
Saturday, December 13, 2008

Should cybersecurity be managed from the White House?

In a report released Monday, the nonpartisan Center for Strategic & International Studies served up dozens of recommendations for improving American cybersecurity—but by far the most headline-friendly was the call for a new National Office for Cyberspace within the White House, headed by an "assistant to the president for cyberspace," or cybersecurity czar.

Of course, the U.S. arguably has a "cybersecurity czar" already: Rod Beckstrom, who heads the National Cyber Security Center within the Department of Homeland Security. But the experts on CSIS' Commission on Cyber Security for the 44th Presidency argue that DHS is the wrong agency to take the lead on cybersecurity, which should be coordinated by a White House office with a direct line to the president. "Securing cyberspace," they argue, "is no longer an issue defined by homeland security or critical infrastructure protection" but rather "an issue of international security in which the primary actors are the intelligence and military forces of other nations." Under their plan, the existing NCSC would be fused with the Joint Inter-Agency Cyber Task Force to form the NOC. Similarly, a new Cybersecurity Directorate within the National Security Council would absorb relevant functions of the Homeland Security Council.

The cybersecurity effort within DHS has, perhaps understandably, focused on hardening the .gov domain against attacks, an approach that the report worries "skilled opponents will be able to outflank." And indeed, on the day of the report's release, Estonian defense advisor Heli Tiirmaa-Klaar gave a talk at the conservative Heritage Foundation, in which she stressed that when her country became perhaps the first victim of large-scale cyberwarfare last year, only about 30 percent of the targets of attack were on official government networks. Rather, said Tiirmaa-Klaar, cyberwarriors target elements of the civilian-run critical infrastructure as part of broad-based "destabilization operations."

As everyone now seems to agree, that means effective cybersecurity requires bringing together a dizzying number of players, from the IT heads of government agencies and major private firms to software and hardware manufacturers to diplomats. Because large-scale attacks are often carried out by transnational botnets, Tiirmaa-Klaar argued, a coordinated international legal response will be necessary to prevent them. That might mean, inter alia, developing model legislation for developing nations where low-tech law enforcement allows cybercriminals to thrive.

As far as CSIS is concerned, that means cybersecurity efforts require the sort of bird's-eye view available only from a perch at the White House—and the kind of authority to yoke together disparate actors that only a presidential imprimatur will provide. Yet at the same Heritage event, Frank Garcia, a career staffer with the House Permanent Select Committee on Intelligence, voiced doubts about proposals to shift primary responsibility for cybersecurity away from DHS. "Any new organization or bureaucracy takes a while to get their culture established," said Garcia. "Fix the problems as they may exist at DHS. Don't try to create some supra-group somewhere else that rises above all the other organizations in the executive branch. Because you're still going to have the same problem. Nobody's going to want to give up budget authority to that group; it doesn't matter where you put it."

From Garcia's perspective, the important thing is "top cover"—the sense that whoever is taking the lead on cybersecurity has the backing of the president, and the power to move dollars.

In comments to reporters last week, DHS Secretary Michael Chertoff conceded the need for a "White House mechanism" to harmonize cybersecurity efforts across agencies, but also sounded a preemptive skeptical note. "We've heard you have to have a cyberczar," said Chertoff. "You have to have a czar for this and a czar for that. Just remember — all these things add extra layers."

Extra layers, and in the case of the incoming Obama administration, extra moving parts to track simultaneously. Obama, after all, has already pledged to appoint a cabinet-level Chief Technology Officer, whose admittedly vague job description clearly overlaps with that of the "assistant for cyberspace" envisioned by the CSIS report. In one sense, the proposed CTO's responsibilities are much broader: he or she would be tasked with ensuring that a hodgepodge of government agencies are following best practices for IT, and with promoting greater transparency in government by pushing ever more information online. In other ways, though, they're probably narrower: The NOC envisioned in the report spearheads an effort that involves not only internal standards-setting and procurement decisions, but the deployment of economic and diplomatic pressure on foreign countries, and coordination with the private sector via three new public-private advisory groups envisioned by CSIS.

All of which is to say, the White House post proposed by CSIS is clearly distinct from the CTO that Obama intends to appoint. Yet it is hard to imagine how both new offices could be introduced simultaneously without creating a too-many-cooks problem. At the same time, it may be too much to ask that a CTO take on the sort of big-picture, public-private, international cybersecurity effort CSIS advocates while also transforming government's use of IT.

While big-picture proposals for reorganizing US cybersecurity efforts tend to grab headlines, it's likely to be easier to establish consensus around some of the more specific proposals cooked up by the CSIS commission, such as merging "national security" and "homeland security" advisory functions that bear on network security. Especially while the scope of the new CTO's responsibilities is still being established, it may make sense to focus on these less sexy reforms first.
