The federal government needs to get its act together on cybersecurity, and there needs to be a public debate about the proper role for agencies like the Department of Homeland Security and the National Security Agency, public and private sector leaders said Tuesday.
“We really need to define what we want our government to do in cybersecurity, former Congressmen Mike Rogers told an audience at FedScoop’s FedTalks. “We have lots of capability. The NSA has lots of capability,” he told a packed auditorium in Washington at the annual event.
By giving DHS, rather than NSA, the lead in defending civilian government networks and working with the private sector to protect the nation’s vital industries, the U.S. had “take[n] our best players off the field,” complained Rogers, who chaired the House Permanent Select Committee on Intelligence.
“Candidly,” Rogers said, that decision “was politically driven and not policy driven. People were a little nervous about having NSA … dealing directly with them” and their networks — even companies that had a prior relationship with the NSA or the Pentagon were nervous.
Despite the ongoing furor over the government’s role in protecting the private sector from foreign state-sponsored cyberattacks, speakers said there wasn’t clarity about the respective roles of the intelligence and law enforcement in the cybersecurity space.
There is an inherent difference in — even conflict between — the missions of intelligence, law enforcement, and network defenders in the federal cybersecurity space, RSA President Amit Yoran said in a morning keynote.
Intelligence agencies “watch … and want to keep watching,” malicious actors in cyberspace, Yoran said, whereas law enforcement want to watch only to gather evidence to prosecute them. Meantime network defenders “may not care at all who attacked them,” he said.
“We need more clarity about roles, responsibilities and authorities between agencies,” Yoran concluded.
“We have not yet fully engaged — on the public side — [in a discussion about] what we want our government to do. How engaged do you want the NSA to be in defending private sector networks?” Rogers added.
Is DHS the agency that should be in the lead [in cyber defense] in the US, given the level of threats? We could probably debate that for an hour and a half,” he said.
Rogers said that while working on cyber threat information sharing legislation in the last congress, the intelligence committee had conducted a great deal of outreach to the private sector to see who they would prefer to deal with in the government when it came to cybersecurity.
“Candidly … we did not find one example of someone saying yes, I want to deal with DHS,” he said.
Another example of an unresolved issue, speakers said, is the dual-hatted job that Adm. Michael Rogers has as director of the NSA and commander of U.S. Cyber Command.
“This structure is now over six years old,” Adm. Rogers said, joining the former Congressman of the same name for a cybersecurity chat at FedTalks.
“The reason we got this structure is, we were building Cyber Command and we wanted to harness the … significant investments the Department of Defense had already made in cyber .. at the NSA,” Adm. Rogers said.
There have recently been moves, both in Congress and in the executive branch, to separate the two jobs, and give Cyber Command its own commander.
“My position has always been, this is the right thing to do at the wrong time,” said Adm. Rogers, adding “It’s a reflection of the maturation of Cyber Command that we’re even having this discussion.”
“The challenge is: What’s the right time, what’s the right process, so that [we do it] with minimal risk,” he concluded.
“I have candidly been going back and forth on this issue,” said Rep. Rogers, who chaired the House Intelligence Committee. “The only thing I worry about is [if we split it up] does Adm. Rogers [of cyber command] have to talk to Director X of NSA to perform the same function he does today. If we can’t eliminate that question then I’m not sure I can support it.”
“We probably don’t have this right just yet,” he finished.
Yoran called out the General Services Administration’s FedRAMP cloud security certification process as a successful effort to raise the cybersecurity bar in the federal government.
“It was painful at first, but it is driving security requirements into next generation of [IT] infrastructure,” he said.