There is a good old-fashioned backroom brawl shaping up in Washington over the cybersecurity issue, and the forces are aligning in some interesting ways on a variety of different sides of the debate. The latest installment in this long-running drama involves not just the fight over which, if any, of the numerous House and Senate bills addressing cybersecurity will ever see the light of day, but also the wisdom of handing authority for federal information security to the White House.
Many government and private-sector experts have recommended that whenever President Obama appoints a new cybersecurity czar, that person should report directly to the president and work in the White House rather than at the Department of Homeland Security. However, not everyone agrees that this is the best option. As Dark Reading’s Tim Wilson reports, Greg Garcia, a former DHS cybersecurity head, has reservations about the idea of taking cybersecurity authority away from DHS.
“DHS has the capabilities to handle the effort,” Garcia said. “What the White House needs to do is ensure that the relationships [between agencies] are well-defined. DHS can take responsibility for .com and .net, [the Department of Defense] can handle .mil, [and the Department of Justice] can handle cybercrime. The challenge is putting all the lego pieces together.
“The problem for some agencies is that we see ‘mission creep,’ where the scope of their missions go beyond its original boundaries,” Garcia said. “When that sort of thing happens, the White House needs to step in and play the role of traffic cop and keep things where they should be. The appropriate role for the White House is as a traffic cop, not as the driver for everything.”
Garcia’s point about defining the agencies’ roles is well-taken. The National Security Agency, DHS, the Department of Justice and the Department of Defense all have roles to play in cybersecurity at the federal level, and in many cases they overlap. Justice handles prosecutions, but many of the other agencies assist in investigations, as does the FBI. But defining those roles isn’t a full-time job. Once that’s hashed out, there is still plenty left to do, and that role is best left to a White House-level official, many experts say.
But regardless of where the cybersecurity czar ends up working, much of his or her work already is laid out. The same problems that faced the country’s critical infrastructure six years ago when the National Strategy to Secure Cyberspace was written are still here. The utilities are still vulnerable, threats and malware are increasing daily and much of the federal government seems not to understand the reach and power of the Internet. The good news is, the solutions in the National Strategy probably could still work, as well.
From Dark Reading:
Howard Schmidt, former White House Cyber Security Advisor and former CSO at eBay and Microsoft, said in a telephone interview before the summit that much of the road map for the federal cybersecurity effort has already been laid out from past administrations. “The question is, why aren’t we executing on it?” he asked.
There’s yet to be a satisfactory answer to that question, and it’s unclear when we might get one. Meanwhile, on the legislative side of things, several competing cybersecurity bills are bouncing around both the House and the Senate. Most recently, Reps. Peter King, Bennie Thompson and Joseph Lieberman introduced a bill last week designed to protect the electrical grid. And Sen. Jay Rockefeller is pushing a bill to create the White House cybersecurity czar position. There also are other bills in the hopper regarding security in the energy sector and other industries.
In true Washington fashion, it’s likely that pieces from each of these various bills will end up in some eventual compromise bill somewhere down the line. But there’s plenty of posturing and arguing to do.
*Image from Blankblankblank’s Flickr photostream.