One lawmaker thinks it's time for a dedicated inspector general with the authority to do penetration testing of federal agency networks and systems.
Sen. Sheldon Whitehouse (D-R.I.) is looking to establish a cybersecurity inspector general with the authority to probe federal networks for weaknesses. A cyber IG, Whitehouse argues, would be a way to recruit cybersecurity experts who would prefer to focus on penetration testing and other white hat activities, rather than toil in one of the more than 70 IG offices around government.
"This could be the sexy place to work for cyber experts," Whitehouse told FCW in an interview before a keynote at a Nov. 1 conference.
Whitehouse also noted that among the 72 inspectors general, none has "clear white hat penetration authority."
"It would have been nice to have known that [the Office of Personnel Management] was totally open to the Chinese by having somebody go and have a hack at them," Whitehouse said.
The senator's suggestion comes as others on Capitol Hill are looking for ways to test and evaluate cybersecurity risks across the federal enterprise. One House bill, which would have given cybersecurity audit powers to the National Institute of Standards and Technology has been revised to allow for NIST experts to work with IGs but not be responsible for audits.
While Commerce Secretary Wilbur Ross hadn't staked out a public position on the bill in the House Science Committee, many NIST insiders had problems with the bill.
"We already have enough that we're not doing that we have to do," Matthew Scholl, chief of NIST's Computer Security Division said at an Oct. 25 meeting of NIST's Information Security and Privacy Advisory Board.
In a July 20 letter to the NIST director and the director of the Office of Management and Budget, ISPAB chairman Chris Boyer, a vice president for public policy at AT&T Services, said the bill could have a negative impact on NIST.
"Recent proposals to expand NIST's purview with audit authority over federal agencies could compromise NIST's hard earned reputation as a trusted and effective honest-broker in the cybersecurity community. Even if this authority were restricted to federal agencies, private sector stakeholders might be less inclined to collaborate with NIST if they suspect its guidance could later become a regulatory standard with compliance requirements," Boyer wrote.
Whitehouse has his own concerns about the NIST Cybersecurity Framework forming the template for cybersecurity compliance across the federal enterprise and among critical infrastructure providers. He noted a recent Senate event where an electrical company executive said the NIST framework was not sufficient as a base to secure the grid. Whitehouse's concern is that the framework has not been stress tested, and he sees the cyber IG role as a way to accomplish this.
"It is possible in this world for participant in a process to be happy with the process because they are being asked so little. And it is possible for participants in a process to be happy with the process because it is so robust and meaningful and effective," Whitehouse said. "We need to sort out which is which."
Whitehouse wants lawmakers to look back to a bipartisan report he led along with Rep. Michael McCaul (R-Texas), the chairman of the House Homeland Security Committee. At the same time, Whitehouse is not optimistic about the current state of the administration when it comes to providing support to legislative efforts. He complained at an Oct. 19 hearing of the Senate Judiciary Committee that Attorney General Jeff Sessions couldn't name a contact at the Department of Justice who is working on cybersecurity legislation.
While Whitehouse appreciates the commitment and expertise of White House advisors Tom Bossert and Rob Joyce, he said he sees bigger problems when it comes to policymaking.
"At this point, I think it's very hard for the agencies to get meaningful direction from the White House when it's so dysfunctional and when it's so wrapped up in tweets and investigations," Whitehouse said.