[Infowarrior] - Cybersecurity at midpoint of federal review
Richard Forno
rforno at infowarrior.org
Tue Mar 17 14:42:31 UTC 2009
http://arstechnica.com/tech-policy/news/2009/03/all-eyes-on-cybersecurity-at-midpoint-of-federal-review.ars
All eyes on cybersecurity at midpoint of federal review
With a comprehensive 60-day review of the US cybersecurity situation
half completed, an array of public and private sector experts weigh in
with advice for the new administration.
By Julian Sanchez | Last updated March 16, 2009 9:20 PM CT
Last week was a busy one for cybersecurity mavens as the 60-day review
ordered by President Obama reached its halfway point. The House
Committee on Homeland Security held hearings on the state of efforts
to protect the nation's data infrastructure, even as the Congressional
Research Service released a report highlighting the shaky legal
foundations of the Comprehensive National Cybersecurity Initiative.
The Department of Homeland Security, which came in for criticism from
many House witnesses, appointed a former Microsoft executive to lead the charge
on cybersecurity. And at the annual FOSE conference, former FBI head
Louis Freeh weighed in with a contrarian warning that centralization
provided an "illusory" solution to the problem.
The trouble with DHS
The Department of Homeland Security, home to the National Cyber
Security Center, proved a popular punching bag at last Tuesday's
hearing before the House of Representatives. David Powner of the
Government Accountability Office was relatively restrained, noting
that the department "has not met expectations and has not provided the
high-level leadership needed to raise cybersecurity to a national
focus." Amit Yoran of security vendor NetWitness was more blunt,
blasting DHS' "inefficiency," and its "consistent track record for
tolerating political infighting, individual egos and shenanigans over
prioritizing and executing its cyber responsibilities in a mature
fashion."
Yet few faulted NCSC head Rod Beckstrom, who resigned last week,
complaining of inadequate support and funding within DHS, and meddling
from without by the National Security Agency. (On Wednesday, DHS
Secretary Janet Napolitano named former Microsoft executive Phil
Reitinger as the new head of the National Protection and Programs
Directorate, which houses the NCSC.) Rep. Bennie Thompson (D-MS)
argued that the previous administration had placed Beckstrom in a "no
win situation" without "clear authority or budget."
The neglected private sector
A report released last week by the Congressional Research Service,
however, suggests that the solution to those problems may lie with
Congress rather than the White House. Their review of the legal basis
for the (still largely secret) Comprehensive National Cybersecurity
Initiative found only patchy statutory authority for the CNCI—little
surprise, given that Congress itself had been largely left in the dark
about the initiative. CRS concluded that President Bush had relied
largely on his inherent Article II powers in launching the initiative,
but questioned whether these provided an adequate basis for an
ambitious project requiring intimate collaboration with the private
sector.
Several witnesses at Tuesday's hearing echoed James Lewis of the
Center for Strategic and International Studies, who argued that the
"greatest failing" of the CNCI was that the initiative "despite its
name, was not comprehensive." In part because it was launched under a
veil of secrecy and without statutory support, the CNCI focused
primarily on securing the dot-gov domain. But as a report sent to
Congress last month by the Institute for Information Infrastructure
Protection stressed, 85 percent of the nation's critical
infrastructure is privately owned and operated. That report also
highlighted the special security problems posed by the process control
systems that manage vital flows of oil, gas, and electricity—systems
often comprising a patchwork accretion of legacy components, which are
particularly difficult to secure because they must operate
continuously and respond extremely rapidly, with little leeway for the
processing overhead that add-on security measures would impose. Lewis
suggested that the recent stimulus package had actually compounded
this problem by providing billions for high-tech infrastructure
upgrades, such as "smart" power grids, without a clear security plan
in place.
Microsoft executive Scott Charney zeroed in on insular advisory
committees as another lost opportunity for greater interaction with
the private sector. He singled out the Joint Telecommunications
Resources Board and the National Cyber Response Coordination Group,
which are charged with coordinating responses to "cyber-based" crises,
but which serve as forums for government agencies to talk to each
other, rather than to the operators of the networks that would
actually be targeted in any such crisis.
Charney and Lewis also made the case that regulation, as well as
collaboration, was needed to fill "market gaps" in cybersecurity—among
these the need for stronger authentication systems and "harmonized"
security requirements across sectors. Charney stressed, however, that
regulation should also be narrowly tailored and technology-neutral to
the extent possible. Among the concerns about cybersecurity regulation
advanced in last month's I3P report was that rules focused on process
rather than outcome tended to cultivate "checkbox mentality" rather
than encouraging innovation. The model for security regulation, that
report suggested, should be the clean-air rules that place limits on
emissions without specifying the technological means by which industry
should meet those limits.
Learning to share
The secrecy surrounding the CNCI, most agreed, has seriously hampered
cooperation with private network owners—who are themselves loath to
reveal security breaches. Even within the federal government itself,
the refrain of many witnesses at the House hearing—seconded by former
FBI Director Louis Freeh in his remarks at the annual FOSE conference
Friday—was that cybersecurity strategy had become "stovepiped" or
"siloed," with coordination across agencies haphazard at best. One
consequence of this, emphasized by Charney and Yoran, has been a
disconnect between the approach of system designers, who tend to see
cybersecurity through the lens of defense and prevention, and that of
intelligence and law enforcement, which place a high premium on
attribution of attacks.
The Markle Foundation's Task Force on National Security in the
Information Age provided one model for improved information sharing in
a report released last week. At the core of the proposal is an
"authorized use" standard, implementable using commercial off-the-
shelf technology, designed to "break down agency stovepipes" by
enabling "discovery without disclosure." On this model, data would be
relatively easy to locate across agencies in anonymized indices, but
access would be strictly limited and monitored based on each
individual's specific purpose and clearance level—ideally encouraging
agencies to loosen their piranha-grip on information somewhat.
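The Markle proposal above describes a model, not a system. As an added illustration (not the task force's design and not code from any agency), the sketch below separates the two halves of "discovery without disclosure": a shared index that answers only "which agencies hold something on this subject", keyed by an anonymized identifier, and a per-agency gate that releases content only when the requester's stated purpose and clearance match the record's policy, logging every decision. The agency names, the HMAC-based anonymization, the purpose/clearance policy and the sample records are all assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed for the example: a key held only by the index operator, so the
# shared index stores keyed hashes rather than raw subject identifiers.
INDEX_KEY = b"index-operator-secret-key"

CLEARANCE_RANK = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}


def anonymize(identifier: str) -> str:
    """Keyed hash of a subject identifier: agencies holding the same identifier
    match on it, but the index itself never contains the identifier."""
    return hmac.new(INDEX_KEY, identifier.encode(), hashlib.sha256).hexdigest()


@dataclass
class Record:
    holder: str              # owning agency
    subject: str             # identifier the record is about
    classification: str      # key into CLEARANCE_RANK
    permitted_purposes: set  # purposes for which disclosure is authorized
    content: str


class SharedIndex:
    """Cross-agency index: anonymized key -> set of holding agencies, nothing else."""
    def __init__(self):
        self._entries = {}

    def publish(self, record: Record) -> None:
        self._entries.setdefault(anonymize(record.subject), set()).add(record.holder)

    def discover(self, identifier: str) -> list:
        """Discovery step: who holds something on this subject. No content is returned."""
        return sorted(self._entries.get(anonymize(identifier), set()))


@dataclass
class AccessDecision:
    requester: str
    holder: str
    subject: str
    purpose: str
    granted: bool
    reason: str


class AgencyStore:
    """One agency's records with the authorized-use gate in front of them."""
    def __init__(self, name: str, index: SharedIndex):
        self.name = name
        self._index = index
        self._records = {}

    def add(self, record: Record) -> None:
        assert record.holder == self.name
        self._records[record.subject] = record
        self._index.publish(record)

    def request(self, requester: str, subject: str, purpose: str, clearance: str, audit: list):
        """Disclosure step: content only if purpose and clearance satisfy the record's
        policy. Every decision, granted or denied, is appended to the audit log."""
        record = self._records.get(subject)
        if record is None:
            granted, reason = False, "no record"
        elif purpose not in record.permitted_purposes:
            granted, reason = False, "purpose not authorized"
        elif CLEARANCE_RANK.get(clearance, -1) < CLEARANCE_RANK[record.classification]:
            granted, reason = False, "insufficient clearance"
        else:
            granted, reason = True, "authorized use"
        audit.append(AccessDecision(requester, self.name, subject, purpose, granted, reason))
        return record.content if granted else None


def demo():
    """Constructed scenario: two agencies hold records on the same subject."""
    index = SharedIndex()
    agency_a = AgencyStore("Agency A", index)
    agency_b = AgencyStore("Agency B", index)
    # Constructed sample records, not real data.
    agency_a.add(Record("Agency A", "subject-1234", "SECRET", {"counterterrorism"}, "Agency A case notes"))
    agency_b.add(Record("Agency B", "subject-1234", "UNCLASSIFIED", {"border", "counterterrorism"}, "Agency B travel record"))
    audit = []
    holders = index.discover("subject-1234")                       # ["Agency A", "Agency B"]
    denied = agency_a.request("analyst@b", "subject-1234", "fraud", "TOP SECRET", audit)   # None: wrong purpose
    granted = agency_a.request("analyst@b", "subject-1234", "counterterrorism", "SECRET", audit)
    return holders, denied, granted, audit


if __name__ == "__main__":
    print(demo())
```

The point of the split is that a high clearance alone buys nothing at the disclosure step (the "fraud" request is refused despite TOP SECRET), while the discovery step leaks only the existence of holders, which is what lets agencies publish into the index without handing over the records themselves.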
Who's in charge?
That still, of course, leaves the question of where primary
responsibility for cybersecurity should be located. The witnesses at
Tuesday's hearing, along with former FBI director Freeh, may have been
critical of DHS to varying extents, but all rejected Director of
National Intelligence Dennis Blair's suggestion that the NSA—whose
track record on that all-important public-private collaboration might
kindly be described as spotty—should take the lead. While some saw a
continuing operational role for DHS—which also plays host to the US
Computer Emergency Readiness Team (US-CERT)—most argued that a
dedicated executive branch agency within the White House would be
needed to handle macro-level policy making and intra-agency
coordination. That was among the more prominent recommendations of a
cybersecurity report issued late last year by the Center for Strategic
and International Studies, to which many of Tuesday's witnesses
contributed.
The idea is not without its critics, however. In his Friday remarks,
former FBI head Freeh argued that the problem of cybersecurity "is too
large and too complicated to relegate it into a typical bureaucratic
or statutory pigeonhole." Calling the idea of an independent agency
dedicated to cybersecurity "illusory," Freeh suggested that protecting
critical information infrastructure was like "trying to deal with
weather: where in the United States should we put the responsibility
to anticipate and control weather? It can't be done." The solution, he
argued, was to break down agency "silos" so that expertise dispersed
throughout the government could be brought to bear without excessive
centralization.
Probably the most important determinant of the approach the
administration ultimately adopts will be the findings of Melissa
Hathaway, who is slated to complete her comprehensive review in just
under a month. Should that review conclude that a more centralized,
White House-led approach is the way to go, Hathaway herself is widely
seen as the most likely candidate to head the effort.