Officials urge civilian cybersecurity role

The United States isn't prepared for a major cyber incident and the Obama administration must develop a new national strategy for securing cyber space, experts told a House panel March 10. An outgoing official later stressed that civilian agencies must play a significant role in those efforts.

The experts' statements differ little from recent assessments, but they come during the Obama administration’s ongoing cybersecurity review and a growing debate over the proper role for civilian and intelligence agencies in the government’s efforts.

That debate was recently underscored by Rod Beckström’s resignation as director of the Homeland Security Department’s National Cybersecurity Center (NCSC). In his resignation letter, Beckström said the National Security Agency effectively controls DHS' cyber initiatives and dominates most national efforts, which is not a sound approach.

It is “a bad strategy on multiple grounds,” Beckström wrote, because of differences between the intelligence culture and the network operations or security culture and because the "threats to our democratic processes are significant if all top-level government network security and monitoring are handled by any one organization (either directly or indirectly)."

The House Homeland Security Committee’s Emerging Threats, Cybersecurity, and Science and Technology Subcommittee called the recent hearing to seek guidance from experts as Obama’s top security advisers move into the second half of their 60-day review of the government's cybersecurity efforts. They are expected to scrutinize NCSC — which was launched last year to coordinate cybersecurity efforts conducted by the civilian, military and intelligence domains — and are sure to examine the role that DHS, NSA and other agencies should play in the efforts.

Beckström, who was in the audience for the hearing, said in an interview afterward that he believes the civilian government should have a “very significant and independent role in cybersecurity,” with NSA as a leader in securing classified networks.

“I just believe that there needs to be sort of a separation of church and state, and of course, then the church and state have to relate,” he said, adding that they do so electronically.

Beckström said he would like to see a bipolar structure with federated networks constructed around classified and unclassified centers. He also urged the inclusion of the private sector.

“There are some companies that are very comfortable, for example, working [in] the highly classified domain, but there are many that are not, and they’re just not equipped to because they would never get the clearances,” he added.

Beckström described NCSC as a strategic golden ring that is the connecting point for the government’s networks.

“There was a lot of competition, I would say, at the table for who might have wanted to coordinate and lead that golden ring, and I think that’s natural,” he said. “I think that obviously, for whatever reasons, we didn’t have enough of a forcing function, or it wasn’t present, to get us the funding and the resources that we needed to move out fully.”

Despite NCSC not being as far along as he would have liked and believing that the government missed an opportunity to recruit many talented people to work there, Beckström said he thought progress had been made and he was fortunate to have held the position, which he will officially resign March 13.

“I feel that we did make some progress in baby steps to get this important new organization going,” he said. “It exists now. It’s signed by the president, approved by the Cabinet. I think the new [DHS] secretary wants to have those authorities.”

Rep. Bennie Thompson (D-Miss.), chairman of the Homeland Security Committee, said he also saw a need for a civilian cybersecurity capability that is independent of NSA.

“I want to clearly state that this committee believes that there should be a credible civilian government cybersecurity capability that interfaces with, but is not controlled by, the NSA,” Thompson said in his prepared remarks. “I hope the administration can strike the balance between civilian and military cybersecurity capabilities.”

Several witnesses testified that they, too, saw a need for separate civilian capabilities. 

“Of course, our government should defend our cyber interests, but in the same way [that] we would abhor a military presence at every intersection [of our roads], we must also ensure civilian control over the normal operation of our digital highways,” said Mary Ann Davidson, chief security officer at Oracle, in prepared remarks.

Some witnesses also expressed their dissatisfaction with the progress that DHS, the lead civilian agency for cybersecurity, has made. David Powner, director of information technology management issues at the Government Accountability Office, said that although DHS had developed some capabilities to meet aspects of its cybersecurity responsibilities, it still has not made GAO’s recommended improvements.

Powner said that until GAO’s recommendations are fully addressed and considered, the “nation’s federal and private-sector infrastructure systems remain at risk of not being adequately protected.”

Powner’s testimony included 12 recommendations GAO had gathered from discussions with cybersecurity experts. They advocate the development of a national strategy that clearly articulates strategic objectives, goals and priorities and said DHS’ National Cybersecurity Division (NCSD) has not enabled the department to become the national focal point for the effort.

Amit Yoran, chief executive officer of the network security company NetWitness and former director of NCSD, said, “DHS has a consistent track record for tolerating political infighting, individual egos and shenanigans over prioritizing and executing its cyber responsibilities in a mature fashion.”

“While the tendency would be to migrate the cyber mission to the NSA, that would be ill advised,” he added. “We must enable civil government to succeed at this mission. There is a clear and distinct conflict of interest between intelligence objectives and those of system operators.”

In addition to Powner, all the witnesses have worked with the Center for Strategic and International Studies’ Commission on Cybersecurity for the 44th Presidency. In December 2008, the commission recommended that the White House take the lead role in coordinating cybersecurity efforts.

The Obama administration expects to conclude its cybersecurity review by the end of April and has promised an action plan for further cybersecurity efforts.