'Cybersecurity commission' to proffer advice to next president

Four members of a group convened by the Center for Strategic and International Studies say the next administration must focus on industry-government collaboration.

Declan McCullagh Former Senior Writer
These 'cybersecurity commission' members spoke at Black Hat on Wednesday evening, from left: Tom Kellermann of Core Security Technologies; Marcus Sachs, Verizon's director of national security policy; Jerry Dixon, director of analysis at Team Cymru; Peter Allor, an IBM security program manager. Declan McCullagh/CNET News

LAS VEGAS--Transitions between presidential administrations are typically influence-peddling, power-consolidating, appointee-vetting exercises run by Washington insiders. Perhaps that's why the quintessential Washington think tank, the Center for Strategic and International Studies, is trying to insert itself into the process.

The private organization, which has close ties to the U.S. military and counts Henry Kissinger on its payroll, has gathered about 35 people and awarded them the official-sounding title of "Commission on Cyber Security for the 44th Presidency." Adding to the formality are some closed-to-the-public meetings and ex-officio members from federal agencies, congressional offices, and the nebulous "intelligence community."

The group's mandate is unusually broad: developing a "forward-looking framework for organizing and prioritizing government efforts to secure cyberspace." But four of its members indicated on Wednesday that the commission is focused on compiling no more than five recommendations and will not be proposing legislation or suggesting dramatic changes.

Marcus Sachs, Verizon's director of national security policy, a former government official, and a commission member, said that stealthy cyberintrusions were a real threat to the security of today's networks.

"In the transition between the Clinton and Bush presidencies in late 2000, there was no group doing what we're doing now...trying to tee up cybersecurity as an agenda item," Sachs said during a panel discussion at the Black Hat security conference here.

"What we're really trying to figure out is how to collaborate" between government and industry, said Peter Allor, an IBM security program manager and a commission member. "Information sharing is broken. It's a one-way send."

Marcus Sachs, who helped create the National Strategy to Secure Cyberspace and is now an executive director for government affairs at Verizon, talks at Black Hat 2008 about the origin of the Commission on Cyber Security and the challenges it will face with a new presidential administration.
(Credit: Elinor Mills/CNET News)

Of course, calling for better information-sharing is like promising to clean up Washington: everyone says it's a good idea, but nothing ever seems to happen. (CNET News, for example, published an interview in 2002 in which the head of the Partnership for Critical Infrastructure Security said better "information sharing" was a "strategic area." In a 2004 follow-up, a senator said "we need a complete system of information sharing" between the private sector and the government.)

One panelist said that the FBI's "InfraGard" information-sharing relationships with the private sector shouldn't change.

"We're not recommending to do away with InfraGard," said Jerry Dixon, director of analysis at the Team Cymru research firm, a former Homeland Security official, and a commission member. "That's something that the executive departments have set up... We're certainly not recommending to do away with those different partnerships because they belong to the different departments."

The CSIS panel is composed mostly of industry, government, and ex-government types. Among the other members: Mary Ann Davidson, Oracle's chief security officer; Doug Maughan, a Homeland Security program manager; Will Pelgrin of New York's cybersecurity office; Phil Reitinger, a Microsoft security strategist; and Amit Yoran, chairman of NetWitness and a former Homeland Security official.

The commission plans to publish the final report in "early November" and, perhaps, an earlier draft for public comment.

"It has to be elevated to the highest echelons of this government and internationally," Tom Kellermann, a vice president at Core Security Technologies, a former World Bank security official, and a commission member, said, referring to cybersecurity topics. "We're losing the war. It's essential. That's the key theme of the recommendations that will come out."

The difficulty is making sure a President McCain or President Obama pays attention to them. The ACLU, for example, presented the incoming President Clinton with a briefing book called "Restoring Civil Liberties: A Blueprint for Action." As it turned out, Clinton embraced the notorious Clipper chip, mandatory wiretapping rules, and attempts to ban encryption products without backdoors for government surveillance.

Then again, even if the CSIS commission finds its recommendations ignored, the identities of its members may not be. In Washington, joining commissions like this one serves a convenient secondary purpose: it just happens to circulate your biography to the people who are doing the hiring for the new president.
