Ozment: Cybersecurity can't be centralized

There are few federal officials more central to cybersecurity than Andy Ozment, the Department of Homeland Security's assistant secretary for cybersecurity and communications. Yet Ozment is adamant that cybersecurity responsibilities cannot be consolidated at his agency or any other.

Greater centralization is certainly on the table. DHS is seeking to elevate its National Protection and Programs Directorate (which includes Ozment's office) into a full-blown Cybersecurity and Infrastructure Protection Agency. And Sen. Sheldon Whitehouse (D-R.I.) has called for a governmentwide inspector general for cyber issues.

A true one-stop shop for all things cyber -- something proposed by former GOP presidential hopeful Ben Carson -- is not being seriously considered, but at the Commission on Enhancing National Cybersecurity's final field meeting on Sept. 19, Commerce Secretary Penny Pritzker seemed to think the fundamental idea was serious enough to warrant an explicit pushback.

Ozment, who spoke Sept. 19 at the National Press Club, echoed Pritzker's concerns.

"A lot of people will say, 'Well, I want one cybersecurity agency,'" he said during a panel discussion hosted by the nonprofit organization Center Forward. "The truth is, cyberspace and thus cybersecurity are touching every aspect of American lives."

That means agencies ranging from the Transportation Department to the Food and Drug Administration must play a part, Ozment said -- not just DHS, the military and the intelligence community.

"Every aspect of government has to be dealing with cybersecurity," he said. "There's no way to say this one agency [is] in charge."

Ozment conceded that "there's been a lot of confusion within the government about who does what over the last decade," but he contended that real progress has been made.

"We've laid out the lanes in the road," he said. "I think we've reached a good point where we've laid out those goals and responsibilities, [and] I would urge the next administration not to re-litigate them because we'd waste enormous amounts of time trying to decide who does what."

Microsoft's Chris Krebs, who also participated in the panel discussion, agreed that the next president's staff will find "there's been a whole lot of work done in the last 18 months."

Krebs, a former DHS policy adviser who is now Microsoft's director of cybersecurity policy, said the challenge lies in helping the new policymakers digest and understand all those efforts. And there is an opportunity in fresh eyes and ideas, he said.

"What are we going to do with the federal [chief information security officer] position, for example?" Krebs asked. "We can keep it, we can elevate it, we can move it.... It's tactical questions like that they're going to deal with."

For those beginning to plan for the transition, he offered a reminder: "We all need to be cognizant of the fact that new administrations do what new administrations do. And they change stuff that the last administration did, regardless of the party."