
Former Security Chiefs Advise Caution In Reorganizing Cybersecurity Effort

Powell, Garcia, and Schmidt say wholesale reorganization may not be necessary

WASHINGTON, D.C. -- Fortify Executive Summit 2009 -- The U.S. federal government needs to put seasoned leadership and better coordination around its cybersecurity efforts, but President Obama should think twice before doing any wholesale reorganization, several former top-ranking security officials said yesterday.

While attending an executive forum held here, former military and cybersecurity chiefs Colin Powell, Greg Garcia, and Howard Schmidt each commented separately on the federal government's current efforts to re-evaluate the nation's cybersecurity plans, and the potential reorganization of the government's cybersecurity team.

Powell, the former U.S. Secretary of State and Chairman of the Joint Chiefs, spoke only to the full audience at the event and limited his remarks primarily to broad concepts of leadership. However, when he was asked specifically about the potential realignment of cybersecurity leadership and the potential creation of a new cybersecurity office, he encouraged the White House and federal government to exercise caution.

"I'm not quite sure how it's being envisioned, and I smell a bureaucratic fight," Powell said. "We'll see how it evolves. I'm always nervous when people want to create a new command. What happens is that they often become stovepipes, and the [new and old] commands don't talk to each other.

"The other thing that happens is that sometimes you create an organization to solve a problem, and then over time you forget why you created it. It loses its purpose," Powell stated. "In the past, I've found that reorganization is something you do to somebody, not for somebody."

Garcia, who served as Assistant Secretary for Cyber Security and Communications at the U.S. Department of Homeland Security under President Bush, is now operating his own consulting firm, Garcia Strategies. In a telephone interview yesterday prior to the summit, Garcia encouraged the White House and Congress to leave the cybersecurity effort primarily in the hands of DHS.

"DHS has the capabilities to handle the effort," Garcia said. "What the White House needs to do is ensure that the relationships [between agencies] are well-defined. DHS can take responsibility for .com and .net, [the Department of Defense] can handle .mil, [and the Department of Justice] can handle cybercrime. The challenge is putting all the lego pieces together.

"The problem for some agencies is that we see 'mission creep,' where the scope of their missions go beyond its original boundaries," Garcia said. "When that sort of thing happens, the White House needs to step in and play the role of traffic cop and keep things where they should be. The appropriate role for the White House is as a traffic cop, not as the driver for everything."

Garcia said that in his role at DHS, he did not see the mission creep at the National Security Agency that former National Cybersecurity Center (NCSC) Chairman Rod Beckstrom described upon his resignation in March. Beckstrom asserted that the NCSC could not achieve its goals, in part, because of turf wars with the NSA over which agency should lead the cybersecurity effort.

"I think that assertion was an overstatement," Garcia said. "The NSA has certain authorities that DHS doesn't have, and DHS has certain authorities that NSA doesn't have. I don't think there was any illusion that the NSA would lead the program to work with the private industry to improve cybersecurity, nor would there be general acceptance of that across the agencies."

Howard Schmidt, former White House Cyber Security Advisor and former CSO at eBay and Microsoft, said in a telephone interview before the summit that much of the road map for the federal cybersecurity effort has already been laid out from past administrations. "The question is, why aren't we executing on it?" he asked.

Schmidt said one of the chief problems is determining who should set federal and national cybersecurity policies, and who should implement and enforce them. "There's been a lot of back and forth," he observed. "One agency says it should be part of the cyberterrorism program. Another says it should be part of our regular infrastructure management. And the disagreements make it hard to get things done. It took two years just to get Greg Garcia into place."

Schmidt said he is concerned that in some circles of government, "there is a fundamental lack of understanding of what the Internet means to our society." He said that the recent discussion of a "kill pill" -- which would allow the government to shut down some or all of the Internet in times of emergency -- shows that some federal leaders don't grasp the full reach of the technology. "I'm not sure that any of us really know what the impact of that would be," he said.

All three of the leaders stressed the need for the Obama administration to appoint a cybersecurity leader who has firsthand experience with the technology. "I think about that pilot who set the passenger plane down in the Hudson River earlier this year," Schmidt said. "In that situation, do you want someone who's been there, who's been trained and had experience directly with the equipment, or do you want someone who's been writing policy about it? I think we need someone who's really been there."

The results of the White House's 60-day evaluation of the cybersecurity situation are expected to be released "in the coming days," according to Melissa Hathaway, who is heading up the review. The report and recommendations were originally supposed to be released in April.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
