When it Comes to Cybersecurity, the ‘Who is Responsible for What?’ Debate Continues
Generally, the Defense Department is responsible for its own networks, and the Departments of Homeland Security and Justice for the remainder of the nation. The FBI has the duty to investigate Internet-based crimes, espionage and attacks. DHS has made the Internet part of its critical infrastructure protection programs, but it has no regulatory authority to make an electric company, for example, update its computer security protocols.
The U.S. government is serious when it comes to developing its cyber-offense capabilities, “but is lackadaisical” when it comes to defense, said Michael Peters, a former National Security Agency employee, who currently serves as chief cybersecurity advisor to the Federal Energy Regulatory Commission.
An example of the federal disconnect is the growing smart grid movement. These new power distribution systems, designed to more efficiently move electricity to where customers need it most, are being promoted by the Obama administration with stimulus money, but there are no security requirements attached to the Department of Energy grants to ensure that utility companies are building security measures into the systems from the ground up.
“Smart grids are not so smart,” said Stewart Baker, a visiting fellow at the Center for Strategic and International Studies and co-author of “In the Dark: Critical Industries Confront Cyberattacks,” a report sponsored by Internet security provider McAfee.
He likened it to the very beginning of the Internet itself, when security measures were not built into the system. This is exactly what is happening with smart grids today, which rely on the Internet for command and control.
Should the government force critical infrastructure in private-sector hands to comply with computer security requirements? The report showed that in countries such as Japan and China, where government auditors make sure that companies comply with computer network requirements, there is significantly better security, Baker noted during a panel discussion held in Washington, D.C.
On May 12, President Obama revealed a set of legislative proposals that would make critical infrastructure operators in the private sector list their threats and vulnerabilities, and then address them with a risk mitigation plan. A third-party auditor would then assess the plan.
Kevin Gronberg, senior counsel on cybersecurity matters to the House Homeland Security Committee, said prior to the president’s speech that he was skeptical that legislation would do more than catch the “low hanging fruit.” Forcing companies to “check the box” on certain security requirements may not be effective, he added.
“A compliance regime is extremely important but is unfortunately not the be all and end all” solution, he said. Federal agencies that are 100 percent compliant with network security rules have still suffered massive data losses from hackers, he said.
The Homeland Security Committee is in the early stages of writing legislation, he said, but noted that, like the executive branch, there are a lot of players in the cybersecurity realm. Many committees, especially in the House, claim jurisdiction over the matter. “Ensuring that all those players are up to speed, contributing, and are heard, is going to be a gigantic task in and of itself,” Gronberg said.
And he is concerned that if comprehensive cybersecurity measures were to pass, Congress would walk away from the matter and believe that it had been solved.
Meanwhile, retired Marine Corps Gen. Peter Pace, former chairman of the Joint Chiefs of Staff, would consolidate federal network security efforts under one roof. He recommended handing over the Department of Homeland Security’s cybersecurity responsibilities to the head of the newly created U.S. Cyber Command.
“The number of 10-pound brains in any nation is limited,” he said, referring to the difficulties the government has had in hiring cyber-experts. Speaking at a cybersecurity conference in Colorado Springs, Colo., Pace said the United States does not need to “replicate” the National Security Agency.
Army Gen. Keith Alexander wears two hats, one as commander of U.S. Cyber Command under the secretary of defense and the second as the director of the NSA, under the director of national intelligence. He should wear a third hat and answer to the DHS secretary, Pace said.
There would be privacy concerns and misgivings about the U.S. military working in the domestic realm, but “it needs to be done,” Pace said.
Both the NSA and Cyber Command are located at Fort Meade, Md. The NSA specializes in cryptology and eavesdropping but is also responsible for protecting U.S. government communication systems.
On the investigative side, evidence of inter-agency turf wars emerged in April with the release of a Justice Department inspector general report, “The Federal Bureau of Investigation’s Ability to Address the National Security Cyber Intrusion Threat.” It described the FBI’s reluctance to share information with other partners on the National Cyber Investigative Joint Task Force, which was specifically organized for that purpose. The redacted report said representatives from non-FBI agencies were routinely asked to leave in the middle of meetings when the FBI didn’t want them to hear specific information. In one case, FBI agents refused to share information with the Naval Criminal Investigative Service.
“Each agency decides the information it will share and not share,” the report said.