The difficulties of coordinating U.S. cybersecurity efforts among multiple federal agencies could have grave consequences for national security, according to a panel of experts who testified at a Senate hearing today.
"The primary risk to national security now lies in the espionage losses that we're suffering," said James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS). "In the Cold War it was us versus them, now it's a multiplayer game."
The Department of Homeland Security is failing in its role to oversee cybersecurity, Lewis told lawmakers at a hearing held by the Senate Committee on Homeland Security and Governmental Affairs. The agency was given authority in 2003 from the White House, which then oversaw cybersecurity. But Lewis said DHS has had no authority over the U.S. military and doesn't have the ability to hold federal agencies accountable for poor security standards.
The question before lawmakers is whether to create a new office within the White House to oversee cybersecurity matters or give more authority to DHS. Whatever agency is put in charge would need to coordinate cybersecurity on a massive scale, from ensuring that all federal agencies are meeting security standards to defending against and even conducting counterattacks in the event of a massive cyberattack. Those at the hearing agreed that something has to be done, but the issue of how to proceed could be hotly debated, said Sen. Susan Collins (R-Maine).
"The issue of reorganization of cybersecurity efforts involves a discussion of oversight and accountability by Congress as well," Collins said. "Congress' ability to effectively oversee activities directed to the office of the President is severely limited."
A bill introduced today by Sen. Thomas Carper (D-Del.) addresses the issue by introducing a federal "cyber office" reporting directly to the president. The Information and Communications Enhancement (ICE) Act would coordinate cybersecurity response between the Department of Homeland Security, the Department of Defense (DoD), the National Security Agency and the private sector. Similar legislation, called the kill-switch bill, also shifts authority back to the White House, giving the president the authority to shut down the Internet in the event of a massive cyberattack.
Although few details have been released from a 60-day review of the country's cybersecurity policies and structures conducted by the Obama administration, it appears that the White House will play a greater role in organizing and leading cybersecurity policy, with greater attention to international engagement and relations with the private sector, Lewis said, calling for a strong White House advisor with clear authority to set policy and guide budgets.
"More fumbling among agencies will only lead to disaster," Lewis said. "Too much regulation will damage the economy; too little regulation will damage the economy and also our national security. We need to find a middle course that balances commercial and national security interests."
Speaking at the hearing, Stewart Baker, a former assistant secretary at DHS, called for improving existing processes within DHS rather than creating what he described as a new bureaucracy capable of creating a whole new set of problems. He called on legislators to avoid diminishing Congress' ability to conduct oversight.
"I think we have to proceed carefully to make sure that we don't create a whole new round of turf battles and inadequate congressional oversight and unclear lines of authority," Baker said. "I believe that DHS is the logical agency given how much of cybersecurity is in the private sector to coordinate that role."
Tom Kellermann, vice president of security awareness at Core Security Technologies, testified in front of the Senate committee, criticizing the inefficient structure within DHS for supporting the Electronic Crimes Task Force, the Secret Service, the US-CERT and the federal network security branch. Kellermann said the federal network security branch should have the ability to conduct red-teaming exercises or unannounced assessments of civilian agencies to identify vulnerabilities and better earmark IT spending to correct them.
"This is a common problem across the federal government where you have CIOs and CTOs leading the way on what should be spent on IT and IT security," Kellermann said. "CIOs' mindsets are much about productivity, efficiencies and access to services and culturally differ from the defensive perspective of the CISO community."
The review conducted by the Obama administration will also factor in a Bush administration cybersecurity plan called the Comprehensive National Cybersecurity Initiative (CNCI). The $40 billion classified plan trims the number of connections from federal computer systems to outside networks from more than 4,000 to fewer than 100. It also calls for improvements to the Einstein system, a network-monitoring tool used by DHS to monitor and analyze traffic moving through federal networks.
"We have to protect our systems from all those entities that are trying to get in because we're the biggest person on the block," said Sen. Roland Burris (D-Ill.). "It seems like we're on the defensive of all this. We're doing all we can to protect our systems from the would-be hackers or skilled intruders."