,” Lewis said. Lungren said DHS was “starting to get its sea legs, and frankly doing a much better job today” than a few years ago, so it might be ready for such responsibility. Charney said DHS should serve in an “operational” capacity, simply carrying out White House policy.