Security experts debate federal approach to cybersecurity

Security experts agree that the nation’s cyber defenses are inadequate, but they disagree about who should have authority for overseeing the protection of the cyber infrastructure.

A panel of experts testifying before a Senate committee today agreed that the country’s cybersecurity is inadequate and needs to be fixed.

What they did not agree on — and subsequently left for the senators to resolve — is how to organize and oversee the protection of the country’s cyber infrastructure.

The question is whether primary responsibility for civilian cybersecurity should lie with the White House or the Homeland Security Department, where it has resided for the past five years under several laws and presidential directives.

The Commission on Cybersecurity for the 44th Presidency, organized by the Center for Strategic and International Studies, recommended last year that the responsibility be assigned to the Executive Office of the President.

“We need a comprehensive strategy with someone in charge of it” who can cut across agency boundaries, said James Lewis, director of the center’s Technology and Public Policy Program. “Policy must be led from the White House,” with agencies retaining responsibility for operational activities.

Alan Paller, director of research at the SANS Institute, agreed. DHS lacks the authority to pull the plug on insecure, noncompliant systems, and no amount of legislation would give it the clout it needs to set and enforce cybersecurity policy across government, he said.

But Stewart Baker, a former assistant secretary of homeland security who helped form the department, favors leaving the responsibility at DHS rather than creating a new office to handle it. Imagining that a new agency or office could do the job better is the problem, not the solution, he added.

“We would be much better off building DHS’ capabilities,” he said. “If they are given the opportunity to do it, they will succeed.” If the department is moved aside, the country will be setting itself up for another failure, he added.

“DHS has done a successful job,” said Tom Kellermann, vice president of security awareness at Core Security Technologies. But it has been hindered by a lack of continuity among politically appointed managers and a lack of resources, and it has ceded its leadership role to the Office of Management and Budget.

The experts shared their opinions during a hearing before the Senate Homeland Security and Governmental Affairs Committee. Chairman Sen. Joseph Lieberman (I-Conn.) called the hearing in anticipation of the release of results from the Obama administration’s cybersecurity review. He said he expects the committee to take an active role in responding to the report’s recommendations.

Lieberman opened the hearing by saying that U.S. cyber defenses are inadequate. “Our enemies in cyberspace seem too often to be one step ahead of our efforts to deter them,” he said. “That gap must be closed.”

Although the panelists disagreed about the roles of the White House and DHS, all of them said the president will play an important role in setting policy and DHS will have a role in overseeing cybersecurity. None of them expects DHS to do everything, especially because the department’s responsibility extends only to civilian agencies. Military, intelligence and other national security systems fall under the oversight of the Defense Department and the National Security Agency.

The experts also agreed that the Federal Information Security Management Act is inadequate and needs to be updated or radically changed. Paller had some of the harshest criticism.

“FISMA is not just not working for us, it is working against us,” he said. “It is antagonistic to security.”

Currently, agencies focus on paperwork compliance under FISMA and not on real IT security, he said. The government could solve the problem “by authorizing and empowering agencies to move to continuous monitoring of critical controls,” he added.

Several panelists said one of the problems with U.S. cybersecurity is that defensive and offensive activities have been separated. The people in charge of defense do not fully understand attacks, and the people who understand offense should be involved with designing defensive requirements.

Paller and Kellermann advocated capitalizing on the government’s $70 billion IT budget by requiring industry to provide more secure technology for federal acquisitions. Agencies should require auditable service-level agreements for information security that assign liability and provide for legal recourse, Kellermann said.

“If you want to change things, use the laws of procurement,” Paller said. He cited Air Force contract requirements for Microsoft to provide securely configured software, which has improved security and reduced costs.

For a major customer like the federal government, “companies will be glad to build secure technology, if you tell them what secure is,” Paller said. “That’s where the NSA comes in. You can’t leave it to” the National Institute of Standards and Technology because it does not understand offensive capabilities the way NSA does.