Should NSA take over federal cybersecurity efforts?
A commission of intelligence experts tells Congress on Thursday that governmental agencies have a critical role in maintaining cybersecurity, but are too secretive to lead the effort.
Political pressure is mounting to eliminate the U.S. Department of Homeland Security's lead role over cybersecurity, a move that that would effectively admit the agency's failure to adequately perform its assigned duties.
But that invites the obvious question: Who should take over? One option would be, as we heard earlier this week, the White House itself. Another choice would be the more shadowy world of intelligence agencies such as the CIA or National Security Agency, which already is responsible for protecting government computers through its "information assurance" arm.
All week, members of a cybersecurity commission forming recommendations for the next administration have been telling Congress that cybersecurity requires senior level policy and program coordination from the White House.
Even though Homeland Security claims that cybersecurity is one of its top priorities, the department is not equipped to handle cyberthreats, says the Center for Strategic and International Studies' Commission on Cybersecurity for the 44th Presidency, a private effort that includes representatives of the so called "intelligence community."
A new White House program on cybersecurity, the commission says, should have clear authority over all the agencies and departments that help keep the country's networks secure. At a hearing on Thursday, members of the commission specifically warned the House Select Committee on Intelligence against letting too much authority fall into the hands of intelligence agencies.
It might be easy for politicians to hand over power to agencies like the CIA or NSA since they already can claim to have critical expertise needed to maintain cybersecurity. "The intelligence community has a vital supporting role," said Paul Kurtz, a partner and COO for Good Harbor Consulting,
In the case of a cybersecurity breach on a critical network, intelligence agencies can be useful in dissecting and analyzing the code found to determine the threat level of the breach as well as the source. Once the enormity and source of a cyberattack is determined, the intelligence community can help the rest of the federal government weigh its response options.
"It doesn't necessarily have to be a response in cyberspace," Kurtz said, adding that the White House could consider military action in response to a cyberattack.
However, cybersecurity "will fall prey to over-classification" if too much authority is given to the intelligence community, said Suzanne Spaulding, an attorney with Bingham McCutchen.
"The intelligence community operates in an environment of secrecy," she said, and "secrecy has significant costs," such as weakening the trust the government has with the private sector and the international community.
The White House has already been inexplicably secretive about its DHS-led National Cyber Security Initiative, Kurtz said. The Defense Department, FBI, Office of the Director of National Intelligence, and other departments have discussed the initiative with the CSIS commission "despite White House wishes," he said.
The CSIS commission is still considering how much authority should be left to the DHS, Kurtz said, such as oversight over certain cybersecurity domains like the U.S. Computer Emergency Readiness Team.
Committee Chairman Silvestre Reyes, D-Texas., said he found it interesting the White House had put the DHS in charge of the initiative in the first place. He called it "the equivalent of somebody drowning and tossing him an anchor."
Congress should step up its oversight of the cyberinitiative, Kurtz said, and form a joint cybersecurity committee. He also suggested the House Intelligence Committee request briefings from the intelligence agencies about how they communicate with the private sector.
He suggested that Congress should implement a common authentication system for critical infrastructure networks, rather than continuing to let states maintain their own.
The federal government also needs to encourage other countries to ratify the Convention on Cybercrime, said Martha Stansell-Gamm, former chief of the Justice Department's Computer Crime and Intellectual Property Section. The convention, she said, gives countries "the permission and capabilities to put their (cybercrime) laws to the service other countries."
CNET's Declan McCullagh contributed to this report