Whether the White House or the Department of Homeland Security should have the lead role in coordinating U.S. cybersecurity operations was the hot-button question during a Senate hearing today, but securing the nation's infrastructure must start by harnessing the federal government's massive IT buying power, according to the testimony.
Alan Paller, director of research for SANS, told the Senate Committee on Homeland Security and Governmental Affairs that Congress can mitigate the cyberthreat by refocusing the government's cybersecurity from "report-writing" to real-time, automated defenses by strategically deploying the feds' $70 billion annual IT budget.
"The idea of [cybersecurity] leadership isn't if it's the White House or DHS. It's whether you use the $70 billion you spend per year to make the nation safer," Paller told members of the Senate Committee on Homeland Security and Governmental Affairs.
Paller was among three witnesses who testified that a White House official, not DHS, should oversee and coordinate the nation's cybersecurity policy and deployment. James Lewis, director and senior fellow for technology and public policy at the Center for Strategic and International Studies, and Tom Kellermann, vice president of security awareness for Core Security Technologies, concurred. A fourth witness on the panel, Stewart Baker, former assistant secretary at DHS, and now partner at law firm Steptoe & Johnson LLP, was the only one who disagreed.
The feds need to flex their buying muscle to pressure security and software vendors to provide more secure products and versions of products, Paller said. Buying more secure systems "trickles down" because software vendors will then offer more secure products, plus it saves money in the end, he said.
Paller gave the example of the Air Force urging Microsoft to build a more secure version of Windows for its use after the National Security Agency's red team discovered major vulnerabilities in the Air Force's systems. The Air Force saved more than $100 million in procurement costs by deploying a more secure configuration of the Microsoft operating system, he said.
"Microsoft now sells a more secure version to utilities and the defense industry," Paller said. "Once hardware and software get built more securely, there's nothing stopping [vendors] to sell them to everyone."
Paller said Congress' biggest job is to ensure that agencies buy IT products with built-in security. "Technology buyers cannot cost-effectively secure the technology they purchase," he said. "Keep telling agencies to buy security baked-in. That's your great weapon."
Meanwhile, former DHS executive Baker told the committee that creating a new National Office for Cyberspace, as recommended by the CSIS Commission on Cybersecurity for the 44th Presidency, would face the same challenges and problems the DHS experienced in its cybersecurity efforts from the get-go. The Cybersecurity Act of 2009, which was recently introduced in the Senate, also would create a new executive-level office for cybersecurity management.
"DHS's execution of its responsibilities has certainly not been perfect, but it has spent much of the last year improving on its record. It has able new leadership and a head start on creating the capabilities it needs. I would be inclined to build on that foundation rather than starting over," he said.
Core's Kellermann, meanwhile, who served on the CSIS Commission on Cybersecurity for the 44th Presidency, told the committee that a common problem across the federal government is that CIOs lead IT spending decisions, rather than CISOs. "A CIO is focused on productivity and access, whereas the CISO's [perspective] is different," he said.
Kellermann also pointed out that the goal of major cyberattackers is not to disrupt service, but to remain under the radar. "The enemy wants to remain persistent and clandestine, infiltrating your systems. He wants to remain on a mission and to control the integrity of your data and to manipulate you," he said.
And a missing link for DHS thus far, SANS' Paller said, is a "red button," or the ability to pull the plug on agencies that don't implement federal IT security regulations. "If the US-CERT says the Department of Commerce is doing a poor job [in security], and Commerce [refuses to do anything], DHS can't do anything about it," Paller said. "You want them to have the ability to pull the plug on agencies' computers. This is something Congress has not yet wanted to do."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio