Former Security Chiefs Advise Caution In Reorganizing Cybersecurity Effort
Powell, Garcia, and Schmidt say wholesale reorganization may not be necessary
WASHINGTON, D.C. -- Fortify Executive Summit 2009 -- The U.S. federal government needs to put seasoned leadership and better coordination around its cybersecurity efforts, but President Obama should think twice before doing any wholesale reorganization, several former top-ranking security officials said yesterday.
While attending an executive forum held here, former military and cybersecurity chiefs Colin Powell, Greg Garcia, and Howard Schmidt each commented separately on the federal government's current efforts to re-evaluate the nation's cybersecurity plans, and the potential reorganization of the government's cybersecurity team.
Powell, the former U.S. Secretary of State and Chairman of the Joint Chiefs, spoke only to the full audience at the event and limited his remarks primarily to broad concepts of leadership. However, when he was asked specifically about the potential realignment of cybersecurity leadership and the potential creation of a new cybersecurity office, he encouraged the White House and federal government to exercise caution.
"I'm not quite sure how it's being envisioned, and I smell a bureaucratic fight," Powell said. "We'll see how it evolves. I'm always nervous when people want to create a new command. What happens is that they often become stovepipes, and the [new and old] commands don't talk to each other.
"The other thing that happens is that sometimes you create an organization to solve a problem, and then over time you forget why you created it. It loses its purpose," Powell stated. "In the past, I've found that reorganization is something you do to somebody, not for somebody."
Garcia, who served as Assistant Secretary for Cyber Security and Communications at the U.S. Department of Homeland Security under President Bush, is now operating his own consulting firm, Garcia Strategies. In a telephone interview yesterday prior to the summit, Garcia encouraged the White House and Congress to leave the cybersecurity effort primarily in the hands of DHS.
"DHS has the capabilities to handle the effort," Garcia said. "What the White House needs to do is ensure that the relationships [between agencies] are well-defined. DHS can take responsibility for .com and .net, [the Department of Defense] can handle .mil, [and the Department of Justice] can handle cybercrime. The challenge is putting all the Lego pieces together.
"The problem for some agencies is that we see 'mission creep,' where the scope of their missions goes beyond their original boundaries," Garcia said. "When that sort of thing happens, the White House needs to step in and play the role of traffic cop and keep things where they should be. The appropriate role for the White House is as a traffic cop, not as the driver for everything."
Garcia said that in his role at DHS, he did not see the mission creep at the National Security Agency that former National Cybersecurity Center (NCSC) Chairman Rod Beckstrom described upon his resignation in March. Beckstrom asserted that the NCSC could not achieve its goals, in part, because of turf wars with the NSA over which agency should lead the cybersecurity effort.
"I think that assertion was an overstatement," Garcia said. "The NSA has certain authorities that DHS doesn't have, and DHS has certain authorities that NSA doesn't have. I don't think there was any illusion that the NSA would lead the program to work with the private industry to improve cybersecurity, nor would there be general acceptance of that across the agencies."
Howard Schmidt, former White House Cyber Security Advisor and former CSO at eBay and Microsoft, said in a telephone interview before the summit that much of the road map for the federal cybersecurity effort has already been laid out from past administrations. "The question is, why aren't we executing on it?" he asked.
Schmidt said one of the chief problems is determining who should set federal and national cybersecurity policies, and who should implement and enforce them. "There's been a lot of back and forth," he observed. "One agency says it should be part of the cyberterrorism program. Another says it should be part of our regular infrastructure management. And the disagreements make it hard to get things done. It took two years just to get Greg Garcia into place."
Schmidt said he is concerned that in some circles of government, "there is a fundamental lack of understanding of what the Internet means to our society." He said that the recent discussion of a "kill pill" -- which would allow the government to shut down some or all of the Internet in times of emergency -- shows that some federal leaders don't grasp the full reach of the technology. "I'm not sure that any of us really know what the impact of that would be," he said.
All three of the leaders stressed the need for the Obama administration to appoint a cybersecurity leader who has firsthand experience with the technology. "I think about that pilot who set the passenger plane down in the Hudson River earlier this year," Schmidt said. "In that situation, do you want someone who's been there, who's been trained and had experience directly with the equipment, or do you want someone who's been writing policy about it? I think we need someone who's really been there."
The results of the White House's 60-day evaluation of the cybersecurity situation are expected to be released "in the coming days," according to Melissa Hathaway, who is heading up the review. The report and recommendations were originally supposed to be released in April.