When the U.S. Department of Homeland Security announced last summer that it could seize anyone's laptop, mobile phone, or camera at the border to analyze them for an indefinite period, the criticism was immediate.
Sen. Russ Feingold, a Democrat, called the move "alarming," and the ACLU denounced it as "surrendering your Fourth Amendment rights at the border."
It didn't help that the U.S. Ninth Circuit Court of Appeals already had blessed the practice--meaning that anyone, even U.S. citizens, can have their tangle of gadgetry seized at borders or at international arrivals even if there's zero evidence of illicit activities. (It won't happen to everyone in practice, of course, but DHS nevertheless reserved the right to do it.)
On Thursday, Homeland Security Secretary Janet Napolitano announced new guidelines for searching and seizing electronic devices at the border. In a press release, DHS said the guidelines will "enhance and clarify oversight for searches of computers and other electronic media at U.S. ports of entry."
Rhetoric aside, in reality, not much has changed. Laptops and electronic gear can still be seized and held indefinitely; there's no requirement that they be returned to their owners after even six months or a year has passed, though supervisory approval is required if they're held for more than 15 days. The complete contents of a hard drive or memory card can be perused at length for evidence of lawbreaking of any kind, even if it's underpaying your taxes or not paying parking tickets.
This kind of open-ended scanning should worry anyone who travels internationally, not just privacy advocates. When we have laws like the No Electronic Theft Act, which makes sharing a sufficient number of MP3 files a federal crime, how many college students are unindicted felons? File this under the show-me-the-man-and-I'll-show-you-the-crime department.
Harvey Silverglate, a criminal defense attorney in Boston and co-founder of the Foundation for Individual Rights in Education, has a forthcoming book on this point called Three Felonies A Day. "When a statute is so broad that it catches so much ordinary activity, it's very problematic," Silverglate told me in an interview for CBSNews.com this week.
Here's an excerpt from the Homeland Security directive (PDF) to U.S. Customs and Border Protection: "An Officer may detain electronic devices, or copies of information contained therein, for a brief, reasonable period of time to perform a thorough border search. The search may take place on-site or at an off-site location, and is to be completed as expeditiously as possible."
Once the examination is complete and you have not been deemed a criminal, according to Homeland Security's privacy impact assessment (PDF): "CBP will contact you by telephone when the examination of the electronic device(s) is complete, to notify you that you may pick-up the item(s) during regular business hours from the location where the item(s) was detained. If it is impractical for you to pick up the device, CBP can make arrangements to ship the device to you at our expense." (Who's responsible if it's damaged in transit is anyone's guess.)
Homeland Security said Thursday that it performed approximately 1,000 laptop searches from October 1, 2008, through August 11, 2009.
One way to protect yourself from these searches is to use whole disk encryption from a company like PGP and make sure your laptop is completely powered down when crossing the border.
It's true that under the Obama administration, Homeland Security is trying to discourage agents from adding copies of your digital photos or other private files to their personal collections, and it has warned that trade secrets, journalists' notes, and medical records should be handled carefully. These are improvements over the Bush administration's policy.
But a better rule might be a simple one: require some evidence of wrongdoing--at least some suspicion of illegal activity--before agents start to poke through your PC and assorted gadgetry. This is what a bill introduced last year by Feingold would have done. The problem the Wisconsin senator wanted to address still exists; let's hope his desire to fix it does as well.
Internet companies and civil liberties groups were alarmed this spring when a U.S. Senate bill proposed handing the White House the power to disconnect private-sector computers from the Internet.
They're not much happier about a revised version that aides to Sen. Jay Rockefeller, a West Virginia Democrat, have spent months drafting behind closed doors. CNET News has obtained a copy of the 55-page draft of S.773 (excerpt), which still appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.
The new version would allow the president to "declare a cybersecurity emergency" relating to "non-governmental" computer networks and do what's necessary to respond to the threat. Other sections of the proposal include a federal certification program for "cybersecurity professionals," and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.
"I think the redraft, while improved, remains troubling due to its vagueness," said Larry Clinton, president of the Internet Security Alliance, which counts representatives of Verizon, Verisign, Nortel, and Carnegie Mellon University on its board. "It is unclear what authority Sen. Rockefeller thinks is necessary over the private sector. Unless this is clarified, we cannot properly analyze, let alone support the bill."
Representatives of other large Internet and telecommunications companies expressed concerns about the bill in a teleconference with Rockefeller's aides this week, but were not immediately available for interviews on Thursday.
A spokesman for Rockefeller also declined to comment on the record Thursday, saying that many people were unavailable because of the summer recess. A Senate source familiar with the bill compared the president's power to take control of portions of the Internet to what President Bush did when grounding all aircraft on Sept. 11, 2001. The source said that one primary concern was the electrical grid, and what would happen if it were attacked from a broadband connection.
When Rockefeller, the chairman of the Senate Commerce committee, and Olympia Snowe (R-Maine) introduced the original bill in April, they claimed it was vital to protect national cybersecurity. "We must protect our critical infrastructure at all costs--from our water to our electricity, to banking, traffic lights and electronic health records," Rockefeller said.
The Rockefeller proposal plays out against a broader concern in Washington, D.C., about the government's role in cybersecurity. In May, President Obama acknowledged that the government is "not as prepared" as it should be to respond to disruptions and announced that a new cybersecurity coordinator position would be created inside the White House staff. Three months later, that post remains empty, one top cybersecurity aide has quit, and some wags have begun to wonder why a government that receives failing marks on cybersecurity should be trusted to instruct the private sector what to do.
Rockefeller's revised legislation seeks to reshuffle the way the federal government addresses the topic. It requires a "cybersecurity workforce plan" from every federal agency, a "dashboard" pilot project, measurements of hiring effectiveness, and the implementation of a "comprehensive national cybersecurity strategy" in six months--even though its mandatory legal review will take a year to complete.
The privacy implications of sweeping changes implemented before the legal review is finished worry Lee Tien, a senior staff attorney with the Electronic Frontier Foundation in San Francisco. "As soon as you're saying that the federal government is going to be exercising this kind of power over private networks, it's going to be a really big issue," he says.
Probably the most controversial language begins in Section 201, which permits the president to "direct the national response to the cyber threat" if necessary for "the national defense and security." The White House is supposed to engage in "periodic mapping" of private networks deemed to be critical, and those companies "shall share" requested information with the federal government. ("Cyber" is defined as anything having to do with the Internet, telecommunications, computers, or computer networks.)
"The language has changed but it doesn't contain any real additional limits," EFF's Tien says. "It simply switches the more direct and obvious language they had originally to the more ambiguous (version)...The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There's no provision for any administrative process or review. That's where the problems seem to start. And then you have the amorphous powers that go along with it."
Translation: If your company is deemed "critical," a new set of regulations kicks in involving who you can hire, what information you must disclose, and when the government would exercise control over your computers or network.
The Internet Security Alliance's Clinton adds that his group is "supportive of increased federal involvement to enhance cyber security, but we believe that the wrong approach, as embodied in this bill as introduced, will be counterproductive both from a national economic and national security perspective."
Update at 3:14 p.m. PDT: I just talked to Jena Longo, deputy communications director for the Senate Commerce committee, on the phone. She sent me e-mail with this statement:
The president of the United States has always had the constitutional authority, and duty, to protect the American people and direct the national response to any emergency that threatens the security and safety of the United States. The Rockefeller-Snowe Cybersecurity bill makes it clear that the president's authority includes securing our national cyber infrastructure from attack. The section of the bill that addresses this issue applies specifically to the national response to a severe attack or natural disaster. This particular legislative language is based on longstanding statutory authorities for wartime use of communications networks. To be very clear, the Rockefeller-Snowe bill will not empower a "government shutdown or takeover of the Internet" and any suggestion otherwise is misleading and false. The purpose of this language is to clarify how the president directs the public-private response to a crisis, secure our economy and safeguard our financial networks, protect the American people, their privacy and civil liberties, and coordinate the government's response.
Unfortunately, I'm still waiting for an on-the-record answer to these four questions that I asked her colleague on Wednesday. I'll let you know if and when I get a response.
The U.S. president has announced a comprehensive cybersecurity strategy for the federal government, saying Internet-based threats have risen "dramatically" and the country "must act to reduce our vulnerabilities."
A 76-page White House document calls for a new way of looking at Internet and computer security, saying that private-public partnerships are necessary, collaboration with international organizations will be vital, and privacy and civil liberties must be respected in the process.
Sound familiar? The year was 2003, and the president was George W. Bush, who wrote the introduction to what he called a "National Strategy to Secure Cyberspace."
On Friday, President Obama announced his 76-page "Cyberspace Policy Review"--with precisely the same number of pages as his predecessor's--at an event at the White House.
While the Bush document discusses centralizing cybersecurity responsibilities in the Department of Homeland Security and the Obama document shifts them to the White House, the two reports are remarkably similar. Perhaps this should be no surprise: Obama selected Melissa Hathaway, who worked for the director of national intelligence in the Bush administration and was director of a Bush-era "Cyber Task Force," to conduct the review.
To test your political acumen, we've taken excerpts from both and placed them side by side in the following chart. Can you tell which quotations come from which administration? (An answer key is at the end.)
| Topic | Left column | Right column |
|---|---|---|
| #1: Privacy and civil liberties | "The United States needs a partnership between government and industry to perform analyses, issue warnings, and coordinate response efforts. Privacy and civil liberties must be protected in the process." | "Work with the private sector to explore how best to apply technical capabilities to the defense of the national infrastructure and what legal framework would be required to ensure the protection of privacy rights and civil liberties." |
| #2: Sophisticated attacks | "The attack tools and methodologies are becoming widely available, and the technical capability and sophistication of users bent on causing havoc or disruption is improving." | "The growing sophistication and breadth of criminal activity, along with the harm already caused by cyber incidents, highlight the potential for malicious activity in cyberspace to affect U.S. competitiveness." |
| #3: Public-private partnerships | "The federal government invites the creation of, and participation in, public-private partnerships...The government will continue to support the development of public-private partnerships." | "The federal government should examine existing public-private partnerships to optimize their capacity to identify priorities and enable efficient execution of concrete actions." |
| #4: Crisis responses | "Providing crisis management in response to attacks on critical information systems...In wartime or crisis, adversaries may seek to intimidate by attacking critical infrastructures and key economic functions or eroding public confidence in information systems response." | "The Federal government's obligation to protect the American people and to provide for the common defense includes a responsibility to ensure that the Nation can communicate and respond in times of crisis. The communications system itself might bear the brunt of such events and must have resilience or the capability to recover." |
| #5: Coordination | "The United States must improve interagency coordination between law enforcement, national security, and defense agencies involving cyber-based attacks and espionage..." | "The United States (must) achieve a more reliable, resilient, and trustworthy digital infrastructure for the future.... It presents the need for greater coordination and integrated development of policy." |
| #6: Critical infrastructure | "Our nation's critical infrastructures are composed of public and private institutions in the sectors of agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance..." | "They have also become essential elements in the operation and management of a range of critical infrastructure functions, including transportation systems, shipping, the electric power grid, oil and gas pipelines, nuclear plants, water systems, critical manufacturing, and many others." |
| #7: Terrorists | "Malicious actors in cyberspace can take many forms including individuals, criminal cartels, terrorists, or nation states...The speed and anonymity of cyber attacks makes distinguishing among the actions of terrorists, criminals, and nation states difficult." | "A growing array of state and non-state actors such as terrorists and international criminal groups are targeting U.S. citizens, commerce, critical infrastructure, and government...Exploitation of information networks and the compromise of sensitive data...leave the United States vulnerable." |
| #8: International cooperation | "Enabling our ability to do so requires a system of international cooperation to facilitate information sharing, reduce vulnerabilities, and deter malicious actors." | "Only by working with international partners can the United States best address these challenges, enhance cybersecurity, and reap the full benefits of the digital age." |
| #9: International organizations | "We are also ready to utilize government-sponsored organizations such as the Organization of Economic Cooperation and Development (OECD), G-8, the Asia Pacific Economic Cooperation forum (APEC), and the Organization of American States (OAS), and other relevant organizations to facilitate global coordination on cybersecurity." | "More than a dozen international organizations including...the Group of Eight, NATO, the Council of Europe, the Asia-Pacific Economic Cooperation forum, the Organization of American States, the Organization for Economic Cooperation and Development...address issues concerning the information and communications infrastructure." |
| #10: Catastrophic attacks | "Providing continuity of government requires ensuring the safety of its own cyber infrastructure and those assets required for supporting its essential missions and services." | "The Federal government's obligation to protect the American people and to provide for the common defense includes a responsibility to ensure that the Nation can communicate and respond in times of crisis." |
Answer key: All of the excerpts from the left column are taken from Bush's National Strategy document from February 2003. The right column represents excerpts from Obama's Cyberspace Policy Review document from May 2009.
President Obama on Friday said the U.S. government is "not as prepared" as it should be to respond to disruptions caused by computer or Internet attacks and announced that a new cybersecurity coordinator position would be created inside the White House staff.
The still-to-be-named coordinator will oversee a new bureaucracy tasked with digital infrastructure protection, which had previously been handled by the Department of Homeland Security. "We will ensure that these networks are secure, trustworthy and resilient," Obama said. "We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage."
Obama's announcement, which was expected, came as the president released the outcome of a 60-day review that sought to rethink how the federal government should address cybersecurity. Business groups had sought to raise cybersecurity's profile in the administration but remained wary about regulatory mandates from Washington; security hawks would prefer the new bureaucracy to have more authority over the private sector.
The final report represents a political compromise. It suggests "intrusion detection and prevention systems" and "warning of cyber intrusions and attacks," while stressing that collaboration with privacy groups and industry is vital. New laws compelling companies to share more information with the federal government about intrusions may be necessary, it says, but only "as a last resort."
During his remarks in the White House's East Room on Friday, Obama also seemed to seek a balance between warning of the dangers of terrorists or other miscreants using the Internet and saying the government will not go too far. "Our pursuit of cybersecurity will not -- I repeat, will not include -- monitoring private sector networks or Internet traffic," he said.
The report also goes out of its way to recognize the civil liberties concerns that could arise by a greater focus on private networks: the word "privacy" appears no fewer than 69 times in the document.
In a cybersecurity "crisis," the plan is for the coordinator to become the "White House action officer for cyber incident response." That's a similar role to the White House officials who help to monitor terrorist attacks or natural disasters. (The new coordinator's fiefdom will be shared between the National Economic Council and the National Security Council.)
While there has been some private grumbling that the new coordinator will not report directly to the president -- a prized symbol of access in Washington circles -- reaction to the administration's announcement was generally positive.
Senators John Rockefeller (D-W.V.) and Olympia Snowe (R-Maine), members of the Commerce and Intelligence committees, said in a statement that "no other president in American history has elevated this issue to that level and we thank (Obama) for his leadership." The Center for Democracy and Technology said it "is evident that the report's authors listened to the concerns of privacy and civil liberties groups."
Cybersecurity headaches
The origin of many of the feds' cybersecurity headaches can be traced back to the process that led to the creation of the Department of Homeland Security nearly seven years ago. Politicians in Washington, D.C. decided to glue together a medley of federal agencies to create a massive bureaucracy that would, as one of its new goals, provide a better focus on cybersecurity.
"The department will gather and focus all our efforts to face the challenge of cyberterrorism," President Bush said when signing the 500-or-so-page bill into law in November 2002. "This department will be charged with encouraging research on new technologies that can detect these threats in time to prevent an attack."
Some tasks might benefit from centralization in one of the world's largest bureaucracies. But it soon became evident that cybersecurity was not one of them. By 2005, government auditors concluded that the department failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies; as recently as last fall, DHS Secretary Michael Chertoff said his agency needed to develop a plan to respond to a "cybercrisis."
That led some outside groups to argue that cybersecurity efforts should be taken over by the National Security Agency, which already is responsible for protecting government computers through its "information assurance" arm, or perhaps the White House staff.
Lending an unusual spice to what would normally be a quiet, internecine power struggle was March's resignation of Rod Beckström, director of Homeland Security's National Cybersecurity Center. In his farewell letter, Beckström blasted what he said was an NSA power grab, saying the secretive military agency "effectively controls DHS cyber efforts through detailees, technology insertions."
The week before Beckström's resignation, Director of National Intelligence Admiral Dennis Blair suggested to a House committee that the NSA was ready for the job, saying "there are some wizards out there at Fort Meade." But a few weeks later, after a congressional hearing that was hardly enthusiastic about the idea, NSA director Keith Alexander denied his agency had any interest in the job.
In February, Obama ordered a 60-day review of the federal government's cybersecurity efforts, and appointed Hathaway -- who had worked for the director of national intelligence in the Bush administration -- to lead it.
In addition, The New York Times reported on Friday that the Pentagon is preparing a new military command for cyberspace that would operate in parallel with the civilian effort that Obama is expected to announce. He is "expected to sign a classified order in coming weeks that will create the military cybercommand" and recognize "that the United States already has a growing number of computer weapons in its arsenal and must prepare strategies for their use," the newspaper said.
During Friday's remarks, Obama noted that his campaign had been the subject of a cyber intrusion in which hackers accessed policy papers and travel plans but not fundraising data.
President Obama on Friday is expected to unveil his administration's plans to deal with cybersecurity threats to federal agencies and the private sector, including the creation of a White House "cyber czar."
It's not yet clear who that person will be, or even whether Obama will name someone during his announcement. As part of a political compromise, the new position is expected to be folded into both the National Security Council and National Economic Council.
The announcement, which is scheduled to take place at 10:55 a.m. ET in the White House's East Room, caps years of criticism of the Department of Homeland Security's efforts and months of speculation about what form the replacement cybersecurity bureaucracy will take.
"It provides the president with recommendations for a White House organizational structure that can effectively address cyberspace-related issues," Melissa Hathaway, acting cyberspace director for the White House's National Security and Homeland Security councils, said recently.
No bureaucratic mandate will satisfy everyone: Security hawks would like the "czar" to have authority -- which may mean new laws -- to direct both federal agencies and private businesses on cybersecurity matters. Business representatives, on the other hand, like the potential for increased high-level attention but remain wary of mandates from Washington.
In February, Obama ordered a 60-day review of the federal government's cybersecurity efforts, and appointed Hathaway -- who had worked for the director of national intelligence in the Bush administration -- to lead it. Two months later, Hathaway announced the report had been submitted to the president along with recommendations; it's expected to be made public on Friday.
Earlier this week, the White House offered a hint about how the restructuring would proceed, and indicated that the "czar" would not report directly to the president. Obama's statement on Tuesday said the national security and homeland security staff would be integrated and new positions inside the National Security Council and Homeland Security Council would "deal with new and emerging 21st Century challenges associated with cybersecurity."
In addition, The New York Times reported on Friday that the Pentagon is preparing a new military command for cyberspace that would operate in parallel with the civilian effort that Obama is expected to announce. He is "expected to sign a classified order in coming weeks that will create the military cybercommand" and recognize "that the United States already has a growing number of computer weapons in its arsenal and must prepare strategies for their use," the newspaper said.
Bureaucratic roadblocks
The origin of many of the Feds' cybersecurity headaches can be traced back to the process that led to the creation of the Department of Homeland Security nearly seven years ago. Politicians in Washington, D.C. decided to glue together a medley of federal agencies to create a massive bureaucracy that would, as one of its new goals, provide a better focus on cybersecurity.
"The department will gather and focus all our efforts to face the challenge of cyberterrorism," President Bush said when signing the 500-or-so-page bill into law in November 2002. "This department will be charged with encouraging research on new technologies that can detect these threats in time to prevent an attack."
Some tasks might benefit from centralization in one of the world's largest bureaucracies. But it soon became evident that cybersecurity was not one of them. By 2005, government auditors concluded that the department failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies; as recently as last fall, DHS Secretary Michael Chertoff said his agency needed to develop a plan to respond to a "cybercrisis."
That led some outside groups to argue that cybersecurity efforts should be taken over by the National Security Agency, which already is responsible for protecting government computers through its "information assurance" arm, or perhaps the White House staff.
Lending an unusual spice to what would normally be an internecine power struggle conducted in secret was March's resignation of Rod Beckström, director of Homeland Security's National Cybersecurity Center. In his farewell letter, Beckström blasted what he said was an NSA power grab, saying the secretive military agency "effectively controls DHS cyber efforts through detailees, technology insertions."
The week before Beckström's resignation, Director of National Intelligence Admiral Dennis Blair suggested to a House committee that the NSA was ready for the job, saying "there are some wizards out there at Fort Meade." But a few weeks later, after a congressional hearing that was hardly enthusiastic about the idea, NSA director Keith Alexander denied his agency had any interest in the job.
If any of this sounds familiar, it should. About a year after President George W. Bush took office, his administration announced a highly anticipated, 76-page document called the "National Strategy to Secure Cyberspace" (PDF). Few of its bullet points calling for immediate "response" have been enacted; even fewer people remember what they were.
In the wake of recent reports describing the electric grid's vulnerabilities to hackers, two members of the U.S. Congress have introduced legislation giving federal regulators more authority to combat that possible threat.
The electric grid system that keeps the United States humming is worth more than $1 trillion and keeps the lights on for more than 300 million Americans. Federal regulators have complained they do not have enough authority over the electric grid networks, which recent reports have suggested may be vulnerable to infiltrations by Chinese and Russian spies--a new concern as utilities tie grid-monitoring control systems to open networks like the Internet.
Matching bills were introduced in the House and the Senate on Thursday to increase the authority of the Department of Homeland Security and the Federal Energy Regulatory Commission to secure the electric grid. The bills were introduced by Sen. Joe Lieberman (I-Conn.) and Rep. Bennie Thompson (D-Miss.), who chair the Homeland Security committees in their respective chambers.
"Our cybersystems are under constant attack," Lieberman said in a statement. "We rely on cyberspace for so much of what is at the heart of our way of life, and our systems are not protected. We are focusing on the electricity cyberstructure today because electricity is what so many critical sectors of the economy depend upon."
Utilities are already expected to comply with mandatory cybersecurity standards, but regulators have reported that utilities are likely downplaying the critical nature of their infrastructure to avoid compliance with the rules.
The legislation addresses that by giving FERC, DHS, and other national security agencies the authority to determine which physical or cyber assets should be deemed "critical electric infrastructure." The bill clarifies that "critical" infrastructure should refer to networks that are so vital to the United States that their incapacity would cause significant harm to the country's security, the economy, or public health at a national or regional level.
It also would enable FERC to issue rules or orders to protect critical electric infrastructure against threats--including emergency orders, which could be issued without prior notice if FERC determines an order is needed immediately to protect the grid from an imminent threat. Emergency orders would remain in place for 90 days, unless FERC opened them up to public comment.
In addition, the legislation calls for FERC and the DHS Secretary to establish within 120 days of its enactment interim measures to protect the electric grid.
The DHS would also be responsible for more oversight of grid protection programs. The legislation would require the department to conduct research to determine if the security of critical electric infrastructure has been compromised and to report its findings to Congress. The department would also have to produce regular reports with recommendations for creating a collective domestic response to a cyberattack by a terrorist, nation-state or person.
The legislation comes as the Obama administration is using stimulus spending to push smart-grid development, which would connect the electric grid to more networks.
Acting White House Cyberspace Director Melissa Hathaway addresses the cybersecurity issue during the RSA computer security conference on Wednesday.
(Credit: James Martin/CNET)
SAN FRANCISCO--The federal official overseeing a 60-day review of the U.S. government's cybersecurity efforts indicated Wednesday that the final report recommends shifting more responsibilities to the White House.
"It provides the president with recommendations for a White House organizational structure that can effectively address cyberspace-related issues," Melissa Hathaway, acting cyberspace director for the White House's National Security and Homeland Security councils, said at the RSA computer security conference here.
At the moment, a division of the U.S. Department of Homeland Security coordinates nonmilitary cybersecurity activities and is responsible for building a national "response system" for online attacks and creating a "risk management program" for critical infrastructure.
Hathaway said her report--which has not yet been made public--was finished on Friday and has been sent to President Obama for his approval.
"This responsibility transcends the jurisdictional purview of individual departments and agencies because, although each agency has a unique contribution to make, no single agency has a broad enough perspective to match the sweep of the challenges," Hathaway said.
The announcement of the review led to speculation that the White House's National Security Council or the National Security Agency would be handed more cybersecurity responsibilities, along with a larger budget to carry them out. Although the 2002 law creating DHS centralized cybersecurity responsibilities, it has been repeatedly criticized by government auditors who concluded that DHS failed to live up to its responsibilities and may be "unprepared" for emergencies.
On Tuesday, NSA Director Keith Alexander downplayed reports of a power grab by his agency, saying, "We do not want to run cybersecurity for the U.S. government." The NSA has cybersecurity responsibilities for the U.S. military.
Alexander's remarks appeared to be a response to Rod Beckstrom, former director of Homeland Security's National Cybersecurity Center, whose resignation letter last month blasted what he described as an NSA power grab that could threaten "our democratic processes." That led some members of Congress--including the Democratic chairman of the House Homeland Security Committee--to object to NSA control, which Clinton-era FBI director Louis Freeh echoed a day later.
The RSA conference was punctuated by news reports of the discovery of 1.9 million infected zombie computers in a botnet and a report that hackers stole some specifications from the $300 billion Joint Strike Fighter project. (The Pentagon and Lockheed Martin, the primary contractor, said Wednesday that the report was incorrect.)
Any effort by the Obama administration to reshuffle cybersecurity responsibilities will face a significant challenge: the protocols and hardware that make up today's Internet are created and maintained by the private sector. Companies like Cisco Systems, Microsoft, Google, AT&T, and Verizon--not Washington bureaucracies--operate today's Internet, and it's not clear that outside help will be useful.
"Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law," Hathaway said. "Achieving this vision requires leadership and commitment from the highest levels of government, industry, and civil society."
Forthcoming legislation would wrest cybersecurity responsibilities from the U.S. Department of Homeland Security and transfer them to the White House, a proposed move that likely will draw objections from industry groups and some conservatives.
CNET News has obtained a summary of a proposal from Senators Jay Rockefeller (D-W.V.) and Olympia Snowe (R-Maine) that would create an Office of the National Cybersecurity Advisor, part of the Executive Office of the President. That office would receive the power to disconnect, if it believes they're at risk of a cyberattack, "critical" computer networks from the Internet.
"I regard this as a profoundly and deeply troubling problem to which we are not paying much attention," Rockefeller said at a hearing this week, referring to cybersecurity.
Giving the White House cybersecurity responsibility was one of the top recommendations of a commission that produced a report last year to advise President Obama on cybersecurity issues. However, the Homeland Security Department, which currently has jurisdiction over cybersecurity, has insisted the reshuffling of duties is not needed.
Given the enormity of cybersecurity threats, the responsibility is a natural fit for the White House, said James Lewis, a director and senior fellow at the Center for Strategic and International Studies, which issued last year's commission report.
"The Obama administration has an adviser on energy and climate change, and that's good and important," Lewis said, "but we're still in the mode that cyber is less important."
While the bill is still in draft form and thereby subject to change, it would put the White House National Cybersecurity Advisor in charge of coordinating cyber efforts within the intelligence community and within civilian agencies, as well as coordinating the public sector's cooperation with the private sector. The adviser would have the authority to disconnect from the Internet any federal infrastructure networks--or other networks deemed to be "critical"--if found to be at risk of a cyberattack.
The private sector will certainly speak out if this provision is included in the final draft of the bill, a member of the technology industry who spoke on condition of anonymity said.
"You can be assured that if that idea is put into legislation we would certainly have views on it," he said. "It's not trivial."
While the person did not take a stance on whether the White House is the appropriate place to put cybersecurity jurisdiction, he said, "cybersecurity is a cross-cutting issue, across all government agencies, so leadership at the top is useful."
The bill could also make the proposed cyber adviser responsible for conducting a quadrennial review of the country's cybersecurity program, as well as for working with the State Department to develop international standards for improving cybersecurity.
The draft version of the bill also establishes a clearinghouse for the public and private sectors to share information about cyberthreats and vulnerabilities. It also creates a Cybersecurity Advisory Panel consisting of outside experts from industry, academia, and nonprofit groups to advise the president.
Because many federal contracting officers do not currently include security provisions in federal procurements, the bill could also establish a "Secure Products and Services Acquisitions Board" to review and approve all federal acquisitions.
At Thursday's hearing, Edward Amoroso, AT&T's senior vice president and chief security officer, said the federal procurement process "needs to be upgraded to implement sufficient security protections."
Some industry groups are warning, however, that adding customized requirements to the government's procurement process may inhibit the government's ability to take advantage of the innovations and cost benefits available from commercial technology.
"Simply put, the government cannot reach its security goals by compromising its access to commercial solutions and processes, nor can it technologically or financially afford it," the Business Software Alliance wrote in a memo to Melissa Hathaway, the acting senior director for cyberspace at the White House National and Homeland Security Councils, who is conducting a 60-day review of cybersecurity programs for President Obama. "Rather than imposing overbroad security requirements, government needs to be selective and limit them to high-criticality systems."
The bill may also subject both government and private sector networks to cybersecurity standards established by the National Institute of Standards and Technology. It may also provide for a professional licensing and certification program for cybersecurity professionals.
The senators also want to create greater general awareness of the importance of cybersecurity, so the legislation would expand scholarships for students studying cybersecurity, create an annual cybersecurity competition and prize for students, and initiate a cybersecurity awareness campaign. It would also increase cybersecurity research and development funding for the National Science Foundation.
Lewis said he is very pleased with the Senate's work on this bill so far.
"Having a knowledgeable and powerful group of senators that are willing to pick up the ball and run with it is really encouraging," he said.
Given the broad nature of the legislation--which spans intelligence and homeland security issues, as well as commerce issues--Rockefeller may have to work with the leaders of the Senate Homeland Security Committee and other leaders in the Senate to shape the final version.
An industry insider said, though, that Rockefeller's previous experience chairing the Select Committee on Intelligence will improve the bill's chances of advancing.
"His personal credibility and experience allow him to play a role that another chairman might necessarily have been able to play," the source said.
It's easy to criticize government failures. But as the U.S. Congress is learning in the case of the executive branch's cybersecurity efforts, fixing problems and crafting improvements is a little more difficult.
The U.S. Department of Homeland Security's cybersecurity arm has been under fire practically since its inception, flunking tests by outside auditors and receiving letter grades of "F" from congressional overseers. That invited speculation last year about whether the National Security Agency or the White House should take over responsibility for cybersecurity tasks.
Both ideas met with a lukewarm reception during a congressional hearing on Tuesday. "The mission should not reside in NSA," said Microsoft Vice President Scott Charney, a onetime Justice Department computer crime chief. Charney said if you want the public to trust its government, "it's really important to empower DHS to take the necessary operational role."
Subcommittee Chairman Yvette Clark (D-NY) says the Bush administration failed on cybersecurity because it "stopped short of mandating security changes."
The chairman of the full House Homeland Security Committee, Bennie Thompson (D-MS), felt the same way. "I don't think the answer to our problems in cyberspace comes from giving control of the entire federal cybersecurity mission to NSA," he told the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.
There are "pockets within DHS showing signs of improvement," Thompson added.
And the idea of a White House takeover wasn't wildly popular. "I want to respectfully disagree with those of you who think the White House is a place to put this," said Rep. Paul Broun, a Georgia Republican. He added: "I think this committee, not the White House, should be setting policy."
Making the hearing more lively than usual was last week's resignation of Rod Beckstrom, director of Homeland Security's National Cybersecurity Center. In his farewell letter, Beckstrom blasted what he said was an NSA power grab, saying the secretive military agency "effectively controls DHS cyber efforts through detailees, technology insertions." (The week before, Director of National Intelligence Admiral Dennis Blair suggested to a House committee that the NSA was ready for the job, saying "there are some wizards out there at Fort Meade.")
"It's pretty clear (DHS) have not lived up to those responsibilities," said Dave Powner, a director at the Government Accountability Office, who testified at the hearing. "The question is: do we want to keep working with them...or do we just designate them an operational role and put someone else in charge of coordinating with the private sector and the intelligence community?"
Part of official Washington's dissatisfaction with DHS involves disagreements with not just who should handle cybersecurity topics, but what should be done. Security hawks would like the government to have the authority to order around the private sector. Defense hawks would like more focus on offensive "cyberattacks." Privacy advocates worry about Homeland Security's expansive mission, and remember how the NSA and FBI fought for many years to restrict domestic use of encryption.
"I don't think DHS can effectively lead offensive capabilities we need in cyber," said Amit Yoran, the CEO of monitoring firm NetWitness and a former DHS cybersecurity official. DHS's "key role" should be to protect government networks, he said.
Any significant legislative effort to rethink federal cybersecurity efforts is likely to wait until a two-month review ordered by the Obama administration in February is complete. Rep. Yvette Clark (D-NY), chairman of the cybersecurity subcommittee, said that review is crucial because the Bush administration's "strategy stopped short of mandating security changes. Without teeth, the strategy was never implemented."
CNET's Stephanie Condon contributed to this report.
A top federal cybersecurity official resigned this week in a letter sharply critical of what he described as a power grab by the National Security Agency.
Rod Beckström, director of Homeland Security's National Cybersecurity Center, said in his letter that NSA "effectively controls DHS cyber efforts through detailees, technology insertions," and has proposed moving some functions to the agency's Fort Meade, Md., headquarters.
Rod Beckstrom, director of the National Cyber Security Center, gives a keynote at Black Hat last year.
(Credit: Elinor Mills/CNET)
Beckström was picked for the job in March 2008 and reported to DHS secretaries Michael Chertoff and Janet Napolitano. His letter also took aim at DHS, saying the center "received only five weeks of funding" in the last year because of "roadblocks engineered within the department" and by the White House. (DHS has claimed that cybersecurity was one of Chertoff's "top four priorities for '08.")
The idea of the NSA taking over governmental cybersecurity efforts is not exactly new: it was discussed by a commission organized by the Center for Strategic and International Studies last fall, and the agency already has some related responsibilities. Last week, Director of National Intelligence Admiral Dennis Blair suggested (PDF) to a House of Representatives committee that the NSA would be an appropriate body to take over cybersecurity efforts, saying "there are some wizards out there at Fort Meade who can do stuff."
But Beckström warned that would be a mistake and could significantly threaten "our democratic processes...if all top level government network security and monitoring are handled by any one organization."
Before taking the job at DHS, Beckström co-founded CATS Software, a derivatives and risk management software company, and co-founded Twiki.net, a company that supports open-source wikis. A DHS undersecretary is responsible for the agency's overall cybersecurity efforts.
The National Cyber Security Center has remained partially shrouded in secrecy, with the Bush administration last summer refusing to release information about its budget, what contractors will run it, or how its mission relates to Internet surveillance--on the grounds (PDF) that disclosure could endanger "operations essential to the interests of our nation."
Initially, the White House went so far as to claim (PDF) that the mere existence of the NCSC was classified.
Beckström's resignation takes effect next Friday. Meanwhile, President Obama has assigned Melissa Hathaway, who worked for the director of national intelligence in the Bush administration and was director of a multi-agency "Cyber Task Force," to conduct a two-month review of related federal activities.