Sen. Whitehouse proposes cyber IG for civilian agencies

There should be a single inspector general charged with auditing cybersecurity practices across federal civilian networks, according to Sen. Sheldon Whitehouse (D-R.I.). That approach would be a dramatic shift from the current practice of having each agency's IG office handle information security probes.

"A single, specialized office dedicated to federal cybersecurity, with authority to do white-hat tests of agency security, could attract world-class talent and would spur federal agencies to keep pace in the cyber arms race against hackers," Whitehouse said in a June 6 speech at the Center for Strategic and International Studies in Washington.

In an interview after his speech, Whitehouse said he wasn't concerned that appointing a "roving" IG for cybersecurity might lead other IGs to lose sight of cyber issues.

"They may pick up their game a little if they're worried that the roving inspector is going to come and pull their pants down in front of everybody," he told FCW.

Establishing a cybersecurity IG might be done through executive mandate rather than legislation, Whitehouse added.

Chris Cummiskey, former acting undersecretary for management at the Department of Homeland Security, welcomed the idea of a cybersecurity IG.

"Just as the federal civilian agencies are encouraged to view cyber from an enterprise perspective [that is] heavy on information sharing, so, too, should oversight be structured to look across agency boundaries," Cummiskey told FCW.

Ari Schwartz, a former cybersecurity adviser at the National Security Council, said there was some merit to Whitehouse's idea, but Schwartz was concerned that an overarching cybersecurity IG might lack the agency-specific knowledge of networks and IT spending needed to do his or her job properly.

"You're talking about a really specialized set of knowledge" that IGs develop from auditing their agencies, Schwartz said.

Whitehouse's speech outlined a host of policy ideas. He proposed setting up an executive-branch office to better educate the public on cyberthreats by declassifying more information related to hacks.

"We need a good storyteller for cyber if our democracy is to function with the right degree of attention to this problem," he said.

He also broached the controversial issue of whether companies should be allowed to "hack back" against adversaries, which is generally illegal and the sole purview of governments. Policymakers should consider allowing companies to engage in "active defense" of their networks, Whitehouse said.

Asked what that meant, an aide to Whitehouse told FCW that hacking back is just one element of a broader "active defense" that includes, for example, tracking the flow of a company's information across networks. Whitehouse told FCW he was not interested in making it legal for companies to hack back "unless it seemed to make sense in certain, very narrow circumstances."

He said he wanted to set up a dialogue between government and the private sector, likely led by the Justice Department, to explore the parameters of active defense.

Whitehouse also touted a bill he introduced last month that would create a new criminal offense for selling or providing access to botnets, the armies of computers that are hijacked to distribute spam or malware or carry out distributed denial-of-service attacks. He reworked an earlier iteration of the bill to accommodate criticism from cybersecurity professionals that the bill's language was overly broad to the point of potentially criminalizing research in the public good.

Last week, however, a coalition of privacy groups raised the same concerns in outlining their opposition to Whitehouse's Botnet Prevention Act.