A bill introduced in the Senate on Wednesday would make major changes to the way that cybersecurity is handled both within the government and in the private sector, including giving the federal government more control over private networks.
But the provision that is getting the most attention, and rightly so, is the establishment of the Office of the National Cybersecurity Advisor in the White House. The office’s head would report directly to President Obama, a step that security experts and Washington insiders have been saying for years is a key to making real progress on this issue. For a cybersecurity chief to have any chance to succeed, experts say, he or she must have a direct line to the president, and not be relegated to the depths of the Department of Homeland Security or any other agency.
The nominal head of federal cybersecurity has been inside DHS for the last several years, and that has gotten us exactly nowhere. The position was buried several layers down the org chart and given no power to ride herd on other federal agencies. This, of course, led to the other agencies ignoring DHS and doing their own thing, frustrating a long line of men who tried unsuccessfully to change the insular and inefficient culture inside the Beltway.
Some observers have suggested that any sort of cybersecurity chief is doomed to failure because other so-called czars in charge of large federal programs like the drug war and health care haven’t succeeded. In other words, because the war on drugs hasn’t completely eradicated narcotics from the U.S., a federal cybersecurity chief can’t help improve secure software development or cooperation between the public and private sectors. Makes perfect sense.
In an excellent essay on the question of who should be in charge of federal cybersecurity, Bruce Schneier argues that transparency and accountability are the keys in the process, and that, whatever else happens, the National Security Agency should not be put in charge, as some federal officials have suggested.
Maybe the NSA could convince us that it’s putting cybersecurity first, but its culture of secrecy will mean that any decisions it makes will be suspect. Under current law, extended by the Bush administration’s extravagant invocation of the state secrets” privilege when charged with statutory and constitutional violations, the NSA’s activities are not subject to any meaningful public oversight. And the NSA’s tradition of military secrecy makes it harder for it to coordinate with other government IT departments, most of which don’t have clearances, let alone coordinate with local law enforcement or the commercial sector.
The reality is this: Cybersecurity needs to be a top priority for the federal government and if that means putting it inside the White House, then so be it. We’ve seen where the other approach gets us, and it’s nowhere good. Ignore all of the laughable hyperbole about a “cyber-Katrina” and hackable stoplights from Sen. Olympia Snowe and Sen. John Rockefeller, who introduced the bill, and focus on the task at hand.
“The need for a cyber advisor is paramount,” Tom Kellermann of Core Security told me recently. “It’s very much tied to that person. There’s a recognition that we’ve been losing and we need to assess our vulnerabilities as our enemies do. If [the cybersecurity czar position isn’t returned to the White House] I’ll be completely shocked. That would very much be a good sign, not only for eliminating turf battles, but providing one voice who can advise the president on these critical issues on a regular basis.”
That’s what Snowe and Rockefeller are proposing, and it’s a big step in the right direction.