Keeping our nation's computer networks safe from attack, either from hackers or from actual terrorists, has become an even higher priority in recent months. More and more Congress is hearing from witnesses in various settings that we are too vulnerable to let things stay the way they are. This story is about the power struggle over who should be in charge of cybersecurity.
Who should run cybersecurity -- Last year the function was placed within the Department of Homeland Security where it still resides. The Bush administration cybersecurity initiative was started with a National Presidential Directive in January of 2008. A year later President Obama ordered a 60-day review of cybersecurity policy on February 9, 2009
Background -- Steven Aftergood, writing for Secrecy News (3/12/09) headlined: "CRS Views Cybersecurity Initiative." The story explained cybersecurity's background. In the end, the Congressional Research service concluded that the Bush Comprehensive National Cybersecurity Initiative (CNCI) is too opaque and too unknown to the general public. To quote:
. . . the CRS report summarizes what has been disclosed, and illuminates many of the ensuing questions raised by the Initiative. These include the extent of its underlying legal authority; the respective roles of the executive and legislative branches on cybersecurity; the involvement of the private sector; the impact of privacy considerations; and even the possibility that offensive or defensive cybersecurity activities would fall into the category of “covert action.”
The Secretary of the Department of Homeland Security, Janet Napolitano, is appointing Philip Reitinger to the position of deputy undersecretary of the department's National Protections Program Directorate. Critics worry that Reitinger's record for maintaining good security within Microsoft is not a good sign. The story, "DHS Appoints Microsoft Exec to Secure Government Computers," is from Wired-Threat Level (3/11/09). To quote further:
The job requires Reitinger to oversee the protection of the government's computer networks and work with the private sector to help secure critical infrastructures. Reitinger comes to DHS from his job as chief trustworthy infrastructure strategist for Microsoft, a job that required him in part to help develop and implement strategies for enhancing the security of critical infrastructures.
. . . Reitinger at least has a background and an understanding of computer security issues. . . Prior to joining Microsoft in 2003, he was executive director of the Department of Defense's Cyber Crime Center, which includes a computer forensic lab and computer investigations training program. . . for the Department of Justice where he served as deputy chief of its Computer Crime and Intellectual Property Section. One of Reitinger's first tasks in his new job will be deciding what to do with the job that Rod Beckstrom will vacate . . .
Beckstrom resigned . . . his position as director of DHS's National Cyber Security Center, where he was, essentially, the government's cybersecurity czar. Beckstrom expressed frustration in his resignation letter that DHS wasn't taking cybersecurity seriously, and he wasn't being given the resources to do his job. He also complained that the National Security Agency was moving to take over DHS's cybersecurity role.
There is a move underway to transfer the cybersecurity function from DHS to the NSA --In a story from Wired-Threat Level (3/10/09), the former head of the Department of Homeland Security's National Cybersecurity Division, Amit Yoran told a Congressional Committee that National Security Agency/"NSA dominance of Cybersecurity would lead to to 'grave peril.'" The problem, according to officials who worked in te DHS position, is that having an intelligence agency in charge would mean that classification of information and counterintelligence operations would lead to a lack of transparency in cybersecurity. Because so many of the organizations, that need to be protected against cyber attack are in the private sector, they would not have as much trust as needed to work well with the government against a common threat. To quote from the article:
Two weeks ago, Director of National Intelligence Admiral Dennis Blair told the House intelligence committee that the NSA should take over government cybersecurity duties, because the agency has the smarts and the skills for the job.
. . .Yoran, who currently is CEO of cybersecurity firm NetWitness, resigned from his DHS job after just a year in the position amid speculation that the DHS was not making cybersecurity a priority. Beckstrom expressed similar frustrations in a recent interview about the DHS's commitment to its cyber mission, following his resignation.
Yoran said DHS had demonstrated "inefficiency and leadership failure" in its cyber efforts and that "administrative incompetence and political infighting" had squandered its efforts to secure the nation's infrastructure for years.
Finally,proposed cybersecurity legislation in the Senate hopes to bring high-level government attention to the serious problem of cybersecurity. It would mean giving a single White House official, a national cybersecurity adviser, oversight of critical network infrastructure, with the ability to disconnect federal or "critical" networks under some sort of threat of cyberattack. The idea could create more uncertainties than solutions, at least initially, cybersecurity experts warn in this story. "White House cyber adviser--more questions than answers," from CNet News (3/26/09). To quote:
. . . "The irony is people keep on asking for somebody in charge who has this God's-eye view of what's going on in a purposefully decentralized system," said Bob Giesler, vice president for cyber programs at Science Applications International Corporation (SAIC). "This permeates the whole (cybersecurity) debate, which is what can the government do for us. I think you'll find at the end of Melissa Hathaway's 60-day (cybersecurity) review that industry will come back and say the best thing they can do is is share the data so we can be better risk managers," rather than manage risk themselves.
In conclusion -- A chorus of critics of the way the Cybersecurity Initiative has been handled at DHS is going to try to wrest control away from that agency. It looks as if the administration's intelligence apparatus wants to take over control of the initiative. But that possibility does not sit well with civil libertarians and worried IT specialists in the private sector. Those who see a philosophical difference between protecting computer network security in general and casting the vulnerability as coming mainly from terrorists are in a battle for the hearts and minds of Congress. Legislation is proposed to put the office in the White House reporting to the President. It must be a juicy prize to have so many fighting over it. And it is a vitally important issue to all of us sitting here in front of our keyboards. Who should be responsible? And why?
See also Behind the Links, for further info on this subject.
Carol Gee - Online Universe is the all-in-one home page for all my websites.