Sen. Whitehouse proposes cyber IG for civilian agencies

Sen. Sheldon Whitehouse (D-R.I.)

An overarching inspector general for cybersecurity would attract top-notch talent, according to Sen. Sheldon Whitehouse (D-R.I.).

There should be a single inspector general charged with auditing cybersecurity practices across federal civilian networks, according to Sen. Sheldon Whitehouse (D-R.I.). That approach would be a dramatic shift from the current practice of having each agency's IG office handle information security probes.

"A single, specialized office dedicated to federal cybersecurity, with authority to do white-hat tests of agency security, could attract world-class talent and would spur federal agencies to keep pace in the cyber arms race against hackers," Whitehouse said in a June 6 speech at the Center for Strategic and International Studies in Washington.

In an interview after his speech, Whitehouse said he wasn't concerned that appointing a "roving" IG for cybersecurity might lead other IGs to lose sight of cyber issues.

"They may pick up their game a little if they're worried that the roving inspector is going to come and pull their pants down in front of everybody," he told FCW.

Establishing a cybersecurity IG might be done through executive mandate rather than legislation, Whitehouse added.

Chris Cummiskey, former acting undersecretary for management at the Department of Homeland Security, welcomed the idea of a cybersecurity IG.

"Just as the federal civilian agencies are encouraged to view cyber from an enterprise perspective [that is] heavy on information sharing, so, too, should oversight be structured to look across agency boundaries," Cummiskey told FCW.

Ari Schwartz, a former cybersecurity adviser at the National Security Council, said there was some merit to Whitehouse's idea, but Schwartz was concerned that an overarching cybersecurity IG might lack the agency-specific knowledge of networks and IT spending needed to do his or her job properly.

"You're talking about a really specialized set of knowledge" that IGs develop from auditing their agencies, Schwartz said.

Whitehouse's speech outlined a host of policy ideas. He proposed setting up an executive-branch office to better educate the public on cyberthreats by declassifying more information related to hacks.

"We need a good storyteller for cyber if our democracy is to function with the right degree of attention to this problem," he said.

He also broached the controversial issue of whether companies should be allowed to "hack back" against adversaries, which is generally illegal and the sole purview of governments. Policymakers should consider allowing companies to engage in "active defense" of their networks, Whitehouse said.

Asked what that meant, an aide to Whitehouse told FCW that hacking back is just one element of a broader "active defense" that includes, for example, tracking the flow of a company's information across networks. Whitehouse told FCW he was not interested in making it legal for companies to hack back "unless it seemed to make sense in certain, very narrow circumstances."

He said he wanted to set up a dialogue between government and the private sector, likely led by the Justice Department, to explore the parameters of active defense.

Whitehouse also touted a bill he introduced last month that would create a new criminal offense for selling or providing access to botnets, the armies of computers that are hijacked to distribute spam or malware or carry out distributed denial-of-service attacks. He reworked an earlier iteration of the bill to accommodate criticism from cybersecurity professionals that the bill's language was overly broad to the point of potentially criminalizing research in the public good.

Last week, however, a coalition of privacy groups raised the same concerns in outlining their opposition to Whitehouse's Botnet Prevention Act.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.

Cyber. Covered.

Government Cyber Insider tracks the technologies, policies, threats and emerging solutions that shape the cybersecurity landscape.


Reader comments

Thu, Jul 7, 2016 Jack

More auditing? How about holding program managers accountable for their poor security.

Fri, Jun 10, 2016 Jabberwocki

Well intentioned but thoughtless. Last thing we need is yet another hub of cyber policy and program oversight. Already, organizationally, there is an overgrown patchwork of agencies, positions, and programs in this field. They do not need another chief to clean up this mess. They could use a thinning out and a reduction in the number of stakeholders. All of the orgs and positions just muddies the waters, clouding responsibility and accountability. Just look at the mess in the wake of the OPM debacle. Anyone minding the store? Anyone looking at after effects? Anyone looking at the performance of the contractors hired with low or no competition to soften the blow?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group