Government

Feds need clarity on cyber structures

The federal government needs to get its act together on cybersecurity, and there needs to be a public debate about the proper role for agencies like the Department of Homeland Security and the National Security Agency, public and private sector leaders said Tuesday.

By Shaun Waterman

October 18, 2016

“We really need to define what we want our government to do in cybersecurity, former Congressmen Mike Rogers told an audience at FedScoop’s FedTalks. “We have lots of capability. The NSA has lots of capability,” he told a packed auditorium in Washington at the annual event.

By giving DHS, rather than NSA, the lead in defending civilian government networks and working with the private sector to protect the nation’s vital industries, the U.S. had “take[n] our best players off the field,” complained Rogers, who chaired the House Permanent Select Committee on Intelligence.

“Candidly,” Rogers said, that decision “was politically driven and not policy driven. People were a little nervous about having NSA … dealing directly with them” and their networks — even companies that had a prior relationship with the NSA or the Pentagon were nervous.

Despite the ongoing furor over the government’s role in protecting the private sector from foreign state-sponsored cyberattacks, speakers said there wasn’t clarity about the respective roles of the intelligence and law enforcement in the cybersecurity space.

There is an inherent difference in — even conflict between — the missions of intelligence, law enforcement, and network defenders in the federal cybersecurity space, RSA President Amit Yoran said in a morning keynote.

Intelligence agencies “watch … and want to keep watching,” malicious actors in cyberspace, Yoran said, whereas law enforcement want to watch only to gather evidence to prosecute them. Meantime network defenders “may not care at all who attacked them,” he said.

“We need more clarity about roles, responsibilities and authorities between agencies,” Yoran concluded.

“We have not yet fully engaged — on the public side — [in a discussion about] what we want our government to do. How engaged do you want the NSA to be in defending private sector networks?” Rogers added.

Is DHS the agency that should be in the lead [in cyber defense] in the US, given the level of threats? We could probably debate that for an hour and a half,” he said.

Rogers said that while working on cyber threat information sharing legislation in the last congress, the intelligence committee had conducted a great deal of outreach to the private sector to see who they would prefer to deal with in the government when it came to cybersecurity.

“Candidly … we did not find one example of someone saying yes, I want to deal with DHS,” he said.

Another example of an unresolved issue, speakers said, is the dual-hatted job that Adm. Michael Rogers has as director of the NSA and commander of U.S. Cyber Command.

“This structure is now over six years old,” Adm. Rogers said, joining the former Congressman of the same name for a cybersecurity chat at FedTalks.

“The reason we got this structure is, we were building Cyber Command and we wanted to harness the … significant investments the Department of Defense had already made in cyber .. at the NSA,” Adm. Rogers said.

There have recently been moves, both in Congress and in the executive branch, to separate the two jobs, and give Cyber Command its own commander.

“My position has always been, this is the right thing to do at the wrong time,” said Adm. Rogers, adding “It’s a reflection of the maturation of Cyber Command that we’re even having this discussion.”

“The challenge is: What’s the right time, what’s the right process, so that [we do it] with minimal risk,” he concluded.

“I have candidly been going back and forth on this issue,” said Rep. Rogers, who chaired the House Intelligence Committee. “The only thing I worry about is [if we split it up] does Adm. Rogers [of cyber command] have to talk to Director X of NSA to perform the same function he does today. If we can’t eliminate that question then I’m not sure I can support it.”

“We probably don’t have this right just yet,” he finished.

Yoran called out the General Services Administration’s FedRAMP cloud security certification process as a successful effort to raise the cybersecurity bar in the federal government.

“It was painful at first, but it is driving security requirements into next generation of [IT] infrastructure,” he said.

Feds need clarity on cyber structures

More Like This

FBI director warns of China’s preparations for disruptive infrastructure attacks

House passes bill to limit personal data purchases by law enforcement, intelligence agencies

Ex-White House cyber official says ransomware payment ban is a ways off

Top Stories

Treasury official: Small financial institutions have ‘growth to do’ in using AI against threats

‘Large volume’ of data stolen from UN agency after ransomware attack

More Scoops

Cyber Command’s rotation ‘problem’ exacerbates talent shortage amid growing digital threat

Top cyber feds working toward fresh models of an old mantra: cyber collaboration

National cyber resilience requires closer integration of public and private efforts

A look inside Congress’ biggest cyber bill ever

Cyber Command has redeployed overseas in effort to protect 2020 elections

Mueller report confirms Trump lobbied top intel officials to refute Russia stories

Tenable CEO blasts ‘smoke and mirrors’ of cybersecurity industry

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics