Politics and Law

March 25, 2009 6:11 AM PDT

Senator asks DHS for cybersecurity documents

by Stephanie Condon

The top Republican on the Senate Homeland Security Committee is requesting detailed information, including financial figures, from the U.S. Department of Homeland Security to explain why the department has been seemingly unable to fulfill its cybersecurity responsibilities.

Sen. Susan Collins

In a letter sent to DHS Secretary Janet Napolitano on Tuesday, Sen. Susan Collins (R-Maine) said that in light of the recent resignation of National Cybersecurity Center Director Rod Beckström, she would like DHS to send the Homeland Security Committee a number of documents to show how the department spent its $6 million NCSC budget and provided other means of support for the NCSC.

In a resignation letter turned in earlier this month, Beckström said, "the NCSC did not receive appropriate support inside DHS during the last administration to fully realize (its) vital role."

Collins said in her letter to Napolitano that she was very concerned by Beckstrom's assertion, especially given the authority the NCSC has been granted.

"The Committee needs to understand more fully how and why the NCSC was allegedly marginalized in spite of its prominent role outlined in the (Comprehensive National Cybersecurity Initiative) and described by (former DHS) Secretary (Michael) Chertoff," Collins' letter says.

The letter asks DHS to send Collins the following documents:

* a detailed breakdown of the budgets for 2009 through 2013 for both the NCSC and the National Cybersecurity Division;

* copies of any and all contracts entered into to establish and operate the NCSC, including any that may have been canceled;

* copies of any documentation related to the cancellation of computers, network equipment, furniture, or office space for the NCSC;

* copies of any and all Department Management Directives related to the establishment and operation of the NCSC;

* copies of the portions of former DHS Secretary Michael Chertoff's schedule that show the dates, times, and duration of his meetings with Beckstrom;

* copies of the portions of Napolitano's schedule, after her confirmation as DHS secretary, that show the dates, times, and duration of her meetings with Beckström;

* copies of documents related to physically locating the NCSC at any facility controlled by the National Security Agency;

* copies of documents related to placing NCSC under the control of anyone other than the Homeland Security secretary.

Collins requested that the information be provided within 14 days, so it can be reviewed before the completion of the government-wide, 60-day cybersecurity review the National Security Council's Acting Senior Director of Cybersecurity Melissa Hathaway is currently conducting for the president. The review is already past its halfway point.

Through commissioning the review in the National Security Council, President Obama may have been indicating he is interested in shaking up cybersecurity jurisdiction.

Two other key senators, Jay Rockefeller (D-W.V.) and Republican Olympia Snowe (Collins' colleague from Maine), are drafting legislation that would move cybersecurity responsibilities to the White House under the auspices of a national cybersecurity adviser.

Despite calls to move cybersecurity away from DHS, Collins said in her letter, "I continue to support giving the Department, and more specifically the NCSC, these authorities."

The NCSC was established in early 2008 as part of the Comprehensive National Cybersecurity Initiative. In a June response to questions from the Senate regarding the NCSC's role, Chertoff said the NCSC was intended to "serve a principal role as a single location for all-source situational awareness about cybersecurity and security status of the U.S. Networks and systems."

In September 2008, Collins and Senate Homeland Security Committee Chair Joe Lieberman (I-Conn.) introduced broadened NCSC authorities within the 2008-2009 DHS authorization bill.

Collins is not the only member of Congress publicly supporting the current DHS cybersecurity programs.

Representative Sue Myrick (R-N.C.) sent a letter to Napolitano on March 19, asking the secretary to avoid restructuring the department in a manner that would weaken the three components of the Office of Cybersecurity and Communications--the National Cybersecurity Division, the National Communications System, and the Office of Emergency Communications.

"Congress partnered these components under an assistant secretary within DHS precisely because it was understood that each unique mission could leverage each other's skill and authorities to ensure we make most effective use of our homeland security resources," Myrick said in her letter.

March 12, 2009 12:04 PM PDT

Microsoft exec appointed to DHS post

by Stephanie Condon

U.S. Homeland Security Secretary Janet Napolitano announced Wednesday she is naming a Microsoft executive to be in charge of protecting the U.S. government's computing systems.

Napolitano has appointed Philip Reitinger to be deputy undersecretary for the department's National Protection and Programs Directorate, where he will be responsible for protecting federal computing systems from domestic and foreign threats. Reitinger currently serves as Chief Trustworthy Infrastructure Strategist at Microsoft.

"Phil's background in cybersecurity and computer crime coupled with his experience working across the federal government and the private sector to develop innovative security strategies makes him an asset to our department," Napolitano said in a statement.

In his role at Microsoft, where he is responsible for protecting information technology infrastructure, Reitinger has worked closely with government agencies and other private partners on cybersecurity protection programs.

Reitinger also has experience in the public sector. He formerly served as the executive director of the Defense Department's Cyber Crime Center, which provides electronic forensic services and supports cyberinvestigations. Before that, he was deputy chief of the Computer Crime and Intellectual Property division at the Justice Department. Reitinger also sits on the Federal Emergency Management Agency National Advisory Council, which advises the FEMA administrator on cybersecurity.

Reitinger's appointment comes a week after Rod Beckstrom, director of the DHS National Cybersecurity Center, resigned because of what he perceives as attempts by the National Security Agency to control DHS cyberefforts. The National Cybersecurity Center falls under the jurisdiction of the National Protection and Programs Directorate, so Reitinger will be responsible for replacing Beckstrom, according to DHS spokesperson Amy Kudwa.

Another Microsoft executive with government experience, Microsoft Vice President Scott Charney, echoed Beckstrom's comments on Tuesday telling Congress that the cybersecurity mission does not belong in the hands of the NSA.

"It's really important to empower DHS to take the necessary operational role," he said.

February 27, 2009 6:44 AM PST

Obama's budget blueprint enhances cybersecurity

by Stephanie Condon

President Obama's proposed 2010 budget includes hundreds of millions of dollars for the Department of Homeland Security's cybersecurity division, programs that have faced significant criticism over the past year.

The budget includes $355 million to support the base operations of the National Cyber Security Division and the efforts of the Comprehensive National Cybersecurity Initiative. The money will largely be used to secure the nation's public and private information networks, although $36 million will support ongoing projects to improve surveillance technologies that detect advanced biological threats.

The DHS cybersecurity initiatives have been criticized for poor leadership and for being too reactionary. Earlier this month, Obama appointed Melissa Hathaway, who worked for the director of national intelligence in the Bush administration and was director of a multi-agency "Cyber Task Force," to conduct a two-month review of DHS cybersecurity efforts. Hathaway is conducting her review as part of the White House's National Security Council, indicating authority over cybersecurity efforts may shift to other federal offices.

Earlier this week, Director of National Intelligence Dennis Blair told the House Select Committee on Intelligence that the National Security Agency should have more oversight of cybersecurity (PDF).

"The National Security Agency has the greatest repository of cybertalent," he said. "I think that capability should be harnessed and built on as we're trying to protect more than just our intelligence networks or our military networks (and) as we expand to our federal networks and to our critical infrastructure networks."

Blair acknowledged that there is a great deal of distrust of the NSA because of its warrantless wiretapping program and asked the committee for help in restoring the agency's reputation so it could take on initiatives that go beyond the scope of intelligence, such as cybersecurity.

The president's 2010 budget proposal also indicates the administration's intention to enhance the intelligence community's role in overseeing cybersecurity. Funding for the national intelligence program is not detailed, but that portion of the budget says the government "will take an integrated and holistic approach to address current cybersecurity threats, anticipate future threats, and continue innovative public-private partnerships. These efforts encompass the homeland security, intelligence, law enforcement, military and diplomatic mission areas of the U.S. Government."

February 19, 2009 3:45 PM PST

DHS names chief privacy officer

by Stephanie Condon

U.S. Homeland Security Secretary Janet Napolitano announced on Thursday she is appointing attorney Mary Ellen Callahan as the department's chief privacy officer.

"Homeland security and privacy are not mutually exclusive, and having a seasoned professional like Mary Ellen on the team further ensures that privacy is built in to everything we do," Napolitano said. "Our Privacy Office is viewed as a leader in the federal government in public outreach and as model for Privacy Impact Assessments. I look forward to the skill and experience Mary Ellen will bring to this robust and important office."

Callahan currently serves as a partner at the law firm Hogan & Hartson, where she counsels online companies, trade associations, and other corporations on antitrust, e-commerce, and privacy-related issues. She has helped companies draft their Web site privacy policies and terms of use and counsels corporations on developing legally compliant e-mail marketing campaigns.

The new privacy officer has also helped consumer-health Web sites develop standards for self-regulation and, as co-chair of the Online Privacy Alliance, has helped the network advertising industry develop its own self-regulations--something the Federal Trade Commission is closely watching. She has represented numerous companies before the FTC and the Justice Department on antitrust issues and possible violations of the FTC Act.

In January, Callahan co-published an article (PDF) in the "Privacy & Data Security Law Journal" about how the Internet Explorer 8 InPrivate feature "could substantially impact both the business models and the current practices of third-party ad servers, behavioral marketers, web traffic analytics services, and content providers." Callahan wrote the article with her Hogan & Hartson colleagues Mark Paulding and Christine Varney, who was recently nominated to be the Obama administration's antitrust chief.

Callahan also serves as vice-chair of the American Bar Association's Privacy and Information Security Committee of the Antitrust Division.

December 19, 2008 10:39 AM PST

After six years, Homeland Security still without 'cybercrisis' plan

by Declan McCullagh

When the U.S. Department of Homeland Security was created, it was supposed to find a way to respond to serious "cybercrises." "The department will gather and focus all our efforts to face the challenge of cyberterrorism," President Bush said when signing the legislation in November 2002.

More than six years later, and after spending more than $400 million on cybersecurity, DHS still has not accomplished that stated goal. "We need to have a plan tailored for a cybercrisis," DHS Secretary Michael Chertoff said on Thursday.

Chertoff told a conference in Washington, D.C., that creating such a plan first requires "a clear awareness of exactly what the dimension of the threat was," meaning the ability to detect intrusions in real time, and probably means taking some of the existing plans for physical attacks and "adapt them and some of the basic principles" to electronic threats.

"I do think that we have work to do in figuring out how to tailor something specific for cybersecurity in the same way that we've done it for natural disasters or terrorist attacks or things of that sort," he added.

Because only a few weeks are left in the Bush administration, any further work will be left to the administration of President-elect Barack Obama.

The Bush administration has spent $115 million on DHS's National Cybersecurity Division for the 2008 fiscal year. Totaling the budgets for the previous four years yields approximately $300 million, or approximately $415 million over five years including 2008.

The cybersecurity division has been plagued by a lack of leadership, with industry representatives unsure of who to contact. The revolving door of leadership within the division prompted a cybersecurity commission to recommend that leadership be moved to the White House, something that DHS opposes.

"There's no one place in charge," said Andy Singer, principal of the cybercampaign team for Booz Allen Hamilton, one of the sponsors of Thursday's conference. "Who does Bank of America go to if they're having a problem?"

Even by Washington standards, the turnover of various cybersecurity "czars" has been remarkable: Richard Clarke, a veteran of the Clinton and first Bush administrations, left the post with a lucrative book deal. Clarke was followed in quick succession by Howard Schmidt, then Amit Yoran and Robert Liscouski. Another DHS cybersecurity official, Jerry Dixon, said after he left that "nothing is happening" in the department in this area.

Secretary Michael Chertoff

(Credit: Department of Homeland Security)

Along the way, DHS was regularly receiving poor grades--including an F--on computer security report cards released by a congressional oversight committee.

Not helping was what Chertoff once described as "initial concerns" about raising the profile of cybersecurity in a bureaucratic culture that was focused on physical threats, and the decision to leave the top DHS cybersecurity post open for over a year. Greg Garcia got the job in September 2006 and is still there, as is Undersecretary Robert Jamison, who oversees "infrastructure protection."

Part of the problem for DHS, though, is out of its immediate control. The commercial Internet has been built by private companies, who constantly monitor their systems for attacks and know the status and performance of their networks much better than a Washington bureaucracy ever could. Moreover, monitoring of private networks by government agencies raises serious security and privacy concerns.

This is what Chertoff said on Thursday:

I want to begin by saying that I'm very sensitive to the fact that the culture of the Internet, as well as the actual architecture, is one which does not lend itself to government regulation and mandates... We are willing to provide capability to those who want us to provide that capability, but we don't make you do it. And if someone doesn't want to have the government involved and they want to live outside of any kind of government assistance or cooperation, I don't know that we would necessarily be wise to try to make them do it...

And that's why I'm really emphatic about the need to not make this a mandatory system but rather a system where we create opportunities for people. I actually think most people in the private sector will take those opportunities and will accept our invitation. But I also know if we try to make it something that we push onto people, the backlash we are going to see will dwarf the controversies that we've seen with respect to what we've done in the communications field over the last eight years...

And then we're behind the eight ball because we're explaining that we're really not Big Brother. A classic example, before my time, was a search engine--I think it was called Carnivore, which the FBI came up with. And I think it made a lot of sense, but the word "Carnivore" was the absolute wrong thing to have in that program.

Chertoff also said that Bush has been briefed on these topics as recently as the last week--"he's very, very concerned about making sure this vulnerability is adequately reduced and protected"--and said that the next generation of DHS' early-warning system for cyberincidents, called Einstein 3, would go live in the next six months.

Part of the purpose of arranging this week's cyberthreat simulation conference was to help all the relevant parties develop a plan of response in the event of a cyberattack--something that the DHS National Cyber Response Coordination Group has not accomplished.

Booz Allen Hamilton's Singer said it's too early to tell whether DHS will be able to sufficiently manage cybersecurity.

"If you look at some of the constructs in DHS--they have Undersecretary Jamison and the NCSC, the NCSD--it's a pretty tough task to make sure all of those pieces fit together," he said. "Whenever there's people involved, you always have the potential for seams, for things to fall through the cracks. On the first day of the simulation, people were looking for government to solve problems, but by the end of today, people were saying government can't save everything."

CNET's Stephanie Condon contributed to this report

December 7, 2008 10:43 PM PST

Tech commission suggests new cybersecurity post

by Stephanie Condon

The Department of Homeland Security has failed to ensure the nation's cybersecurity, a new report to be released Monday concludes, because the threat of cyberattacks is too vast for any one agency to tackle and must be addressed by a new White House office, as well as revised laws and government practices.

As President-elect Barack Obama fills the remaining cabinet positions in his administration, a Center for Strategic and International Studies commission is recommending Obama create a new office in the White House: the National Office for Cyberspace, headed by an Assistant to the President for Cyberspace. The Commission on Cyber Security for the 44th Presidency, an independent, nonpartisan group, releases its final report Monday after more than a year of exploring how to address the country's cybersecurity threats.

"America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009," the report says. It is "a battle fought mainly in the shadows. It is a battle we are losing."

The immediate risk lies with the economy, the report concludes, given the widespread use of cyberspace to conduct commerce and store intellectual property. However, the scope of threats is much more far-reaching, the commission said, with the most dangerous threats coming from the militaries and intelligence services of other nations.

President Bush charged the DHS with combating cyberterrorism when he created the department in 2002. The DHS runs the National Center for Cybersecurity, yet it is not prepared to address cybersecurity threats, the Government Accountability Office reported in September. The National Cyber Security Initiative established by President Bush in January has received harsh criticism as well, particularly for being too secretive.

Monday's report acknowledges the next administration will have to strengthen the DHS but concluded that even a bolstered DHS "is not the agency to lead in a conflict with foreign intelligence agencies or militaries, or even well organized international cyber criminals."

One of Obama's earliest actions as president, the commission recommends, should be to make a statement declaring cyberspace a vital national asset that will be protected by all instruments of national power.

A new White House office, new regulations

That would mean putting in place a national, comprehensive strategy led by a National Office for Cyberspace and an Assistant to the President for Cyberspace, the commission said. The recommended executive office, staffed with 10 to 20 employees, would merge the DHS National Center for Cybersecurity and the Joint Inter-Agency Cyber Task Force (created by the Director of National Intelligence).

The new office should take a "federated approach" to governing across agencies, modeled after the Office of the Director of National Intelligence, the commission said.

Along with the new office, Obama should establish a new cyberspace directorate in the National Security Council that absorbs existing Homeland Security Council functions, the commission recommended.

"The split between 'homeland' and 'foreign' makes no sense for cybersecurity and, in a globalized world, makes little sense for U.S. security in general," the report reads.

The NOC's overarching responsibilities would include issuing security standards for cyberinfrastructure to other agencies and monitoring their compliance. To best achieve this, the commission said, the Federal Information Security Management Act would have to be revised to allow the NOC to more closely monitor other agencies' cybersecurity efforts.

Other new regulations could include a mandatory requirement for agencies to contract only with telecommunications carriers that use secure Internet protocols.

Criminal laws, like the Wiretap Act and the Stored Communications Act, also need to be reviewed, the commission said, to reflect modern realities like the potential need for rules for remote online execution of a data warrant.

Partnerships abroad and in the private sector

As the U.S. reinforces its own cybersecurity practices, it should continue to do so at the international level as well, the commission said. The U.S. should encourage other nations to ratify the Council of Europe Convention on Cybercrime, it said, and can reinforce such international cybersecurity norms with the threat of sanctions for noncompliance.

Better communication and trust also need to exist between the public and private sectors, the commission said. It recommended the next president create three new public-private advisory groups dedicated to cybersecurity, including a presidential advisory committee to provide a line between the White House and executives from critical cyberinfrastructure companies.

The commission's report identified four critical cyberinfrastructures: energy, finance, the converging information technology and communications sectors, and government services.

"They form the backbone of cyberspace," the report says.
