Former W.H. Official: In the Event of a Cyberwar, Don’t Call DHS
But in the event of a wide-scale cyber-attack in the United States, don’t call DHS, said one former government insider.
“If we do ever have a cyberwar, it will be won or lost in the private sector,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council. Healey served as the White House director of cyber infrastructure protection from 2003 to 2005.
Most of the Internet is in the private sector’s hands, along with most of the expertise in combating cyber-attacks, suggested Healey, who also worked at the National Security Agency and was there at the founding of the Joint Task Force — Computer Network Defense, the Pentagon’s first joint cyber war-fighting unit. Healey made his comments at the National Press Club in Washington, D.C. Jan. 30 during a panel discussion marking the release of a report, “Cyber-Security: The Vexed Question of Global Rules,” produced by McAfee and the Security Defense Agenda, a Brussels-based think tank.
“Tick through in your heads. How many major incidents have we had that the solution has started at DHS? If you are under attack, who do you really want on your side? DHS, or McAfee or Microsoft, or AT&T?” he asked.
The National Cyber Incident Response Plan names the DHS-run National Cybersecurity and Communications Integration Center as the lead agency for dealing with large-scale cyber-attacks. But Healey has little regard for this organization.
The NCCIC is responsible for the production of a common operating picture for cyber and communications across the federal, state, and local government, intelligence and law enforcement communities and the private sector. It is operated within DHS’ office of cybersecurity and communications, a component of the National Protection and Programs Directorate, according to the DHS website.
The Defense Department, Department of Justice, FBI, Secret Service and the National Security Agency are among the entities that are supposed to share information at the center.
Healey and other panelists decried the lack of information sharing between federal agencies. And that goes for sharing information with the American people as well.
Stewart Baker, a partner at the Steptoe & Johnson law firm, and former assistant secretary for policy at DHS, said for a decade the U.S. government was too secretive about the cyberthreat. So the public and the private sector are just now beginning to grasp the problem.
Healey agreed. “If it weren’t for the press, the American people [and] American companies would not know about the threat,” he said.
He recalled going to a conference last year where he was expected to brief senior leaders involved in national security on cyber-issues, but he didn’t have anything to show them in terms of official reports that could explain the situation. “There is no government document we could use. We used Vanity Fair articles to try and say, ‘here is what the threat is,’”
“When it comes to the government, if you want to convince us of the threat, tell us, don’t leak it. Because right now we are kind of dependent on the press,” he said.
At a separate event at the press club later in the day, DHS Secretary Janet Napolitano touted the department’s cybersecruity accomplishments. At her annual address on the “state of America’s homeland security,” she said DHS is “deploying the latest tools across the federal government to protect critical systems while sharing timely and actionable security information with public and private sector partners to help them protect their own operations.”
Representatives from such industries as financial services, electric power industry and the telecommunications are working at DHS alongside its own cybersecurity experts to prevent, identify, and address cyber-incidents, she said.
“Beyond protecting the computer networks of the civilian side of our government, we are leading the effort to protect our nation’s critical information infrastructure — the systems and networks that support them, to name a few,” she added.
DHS’ computer emergency readiness team responded to more than 100,000 incident reports, and released more than 5,000 actionable cybersecurity alerts to federal, state and private sector partners, she said.