Overall, the administration’s vision for DHS can be expressed in two main points: It would like to see the department’s authorities and capabilities in federal civilian cyberspace – the dot-gov world – become equal to those of the Department of Defense in the “dot-mil” world. The department’s authority over the practices of other agencies, for too long, has maxed out at the strongly worded suggestion. While it’s true that agencies are sometimes unable to comply with certain standards because of limited resources, it’s also true that, even if that’s not the case, DHS lacks the authority to compel compliance through concrete means, such as impounding funds. In terms of personnel, DHS has already launched an aggressive workforce development program, combining increased hiring with numerous recruitment and training programs – many of them conducted at the cyber defense training facility at the Idaho National Laboratory – and the recent legislative proposal contains several provisions that would implement additional efforts.
One successful DoD program DHS may hope to emulate is the Defense Industrial Base, or DIB, collaboration, in which the military has been sharing classified information on hacking threats with defense contractors. A similar DHS-led program could do much to protect critical private-sector networks.
Overall, in the private sector – the control systems of critical infrastructure and the “dot-com” world – the administration envisions greater DHS involvement in protection and response. While this desire causes discomfort among skeptics of regulation, the fact is that DHS is often completely excluded from the private-sector decision-making process. For example, cybersecurity standards for the power grid’s critical infrastructure – standards described as insufficient in a January 2011 report from the Department of Energy – are developed through collaboration between private-sector operators and the Federal Energy Regulatory Commission (FERC). DHS has no say in the development of these standards.
According to Lewis, private-sector owners and custodians of critical infrastructure should get used to the idea that the days of writing their own rules are probably coming to an end – but that doesn’t mean DHS should adopt a heavy hand. “You don’t want to increase the regulatory burden if you can avoid it, but you also don’t want to leave the nation vulnerable,” he said. “Just about every test that’s done on control systems finds a connection to the Internet, because people are busy doing repairs or connecting remotely from out in the field. So just leaving cybersecurity to voluntary action isn’t going to work. But that doesn’t mean we want DHS to be the regulator. Let FERC work with DHS and NSA to come up with reasonable standards, and then ask the companies to comply with them.”
Under the regime outlined in the Cybersecurity Legislative Proposal, the performance standards and measures adopted by critical infrastructure operators would be subject to third-party audits whose results would be made available to the public, which would then – theoretically – drive the market by determining whether to use those networks. It’s not clear how well this mechanism would work, however, in areas where such infrastructure, such as power transmission equipment, is owned and operated by a regional monopoly.
Lewis cautions against focusing too much attention on the work of DHS – while it has the lead, he said, it’s only part of a government-wide effort. DHS’ Secret Service and Immigration and Customs Enforcement conduct investigations, as does the Department of Justice, which prosecutes cyber crime; the NSA, in its typical quiet fashion, conducts programs such as the Enduring Security Framework, a public-private partnership aimed at securing the industrial supply chain; the State Department has worked with U.S. allies to place cybersecurity at the forefront of international issues.
Critical to the success of all these efforts, said Lewis, is the legislature. “You have a lot of people in Congress now concerned with this as a problem,” he said. “They may not get it right this time, though there’s still a chance. Either in this Congress or the next, you will see cybersecurity legislation, and it won’t be the ‘Kumbayah’ legislation – meaning everyone crosses their hearts and promises to protect their networks – that some companies want.”
The Human Element
The involvement of every level of government, in transparent partnership with the private sector, seems the only way to go in confronting a threat that is – as the events of the last several years have proved – real and multidimensional, with attacks possible from inside an organization, from remote IP addresses, or from within the vendor/supply chain.
Despite such threats, many experts who warn of the threat posed by cyber attacks also temper their alarm with some perspective. When the Center for a New American Security (CNAS) – a bipartisan think tank founded in 2007, with close ties to the Obama administration – released a two-volume, nearly 300-page report titled “America’s Cyber Future: Security and Prosperity in the Information Age” in May 2011, it opened with a grim assessment by co-editors Kristin M. Lord and Travis Sharp: Government networks currently experience “approximately 1.8 billion cyber attacks of various sophistication targeting Congress and federal agencies each month.”
“Success,” the editors warned, “requires stronger and more proactive leadership by the U.S. government. It requires companies and researchers to innovate faster than criminals and spies. And it requires organizations and individuals across America and around the world to take responsibility for their own security. We must not wait for a digital disaster, intentional or otherwise, to reverse the growing trend of cyber insecurity.”
But the editors also warned against sensationalizing the issue, hyping every term that contains the prefix “cyber.” To think of cybersecurity as mostly a technical problem, pitting one set of geniuses against another, is to miss the most important point of any sound cybersecurity strategy: At the root of every threat is a simple human behavior.
This point was driven home nearly a month after the release of CNAS’s report, when DHS revealed the results of a test it ran to discover how difficult it might be for an outsider to gain access to government computer systems. The test consisted of dropping computer discs and USB thumb drives in the parking lots of government buildings and private contractors and waiting to see what happened. The results: Sixty percent of the people who picked them up took them inside and plugged them into a computer to see what they contained; if the drives or discs were marked with official logos, the percentage climbed to 90. It’s easy to see why CNAS is calling for strong government leadership that, among other aims, “bolsters cybersecurity education and recruitment programs.”
While such results may make an expert, someone who has devoted a career to network security, throw up his or her hands in despair, there is a ray of hope shining through the recent efforts of the U.S. government. “This administration has done more than any other previous administration,” said Lewis, “though there have only been two others, the Clinton and Bush administrations, that had to think about these issues. Our guys have done a lot of good work – but no country is very far along in thinking about its defenses.”
This article first appeared in The Year in Homeland Security: 2011/2012 Edition.
Lorelei Kelly
2:32 PM May 26, 2012
Thanks for writing this helpful overview. I think an important point esp. that cybersecurity has with many other globalization/security dilemmas is at the civ-mil intersection…so much institutional capacity and knowledge has migrated to DoD simply because of personnel, resources and proactive “operational” mentality. How to draw some boundaries on that is really key.
Chuck Oldham (Editor)
7:26 PM May 26, 2012
You’re absolutely right about the key concern being the civilian/military boundary, not to mention the boundary between Constitutional rights and the need for security because of the grave nature of the threat. It’s especially important now because by and large the government is playing catch-up with the civilian sector and has been woefully slow to act on cybersecurity, in contrast to the recent turnaround in cyber attack. The danger is that in rushing to put defenses in place, Americans’ civil rights may be cast aside.