Cybersecurity Czar? Instead Place Chief in DHS, Not White House, Contends Sen. Susan Collins
Whether it’s a backlash over the number of so-called czars in the White House or an indication of the importance to homeland security when it comes to computer attacks, there is increased drum-beating to place the
Yesterday, for example, Senator Susan Collins, R-Me., ranking member of the Senate Homeland Security and Governmental Affairs Committee, in a major policy address, said that the
In her remarks, "Cybersecurity: How to Protect Our Digital Assets," she said, "It is fair to ask: What will it take for the federal government to finally get serious about protecting the vulnerable frontier that we call cyberspace? Will this nation have to endure a 'cyber 9/11' before our government finally realizes the importance of protecting our digital resources, limiting our vulnerabilities, and mitigating the consequences of exploitations?"
About the potential threats, the specter of a "digital 9/11" is also a focus of the former U.S. acting cybersecurity chief, Melissa Hathaway, who recently spoke at the Carnegie Mellon University's CyLab corporate partners meeting.
"It's not, can it happen? It's when," said Hathaway, the former senior director for cyberspace at the National Security Council. "The Internet's been around for 40 years now. And threats are outpacing defenses with a volume and velocity that we never imagined."
Added Collins, "We all hope and pray that such an ominous event never occurs. But we also cannot pretend that such a threat does not exist, particularly in an era of global terrorism with enemies sworn to our destruction. Indeed, to ignore the warning signs and to merely hope for the best would be irresponsible and negligent. We must practice vigilance at every turn and that extends to the Internet. Today, I will state what is no doubt obvious to you: It is time to take action. We must move past the planning stage and into the doing stage. A strong defense against a cyber attack is a key component of effective deterrence."
Warned Collins, "Clearly, the current state of affairs - this laissez-faire attitude toward protecting our nation's digital assets - cannot continue. The
"Some have suggested that such an effort can be led from the White House. But truly securing our information technology infrastructure will require more than just high-level strategy and coordination. There must be aggressive oversight, evaluation, and testing of systems. There must be constant, real-time monitoring of security and analysis of threats. In short, effectively managing government cybersecurity is going to require more than a few staff crammed into a cubicle in the depths of the White House.
"The National Security Agency and other intelligence agencies possess enormous skills and resources, but privacy and civil liberties demands preclude these agencies from shouldering a leadership role in the security of our civilian information technology systems. The Internet is a critical tool for open, free communication; security in civilian government systems must take that reality into account. The intelligence community must play a critical part in providing threat information, but it cannot lead the cybersecurity effort.
"Logically, any effort to secure our civilian government systems and our critical cyber infrastructure must leverage the mission and resources of the Department of Homeland Security. DHS was tapped for precisely this role in the National Security/Homeland Security Presidential Directive issued last year, and DHS is already the department within the federal government building partnerships with the private sector to secure our critical infrastructure and key resources.
"Some will argue that a single federal department or agency is not muscular enough to direct other federal departments and agencies to actively secure their IT infrastructure. But Congress has dealt with complex challenges involving the need for interagency coordination in the past. We have established strong leaders with supporting organizational structures to coordinate and implement action across agencies, while recognizing and respecting disparate agency missions.
"The establishment of the
Continued Collins, "I am convinced that a similar construct could improve the security of our civilian information systems and our critical cyber infrastructure.
"A cybersecurity 'Center,' anchored at DHS, with a strong and empowered leader will close the coordination gaps that currently exist in our disjointed federal efforts. The Director of the Center could help enforce compliance with cyber security standards promulgated by the Office of Management and Budget and the National Institute of Standards and Technology. For example, the Director would have the ability to 'Red Team' agency systems, recommend security measures to agencies, and insist that agencies explain the actions taken based on those security recommendations. The Director would also coordinate information sharing on threats and vulnerabilities to our cyber infrastructure from across the federal government.
"The Director of the federal cybersecurity effort at DHS should also serve as the Principal Advisor to the President on cybersecurity. For day-to-day operations, the Center would utilize the resources of DHS, and the Director would report directly to the Secretary of Homeland Security. These dual lines of responsibility would give the Director sufficient rank and stature to interact effectively and directly with the heads of other departments and agencies and with the private sector.
"That is not to say that the National Security Council will not have an important role to play. Indeed, the NSC - performing its traditional coordination role - will need to ensure that our military, intelligence, and law enforcement efforts complement and inform our efforts to protect our civilian networks. But that traditional role does not require a cyber czar. It requires a strong civilian counterpart to the Secretary of Defense, the Director of National Intelligence, and the Attorney General. The Director would serve as that counterpart.
"The Director would work with the National Institute of Standards and Technology to prioritize the development of standards and performance metrics, establishing a baseline for cybersecurity at the various civilian departments and agencies. Working with the intelligence community and infrastructure protection experts at DHS and across the government, the Director would be charged with identifying and warning about cyber vulnerabilities and threats to the federal and critical private sector networks.
"The Director would also work with civilian agencies to establish policies for personnel security assurance, including mechanisms to ensure the integrity of personnel and contractors and recognize changes in behavior patterns, to lessen the cybersecurity threat posed by insiders.
"Departments and agencies would be required to respond to these warnings - implementing security measures recommended by the Director or explaining alternative steps they have taken to secure their systems against identified threats. The Director would be charged with developing a supply chain risk management strategy - promoting a risk-based strategy to secure federal information systems from development to acquisition and through their operational life cycle.
"We should also consider giving the Director authority to review the IT security budgets and IT acquisition policies across the civilian agencies. The Director should not be responsible for micromanaging individual procurements or directing investments. But we have seen far too often that security is not a primary concern when agencies procure their IT systems. Recommending security investments to OMB and providing strategic guidance on security enhancements early in the development and acquisition process will help 'bake in' security. Cybersecurity can no longer be only an afterthought.
"These improvements in federal acquisition policy should have beneficial ripple effects in the larger commercial market. As a large customer, the federal government can contract with companies to innovate and improve the security of their IT services and products. With the government's vast purchasing power, these innovations can establish new security baselines for services and products offered to the general public. The rising security tide will lift all boats.
"The Center could serve as a single point of contact for the private sector, communicating and educating regarding cybersecurity best practices, ensuring the timely communication of threat and vulnerability determinations to critical cyber infrastructure, and promoting the two-way sharing of breach and vulnerability data.
"As the very visible lead for cybersecurity in the federal government, the Director would become the central point of access for small and mid-size businesses that are often at a loss when seeking appropriate guidance on employing industry best practices for cybersecurity. The Director would build on the existing public-private partnership at DHS and work with the relevant lead agency for each industry sector to disseminate best practices and to provide technical assistance to those who request it."