Ex-Cybersecurity Czar, Subcommittee Chair Say NTIA-funded Networks Could Have Security Built In

WASHINGTON, March 10, 2009 – Rod Beckstrom, who resigned on March 6 after less than a year as director of the National Cybersecurity Center, said Tuesday that the NTIA could use its rulemaking authority to mandate a baseline of open security standards in stimulus-funded network infrastructure.

Beckstrom spoke with BroadbandCensus.com after he attended, but did not testify at, a hearing before the House Homeland Security subcommittee on Emerging Threats, Cybersecurity, Science and Technology.

He reportedly resigned after equipment orders and leases of office space for his agency were canceled, and his boss, Homeland Security Secretary Janet Napolitano had not had a single meeting with him since she took office in January.

“It’s always easier to bake in security than it is to layer it on afterwards,” Beckstom said when asked if NTIA should include security as a criteria in awarding stimulus grants. The stimulus program is “an opportunity” to try and get things right the first time, he suggested. “When we move into new technologies, we often don’t look at security first.”

While Beckstrom wasn’t familar with the specifics of the NTIA grant process, he said he would support including security in grant criteria: “Obviously there is a benefit if we can get that incorporated into the process.”

Cybersecurity is increasingly important given the nation’s increasing reliance on networks in “every aspect of our lives,” said subcommittee chairwoman Yvette Clarke, D-N.Y. “It is easy to understand why this issue dominates our agenda…too many vulnerabilities exist on two many critical networks,” she said.

And the Bush strategy that “lacked teeth” needs to be replaced with one that places the White House at the top of the chain of command, while using “all of the tools of U.S. power in a coordinated fashion” while holding agencies accountable, she said. Clarke plans to hold two more hearings on cybersecurity topics this month.

The subcommittee hearing was “particularly timely,” given Beckstrom’s resignation, said Rep. Bennie Thompson, D-Miss., who chairs the full committee. While Thompson said he had been optimistic at Beckstom’s appointment, the Bush administration put him in a position without clear lines of authority or a budget, a “no-win situation.” Beckstrom “did not have experience working miracles,” he said – namely overcoming the domination of the National Security Agency in cybersecurity policy formation.

In his letter of resignation, Beckstrom cited the NSA’s incrasing role in protecting both military and government networks as a reason he was returning to Silicon Valley after being hand-picked to head the Bush administration’s “comprehensive national cybersecurity initiative.” The program is meant to protect all government networks against attacks.

In his opening statement, Thompson said there should be a “credible civilian cybersecurity capability” in the government. But it should interface with the NSA rather than being controlled by it, he said. Echoing Beckstrom’s assesment, he said: “I don’t think the answer to our problems in cyberspace comes from giving control of the entire Federal cybersecurity mission to the NSA.”

“Cyberspace should be declared a vital national asset,” said ranking member Daniel Lungren, R-Calif. These critical networks should be protected with a “well-crafted strategy,” he said,  utilizing public-private partnerships “based on trust and cooperation.”

But to date, efforts to protect those assets have not been successful, said Dave Powner, director of information technology management issues at the Government Accountability Office. While then-President Bush initiated several cybersecurity programs, Powner admitted that GAO has “yet to fully satisfy its cybersecurity responsibilities” as prescribed by the Bush strategies. And though GAO is developing new cybersecurity capabilities, Powner said “furher action needs to be taken to address these areas.”

The White House should be at the top of an “accountable, operational  cybersecurity organization,” specifically a new governance structure, Powner said.  Putting the White House will raise the profile of cybersecurity issues and make both public and private sector leaders more aware of emerging threats and problems, he said. And law enforcement capabilities – both national and international – should be improved by increasing cooperation among agencies and other nations, Powner suggested.

“Clearly, NTIA could have a role in [a cybersecurity strategy],” Powner said in an interview. “I think the important thing going forward is with the broadband deployment as it is today, we need to make sure that rollout is secure.” But NTIA’s position with regard to securing networks has been a subject of debate, the agency could certainly help with improving security, he said.

Protecting privacy and providing oversight should be priorities in any cybersecurity strategy, said Microsoft vice president Scott Charney. Before joining Microsoft in 1999, Charney was chief of the computer crime and intellectual property division of the Department of Justice.

“The information age has arrived, but the [U.S.] has not yet built a comprehensive national cyberspace security strategy,” Charney said.  Cybersecurity issues pose unique challenges that “transcend agency boundaries,” he said.

To meet those challenges, a strategy should be coordinated by one organization “responsible for ensuring that the government acts as one government,” Charney said. “If the government wants to use all the instruments of its power…the center of gravity must be in the White House.”

The role of the Homeland Security department should be to set standards – but not mandate specific technologies, he added. Specifying security requirements is “the appropriate role of DHS.”

Further hindrances to a cohesive cybersecurity strategy iinclude law enforcement emphasis on identifying attacks rather than preventing them, and tthe intelligence community’s obsession with classification, secrecy and hiding vulnerabilities rather than defeating them, said NetWitness Corporation CEO Amit Yoran, who helped start the U.S. Computer Emergency Response Team.

Even members of Congress have not been provided with cybersecurity plans developed by the Office of the Director of National Intelligence, “for ill-defined reasons,” he said. “[S]uch a broad overclassification is counterproductive to supporting an effective cyber defense.” And the lack of information sharing among agencies only provides advantages to adversaries, Yoran added.

The U.S. needs to rebuild its cybersecurity procurement systems and technical know-how, beginning at the lowest levels, said Oracle chief security officer Mary Ann Davidson. First, military and intelligence agencies should purchase software that is purpose built, rather than try to adapt and secure ill-designed products.

Congress should enact policy explicitly declaring a “21st century Monroe Doctrine,” Davidson said. Such a policy would encourage development of detection and response mechanisms, and provide a deterrent against all types of attacks against increasingly critical infrastructure, including “smart grid” components, she said.

And as critical infrastructure is built, Davidson said the builders should be trained to “think like a hacker” and assume systems will be attacked. But universities have not been responsive to teaching secure coding practices, she noted.

The lack of built-in security in NTIA-funded broadband networks thatt could become part of the grid is a matter of concern that will warrant additional hearings, Clarke said in an interview after the hearing. “I have been concerned…about our ability to embed some security measures [in broadband],” she said. “Things happen, security can be breached, and we’re at the point where we can understand how to ger that done.”