Amit Yoran, CEO of NetWitness, is the former director of the National Cyber Security Division at the Department of Homeland Security and a longtime veteran of the security industry both inside and outside the Beltway. He spoke with Dennis Fisher recently about the current power vacuum in Washington on security matters and the priorities for the next cyber security coordinator.
Let’s start with what’s going on with cyber security in D.C. right now. What are your thoughts on what’s going on and what you’d like to see happening to get things moving in the right direction.
It’s really interesting and certainly from the outside it doesn’t appear that there’s a whole heck of a lot going on and lot moving in Washington around cyber and that’s really how it looks from the surface. But I’m not really convinced that’s an accurate portrayal of what’s happening. Over the past 3 or four months now we’ve had as the cornerstone of our cyber defense efforts this Comprehensive National Cybersecurity Initiative, or CNCI as it’s commonly referred to in the media. and this initiative as folks have noted in the past is highly classified and it’s a series of programs, which collectively they’re not all 100% perfect, obviously, but collectively they’re pretty significant. I think they move the government’s cyber efforts forward significantly. Some of those efforts are well under way, some of them are still in architecture and design phase and still much more concept than actual initiative. But there’s still a lot of activity on them and progress being made. It’s the sort of challenge that’s plagued CNCI since its arrival and its highly classified state. You just don’t get a whole lot of dialog about it in public forums or in the media to help folks understand what’s being done or what progress is being made. It’s a challenge for the initiative.
I’ve heard people say that maybe it was needlessly too highly classified. Do you sit in that camp?
There are certain things that do need to be kept highly classified, when you start talking about offensive capabilities. which does need to be part of a comprehensive national strategy around cyber. For obvious reasons those offensive capabilities are highly classified. Then you start talking about things which may impede our capabilities in the cyber domain, or perhaps outside the cyber domain that we use in our cyber operations. Those types of information need to be highly classified. But I think the program itself, you can’t have a successful and scalable national framework if the framework is classified as CNCI has been. And it’s not simply base do the costs. It’s a model that doesn’t scale well. Yes you can have a large number of people with clearances dealing with these issues. When you start talking outside the intelligence community the numbers of people that have the appropriate clearance level dwindle very rapidly, especially when you get to the system administrator level to the folks that need actionable information. When you start thinking about the critical infrastructure, the fact that you have the programs classified at such a high level you simply can’t work with the private sector in any meaningful way. And this is not just to share information. Even if you have the right information, you can’t simply put it into your network monitoring or your forensic techniques because the information was classified. So you can’t simply put it on unclassified networks to defend them. So it’s a very very significant law in the design of the overall program itself. But my belief is that over time the level of classification will have to come down if the program is to scale.
Do you have any hopes that will actually happen?
I think it has to happen over time, or versions of the program will have to be declassified. Versions of these initiatives will have to be extended into unclassified venues so that they can be implemented effectively outside of the very specific .mil and .gov constructs and be applicable to the very important infrastructure that our nation relies on. Because you simply cannot scale that in a classified form.
When you were at DHS you were a big proponent of information sharing. What are you seeing from the Obama administration in that area?
The Obama administration has made some very hard hitting statements about their desire to make more information available. And even in a short time they’ve begun putting up Web sites and interfaces to get information our to people who have interest in it. In the specific cyber realm we haven’t seen a broader set of activities beyond the 60 day review which Melissa Hathaway led. The lack of presidential cyber coordinator at the White House means that we have sort of a lull in public interaction points.
Do you still think the White House is the right spot for that coordinator or whatever the title turns out to be?
I do. I’m a big believer that any national cyber effort needs to be actively led by the White House, It can only be effectively led by the White House. Certainly, the intelligence community and NSA have an absolutely critical role in this. The DHS has a role in the federal civilian infrastructure protection efforts and the interaction with critical infrastructure and private sector folks, and other folks across federal governments. There’s a tremendous amount of cyber policy work, cyber legal work, and at the operation and technical levels across federal government. But the competing priorities and intelligence requirement or law enforcement requirement or network defender requirement may in fact conflict with one another. And you need strong leadership at the White House to coordinate programs, to prevent departments and agencies from significant overlap and waste to working to counterproductive ends, so I think strong White House leadership is absolutely required to make this an effective effort.
How accurate is the portrayal that there’s a lot of inter-agency conflicts?
There are clearly some competing priorities between the departments and agencies, There’s also different levels of sophistication, technical and otherwise, that become evident when you look at the protective measures in place across the government. I don’t necessarily think there’s direct conflict between NSA and DHS or between DHS and State. Maybe at a political level you might get some rubbing of elbows and make people are claiming the territory and they have their mission space and they know, this is what we’re responsible for. I think that happens far less frequently than it might be portrayed in the media.
If you got back in that position, what would be the three or four items at the top of the list you’d like to see the coordinator tackle when he got in there?
There’s a couple of things that I would consider very high priority items. One is to look at the existing set of programs and make sure that they’re aligned. I think the government needs to continue to refine at an operational level he protection of its own systems and networks and data, so protecting the .gov and .mil are a first priority for the executive branch. We have a couple of programs, like the TIC initiative, the Trusted Internet Connect program, which can help in that effort, but I think very simple, very logical, here’s how the world’s largest enterprise should protect itself can still be executed a lot more strategically across the enterprise. And better defining and refining your interaction points with the private sector. Right now there are so many public-private working groups and mechanisms out there that are poorly constructed and don’t necessarily deliver the results you’re looking for. They more often have the government affairs folks engaged. We have to really think like the private sector, not just put the government at the center of a PowerPoint chart.
This is an edited transcript of a podcast with Amit Yoran.
