Cyber Security coming to a boil

Posted March 16th, 2009 by

During his campaign, then candidate Obama promised he would, “make cyber-security the top priority that it should be in the 21st century. I’ll declare our cyber-infrastructure a strategic asset, and appoint a national cyber-adviser, who will report directly to me.” Since Obama was elected there has been a great deal of speculation as to what real-life changes in direction and policy that promise would bring.

Last month, President Obama appointed Melissa Hathaway to be a Senior Director of the National Security Council. She immediately launched a 60-day review of security of Federal IT systems. As a result of this effort, there is much speculation that at the end of the 60-day review she will be appointed the National Cyber Advisor–the so-called Cyber Security Czar.

Just this week, the Director of the National Cyber Security Center, Rod A. Beckstrom, over at the Department of Homeland Security resigned. The press reports of Beckstrom’s resignation indicate some frustration on Beckstrom’s part. His frustration seems to be primarily aimed at the National Security Agency (NSA). Beckstrom suggests that the NSA has been subverting his efforts to coordinate cyber security efforts across the intelligence community.

A good friend of mine has suggested that the resignation is simply political and an artifact of the transition from one administration to another. He further suggests that this also signals a shift in cyber security leadership from civilian agencies toward the Intelligence Community taking its turn at leadership. I think he may be right, too. However, I think there is more history here than just a shift in policy from one administration to another.

In my opinion, this isn’t just about politics. There are two drivers for this move. First, Congress and the administration recognize that the on-going assault on government and commercial networks is a national security issue and an economic security and competitiveness issue too. In today’s economic droop people often forget that two of our greatest economic strengths are our accumulated intellectual property and our hard working human capital. Both of these assets are discounted when criminal and national groups successfully attack our nation’s IT infrastructure. Recognizing this is a good thing. I’m not going to recount the long history of cyber assault on Federal IT systems by international cyber criminals and “state-sponsored entities.” Facts and figures concerning this on-going assault and the damage associated with it are just a Google search away.

The second driver for a policy shift is that Congress and the administration recognize that the FBI, Justice, DHS approach to cyber security is an utter failure. This failed approach sees cyber security as a criminal problem with industry participating in its own defense on a ‘voluntary’ basis. This has led to comical activities such as an FBI delegation going to Moscow with hat in hand asking the Russians for help in tracking down successful Cyber Organized Crime groups based in Russia. The fact that these groups may have had strong official or unofficial connections with the Russian government should have given the FBI an indication of the lack of cooperation they would face – I believe in Law Enforcement circles this is usually called a “clue”. Likewise, FBI delegations to Russia trying to track down Russian Cyber attackers that may have had some direct level of state support were equally unproductive. To be fair, the FBI was placed in an impossible position when they were asked to organize delegations like this.

So that kind of sums up the civilian or “law enforcement” approach toward national cyber security.

That leaves us to consider the much discussed alternative, specifically a shift in policy toward giving the intelligence community leadership in providing cyber national security. There have been attempts in the past to give the Intelligence Community greater responsibility for cyber security, but while the Intelligence Community seemed to have the technical resources to address these responsibilities, they were often confused by the mission and hampered by legislation and culture. By temperament, the Intelligence Community is about collection and analysis of information. Once you start asking them to do something about a situation that they have studied or understand well, you are often asking them to not just change their mission but also act against the very culture that made them successful. To understand a situation, the Intelligence Community works quietly, secretly, and in the shadows. To take action, they have to emerge from the shadows and act very publicly. This transition can be difficult and even disastrous. Such transitions can give you the Bay of Pigs, non-judicial detention at Gitmo, and odd-ball assassinations–all sorts of activities that people hate because the actions themselves were not “peer-reviewed” as best security practices.

It’s not that the Intelligence Community is incompetent (well everyone makes mistakes or hides them), it’s just that that transition from intelligence/information collection to public coordination, and policy leadership, with all of the very public meetings, policy reviews, and planning drives the Intelligence Community from a position of strength and expertise to new ground. Unfortunately, another strong element of the culture of the Intelligence Community is that if the President calls, “they haul…” They just can’t bring themselves to say no, even if it’s a bad idea.

That brings us to the question, who should be responsible for cyber security? Well, every government agency wants the mission because of the funding that goes with it. But, it’s not clear who has the right perspective and culture. I suspect that the right answer is to combine the experience and technical know-how from several agencies and to develop some new capabilities. This means that leadership of the effort has to be unambiguous. That is precisely why I believe the Obama Administration will keep the leadership on their new approach to Cyber Security right inside the White House itself. That really shouldn’t be a surprise since that is exactly what Obama as a candidate said he would do.

Enigma Machines Collection at the National Cryptologic Museum photo by brewbooks.


6 Responses

  1.  Me Says:

    If the cyber leadership does stay with the White House, do you think that a limited four year term will allow the time necessary to enact real change? I worry that by making this change that we put ourselves into a situation where a foundation is laid that is later abandoned as a new administration moves into office.
    I worry from a worker bee perspective that this will mean swings and shifts in policy, paperwork, requirements, that require a huge amount of man-hours to implement just to be “compliant”. Compliance is not secure. This leads our already resource constricted departments into working to fill out a new form and check box while not taking care of security itself.

    Change is a difficult necessity, but I worry that a long road lies ahead with few rest stops along the way.

    Apologies for the rant, but new policy, while good, seems to lead to us killing ourselves rushing to become compliant…but never realizing a positive outcome. Thank you for the article, and please keep it up.

  2.  Matt Johnson's Technical Adventures : Link Clearance – 3/17/2009 Says:

    […] Cyber Security Coming to a Boil […]

  3.  Vlad the Impaler Says:

    Ian does it again!

    I guess my problem with the NSA or anyone in the Intel Community taking control of this initiative is that the IC tends to keep what it knows to itself, and, as a rule, does not share important information.

    I understand the rationale for this in warfare and National security — you have a limited set of consumers of Intel information and all the players wear uniforms or have a Government function. A Good Thing. Need to Know is enforced and necessary.

    This simply is not the case with cyber (there, I’ve said cyber.) Everyone with a computer has a Need to Know!

    You have a situation where every citizen is potentially threatened — not from a well-defined enemy, but by shadowy, well-“armed” predators. In some cases, these are state-sponsored entities. My point is that we’re not just looking at CINCs or Guvvie decision-makers needing intel products for cyber defense — EVERYONE — including Industry, State & Local Governments down to Mom & Pop — needs to benefit from the work of the IC in this scenario.

    Kinda reminds you of the Global War on Terror (that has been officially retired). What’s incredibly ironic is that we’re taking prosecution of that war away from the IC and handing it to civilian law enforcement and putting cyber into the hands of the intel community. …and we expect success from both of these developments?!

    (By my count, we’ve done this switch twice now… one more time and we’re certifiably insane!)

    So what do we need to do? One answer is that we need something new that isn’t FBI, CIA, DOJ or DHS. It’s about time for something like Clancy’s NetForce — quasi-military, quasi-IC, and quasi-civilian-LEA.

    There. I only said ‘cyber’ once in context… DOOH!

    I think I need to write a blog post on why I hate the use of THAT c-word…



  4.  Grecs Says:

    Instead of having all the different agencies fighting over the funds … maybe we should build security into every agency.

  5.  Grecs Says:

    Agree on the c-word thing… But it just sounds so sexy. 🙂

  6.  In Response to “Cyber Security Coming to a Boil” Comments…. | The Guerilla CISO Says:

    […] CyberwarEd Bellis’s Little SCAP Project | The Guerilla CISO on Comments on SCAP 2008Grecs on Cyber Security coming to a boilGrecs on Cyber Security coming to a […]
