The Department of Homeland Security (DHS) is not up to the task of protecting the nation's cybersecurity, and a comprehensive, coordinated strategy for cybersecurity should instead be run out of the White House, public and private sector experts told lawmakers Tuesday.
The hearing before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Homeland Security Committee comes halfway through the National Security Council's 60-day review of the federal cybersecurity mission ordered by President Barack Obama.
If the hearing today is any indicator, the review conducted by the NSC's senior director Melissa Hathaway will not be favorable.
Witnesses roundly criticized the federal government’s effectiveness under the Bush Administration in protecting the country’s cyberinfrastructure from crime, espionage, and cyberattacks.
Microsoft's Scott Charney, corporate vice president for trustworthy computing, said that “The sheer number of extremely important issues that transcend agency boundaries suggests that coordination of any national cybersecurity strategy must reside within the one organization responsible for ensuring that the government acts as one government.”
Amit Yoran, who served as head of DHS's National Cyber Security Division from 2003 to 2004 and is now CEO of IT security firm NetWitness Corp., said that his former employer "has repeatedly failed to either attract or retain the leadership and technical acumen required to successfully lead in the cybermission space."
Underlining DHS's inefficiencies, David Powner, director of the Government Accountability Office’s (GAO) Information Technology Management Issues, told lawmakers that the GAO had previously made 30 recommendations to DHS to bolster cybersecurity in key areas, of which many have not yet been fully satisfied.
“Where are we today in cybersecurity?” asked Jim Lewis of the Center for Strategic and International Studies. “From one perspective, we are in remarkably bad shape,” he said, noting the many government network intrusions that have occurred over the past year, including U.S. Central Command and various federal agencies.
Mary Ann Davidson, chief security officer at IT giant Oracle, called the United States' ability to protect its cyberinfrastructure “mission critical” to its overall national security.
“[The Department of Defense] continues to invest in network centric operations, which is all about getting the right information to the right warrior at the right time in the right battlespace,” Davidson said. “Therefore, the network is the battlefield because the network is what our enemies will attack if they want to deny us the ability to use our own technology.”
Witnesses also recommended strategies to better protect the country’s cyberinfrastructure.
The White House, Davidson recommended, should create a 21st century version of the Monroe Doctrine, one warning that any meddling with U.S. cyberinfrastructure will be viewed as an act of aggression. The doctrine enunciated by President James Monroe in 1823 stated that the United States would not tolerate European influence in the Western Hemisphere.
CSIS's Lewis agreed, stating that the United States should publicly declare that it will protect its cyberinfrastructure “using all instruments of national power.”
While arguing that DHS should not lead the country’s cybersecurity posture, Yoran said DHS's U.S. Computer Emergency Readiness Team (US-CERT) should protect the government’s “dot-gov” Web sites and should take the lead in developing private-public partnerships to help sow greater understanding of cybersecurity concerns within the private sector.
The hearing came after the March 5th resignation of National Cyber Security Center director Rod Beckstrom, effective Friday. The DHS office is responsible for protecting the nation’s civilian, military, and intelligence networks from cyberattack and intrusion.
Homeland Security Chairman Bennie G. Thompson (D-MS) blamed Beckstrom’s resignation on the Bush administration.
“Without clear authority or budget,” said Thompson, “he was placed in a no-win situation.”
In his resignation letter published by The Wall Street Journal, Beckstrom criticized the National Security Agency’s mission creep into DHS territory on cybersecurity.
Beckstrom said the essential task of protecting the nation’s cyberinfrastructure should be handled by a civilian agency and not a secretive intelligence agency.
“The intelligence culture is very different than a network operations or security culture,” he said. “In addition, the threats to our democratic processes are significant if all top level government network security and monitoring are handled by any one organization.”
Yoran agreed with Beckstrom's description, telling lawmakers that if NSA is put in charge of the nation's cybersecurity mission, the country's network security will suffer "in favor of the intelligence mission."