Editor's Note:This is the second part of a two-part story on cybersecurity. The first part appeared in the July edition of The Metropolitan Corporate Counsel and can be found at www.metrocorpcounsel.com/ current.php?artType=view&EntryNo=9946.
Cybersecurity Strategy In The Executive Branch
During the week of May 26, the Obama administration also announced that it would combine the Homeland Security Council (HSC) and the National Security Council (NSC) into a new entity called the National Security Staff (NSS). This is important because HSC previously had a significant cybersecurity portfolio. The NSS will comprise approximately 240 staffers who will report to National Security Advisor James L. Jones. This initiative is intended to better coordinate the offices that previously had policy purview over homeland security and national security issues. Both Homeland Security Committee Chairmen Sen. Joe Lieberman (D-CT) and Rep. Bennie Thompson (D-MS) have endorsed this change. Republican reaction to this initiative has been mostly positive, although both Homeland Security Committee Ranking Members Sen. Susan Collins (R-ME) and Rep. Peter King (R-NY) have expressed concerns regarding organizational focus and coordination.
In early 2003, the Bush administration released the "White House National Strategy to Secure Cyberspace." This strategy document indicated that the Department of Homeland Security (DHS) would play a central role in securing cyberspace and serve as the primary federal point of contact for cyber issues - particularly for the private sector and state and local stakeholders. Late in 2003, Homeland Security Presidential Directive (HSPD)-7 established overall policy for securing critical infrastructure and key resources and identified DHS as a central player in cybersecurity. Specifically, HSPD-7 directed DHS to maintain an organization that serves as a focal point for cybersecurity and that facilitates interactions and collaboration between federal agencies and other stakeholders. These documents did not overlook other agencies' core competencies such as the Department of Justice's (DOJ) law enforcement role, Department of Defense's (DOD) national defense role, the CIA's intelligence role, the State Department's international cooperation role and the Department of Commerce's standard setting role (NIST).
Under the previous administration, the Office of Management and Budget (OMB) also had and is expected to continue to have a significant role in securing federal networks in part because it has oversight for implementation of the Federal Information Security Management Act (FISMA). FISMA requires agencies to inventory and implement security controls for federal information technology systems. However, many experts believe FISMA is inadequate to address federal network cybersecurity issues as it is mainly a reporting mechanism. In 2007, OMB took action to secure federal networks with its mandate for a Federal Desktop Core Configuration (requiring standard security settings for desktops) and the Trusted Internet Connections (TIC) Program (requiring efforts to minimize federal external connections and to monitor for intrusions).
In January 2008, the Bush administration launched a classified cyber effort called the Comprehensive National Cybersecurity Initiative (CNCI) that was outlined in Homeland Security Presidential Directive (HSPD-23). CNCI was launched as multi-year $17 billion program, but few details have been released. However, media reports in late 2008 reported senior administration officials saying that the 12 CNCI objectives are:
• Move towards managing a single federal enterprise network;
• Deploy intrinsic detection systems;
• Develop and deploy intrusion prevention tools;
• Review and potentially redirect research and funding;
• Connect current government cyber operations centers;
• Develop a government-wide cyber intelligence plan;
• Increase the security of classified networks;
• Expand cyber education;
• Define enduring deterrent technologies and programs;
• Develop multi-pronged approaches to supply chain risk management; and
• Define the role of cybersecurity in private sector domains.
As part of the CNCI effort and the continuing TIC effort, the Bush administration - in 2008 - spent significant time and resources launching an intrusion detection tool called EINSTEIN. This tool was developed by DHS to monitor and automatically collect and analyze information on agency network security. In addition, the National Cybersecurity Center was established within DHS as part of the CNCI to provide situational awareness on network security across the federal government. The CNCI was intended to serve as a cross-domain awareness platform with at least six different agencies with cyber-related responsibilities providing information to CNCI.
Agency Stakeholders In Cybersecurity
Currently - in terms of organization - the Pentagon and the National Security Agency (NSA) safeguard military networks while DHS is responsible for securing the federal civilian networks and for providing assistance largely through information sharing to the private sector.
Organizationally, DHS has located the cybersecurity portfolio in the National Protection and Programs Directorate (NPPD), which oversees the National Cybersecurity Division and the U.S. Computer Emergency Response Team (US CERT). US CERT is a key operational entity that monitors networks/cybersecurity trends and facilitates information sharing with the private sector. DHS also houses the National Cybersecurity Center.
NPPD also oversees critical infrastructure protection activities-which includes cybersecurity and coordination with the private sector. DHS's infrastructure protection division coordinates the Critical Infrastructure Partnership Advisory Council (CIPAC) which - through a series of cross-sector groups and specific sector groups - facilitates planning and information sharing between the federal government and the private sector. In 2008, CIPAC established a cross-sector cybersecurity working group to facilitate coordination on cross-sector cybersecurity issues.
Other agencies with cybersecurity responsibilities include: DOJ/FBI, Office of Director of National Intelligence (DNI), DOD, NSA, Department of State and Department of Commerce. The DOJ/FBI bring the law enforcement expertise to bear on cybersecurity issues. DNI has the counterintelligence role while NSA is traditionally the owner of the most robust technology within the federal government for cybersecurity. NSA has been developing tools to monitor federal networks.
In late April 2009, the DOD focused its cybersecurity efforts by establishing a new cyber command that will be led by National Security Agency Director Keith Alexander. Initially, this new command will be part of the U.S. Strategic Command and responsible for securing the military networks and initiating cyber attacks. The new cyber command is expected to be operational in October 2009. DOD has also requested significant funding in its FY 2010 budget to hire hundreds of cybersecurity experts. The State Department will continue its international coordination role while the Department of Commerce's NIST will likely play a key role setting standards.
Cybersecurity Legislation In The 111th Congress
At the end of this article is a link to a chart entitled "Cybersecurity Legislation in the 111th Congress," which lists pending cyber-related legislation, demonstrates that Congress is focused on cybersecurity this year and is certain to weigh in on a number of cybersecurity issues. The bills by Senate Commerce Committee Chairman Jay Rockefeller (D-WV) (S.773 and S. 778) and Sen. Tom Carper (D-DE) (S.921) address structural change within the government.
Sen. Rockefeller's bills are the most promising legislative vehicles for enacting cybersecurity structural change in this Congress. This legislation, like the just-released review, would establish a "Cyber Czar." In an effort to combat jurisdictional turf battles, Sen. Rockefeller introduced his proposal into two separate bills. S. 778 creates a new "Cyber Czar" within the Executive Office of the President (EOP) and has been referred to the Senate Committee on Homeland Security and Government Reform. Meanwhile, the Cybersecurity Act of 2009 (S.773), would create a Cybersecurity Advisory Panel that would advise the President and be composed of outside experts from industry, academia, and nonprofit groups. The bill would also create a public-private clearinghouse for cyber threat and vulnerability information sharing, and establish measurable and auditable cybersecurity standards in coordination with the National Institute of Standards and Technology (NIST). Furthermore, S. 773 creates a number of new Department of Commerce-related action items under the purview of the Cyber Czar. The administration reportedly provided support and assistance in drafting these bills and it is worth noting that Rockefeller and Sen. Olympia Snowe (R-ME) have both been very vocal regarding the importance of passing these initiatives.
The United States Information and Communications Enhancement (U.S. ICE) Act of 2009 (S. 921), as introduced by Sen. Carper, would establish a National Office for Cyberspace in the White House, which would oversee the execution of cybersecurity policies and procedures in the federal government. The Office's Senate-confirmed director would be charged with working with industry and developing "lock down" configurations for off-the-shelf products and services used by agencies as well as pre-certifying technologies to the extent practicable. In addition, within 180 days of the bill's enactment, Congress would receive a report describing potential cost savings and security enhancements as well as recommendations for legislative or executive branch actions. Individual agencies would have a range of new security responsibilities, including an annual independent evaluation of their information security programs and practices.
Meanwhile, on the House side, Chairman of the House Homeland Security Committee Bennie Thompson has publicly stated that he believes cybersecurity should be controlled by a government agency (DHS) that interfaces with but is not controlled by the NSA or an office within the EOP. Under this proposal, the Homeland Committee will retain jurisdiction and it will address the strong reticence to place the NSA in a leading role due to perceived civil liberties issues. Senate Homeland Security Committee Ranking Member Susan Collins concurred by saying that putting the cybersecurity program in the White House would lead to "more secrecy and less Congressional oversight."
There are also other legislative vehicles related to cybersecurity that are receiving Congressional attention. The Networking and Information Technology Research and Development Act of 2009 (H.R. 2020), which was authored by Rep. Bart Gordon (D-TN), has passed the House and now awaits consideration in the Senate. The IT Investment Oversight and Waste Prevention Act (S. 920), introduced by Sen. Tom Carper, was marked up and reported favorably from the Senate Homeland Security and Government Affairs Committee last week. In addition, Rep. Bobby Rush's (D-IL) Data Accountability and Trust Act (H.R. 2221) and Rep. Mary Bono-Mack's (R-CA) Informed P2P User Act (H.R. 1319) have been the focus of recent hearings before the House Energy and Commerce Committee.
Please visit http://www.wileyrein.com/ resources/documents/fm14191.pdf for the chart "Cybersecurity Legislation in the 111th Congress."
Published August 5, 2009.
