Federal agencies must avoid over-centralization and one-size-fits-all mandates when it comes to cybersecurity, Commerce Secretary Penny Pritzker told the President’s Commission on Enhancing National Cybersecurity during its Monday meeting.
“The Commerce Department cannot … meet its critical responsibilities without strong cybersecurity, so consider me very wary of any vast centralization effort that dilutes the authority of the secretary as a manager to hold my team — and my [cabinet] peers to hold their teams — accountable,” she said.
Her remarks came at the opening of the commission’s final public hearing, held to gather testimony about any changes to federal government structure or policy that might be needed to improve U.S. cybersecurity. Commission Executive Director Kiersten Todt told Cyberscoop recently they would be assessing whether “authority, responsibility and capability” were properly aligned in the federal government org chart.
Many observers believe that policy makers like the White House cyber czar or the new federal CISO need more authorities, perhaps even budget-setting power, so they can take the steps needed to secure government IT networks from hackers, cyberspies and other foreign adversaries.
But Pritzker pushed back against that idea Monday, telling the commission: “The functional requirements of cybersecurity vary a great deal across federal agencies.” There were vital differences, she stressed, between the steps the Census Bureau, for example, needed to take to secure the vast data lakes it controls and those needed at the FAA, to protect the integrity of its air traffic control operations.
“We must not mandate centralized, one-size-fits-all solutions for every agency,” she said at the meeting, hosted by the Kogod Cybersecurity Governance Center at American University.
She said the commission should consider whether federal civilian agencies should all be on the same network — “a unified .gov network, similar to .mil” — and whether all two million federal employees should be using the same email system.
“We welcome centralized services,” she said of herself and her cabinet peers, “as long as department leaders have the flexibility” to deploy them in ways that best suit the mission needs of their own agency.
She said that the cybersecurity challenges departments faced were lack of resources and the inability to recruit and retain a skilled workforce.
“Our current approach is akin to plugging holes in a leaky boat,” she said.
The commission’s recommendations on strengthening long-term U.S. cybersecurity in the federal government and the private sector are due Dec. 1.