Does DHS Have Too Much Cybersecurity Authority?Bruce McConnell Talks About Trust, DHS Responsibilities
U.S. citizens understand the role of government in maintaining security in the real world, but that's not yet the case in the virtual world, says Bruce McConnell, who recently stepped down as the top cybersecurity policymaker at the Department of Homeland Security.
"I'm responsible for locking my house and the police are responsible for patrolling the street," McConnell says in the second of a two-part interview with Information Security Media Group (see transcript below). "We're not there yet in cybersecurity, so it makes sense that there's hesitation about where to assign things to the government and where to leave it to the private sector."
And, McConnell says, that partly explains why some members of Congress are reluctant to give DHS authority to govern civilian agency cybersecurity, a goal of the Obama administration.
"We as a society and even globally have not defined and are not clear or in agreement in any way on the role of government in securing cyberspace," says McConnell, who earlier this summer left DHS after a four-year stint as senior counselor and acting deputy undersecretary for cybersecurity to join the EastWest Institute, a global think tank, as senior vice president.
"This is different than any other area of security where we do understand the role of government," he says.
Still, he says, President Obama has recognized DHS in his executive order and presidential policy directive as being responsible for protecting critical infrastructure (see Obama Issues Cybersecurity Executive Order).
"It would be helpful to DHS to perform that mission if the Congress were able to codify some of those authorities just to make things clear for everybody," he says.
There's also a trust issue surrounding DHS, which McConnell understands. "I think everybody would agree [it's] a mixed bag," he says. "It's a young agency and it's still growing and learning how to be responsible and become more mature."
Yet, McConnell voices confidence in DHS's abilities and responsibilities surrounding cybersecurity. "If you think about where you might want to assign cybersecurity responsibilities in the government, it would be hard to do better than with DHS," he says.
McConnell, in the second part of the interview:
- Addresses the impact of the turnover of top leaders at DHS on the department's cybersecurity mission (see It's Official: Schneck Takes DHS Post);
- Assesses the challenges of getting cyberthreat information sharing legislation enacted by Congress.
In part one of the interview (see Exit Interview: DHS's Bruce McConnell), McConnell discusses the impact of a politically dysfunctional Congress (see Cybersecurity Legislation: What's Next?), the cybersecurity framework being developed under the auspices of the National Institute of Standards and Technology (see Identifying Gaps in Cyber Framework) and the need to create global institutions to improve Internet security governance.
Before joining DHS as senior adviser for cybersecurity in 2009, McConnell served on the Obama-Biden presidential transition team, working on a variety of information policy and technology issues. During the first eight years of the millennium, McConnell worked as a consultant. In 1999 and 2000, he coordinated year 2000 computer remediation programs for 120 nations.
As chief of information policy and technology in the White House Office of Management and Budget from 1993-1999, McConnell led the government-industry team that reformed U.S. encryption export policy, created an information security strategy for government agencies, redirected government technology procurement and management along commercial lines and extended the presumption of open government information onto the Internet.
Information Sharing Legislation
ERIC CHABROW: Please offer your assessment on stalled legislation before Congress that would encourage industry to share with the government cyberthreat information.
BRUCE McCONNELL: I think there are two issues in the current information sharing legislative discussion. One is: Where in the government is information shared? The House decided not to decide and created reporting of cybercrimes to FBI and cyber-incidents to DHS, and actually that can work. In fact, recently, FBI created iGuardian, which is the premier portal for reporting cybercrimes. Of course, if your house or business is on fire, you don't call the investigators first; you call the fire department, and that's what DHS is creating, basically the cyber-911 fire department concept.
It's like the kinds of fire departments we find in many mid-size American communities, where there's a core professional staff, and volunteers who have been trained and skilled from across the community [who] come when there's a major fire. That's what happens today on the operations floor of the NCCIC at DHS. It's a community, a village, including the private sector as well as DHS's partners, the NSA and the FBI. I think there's a way forward in getting that worked out where it's clear that when you need to get things investigated, obviously after the fire has been put out the FBI is the place to go for coordinating money for those investigations.
The second problem with information sharing is the question of how much liability protection should be given to firms for sharing information and other cybersecurity practices, because it gets into the critical infrastructure stuff. The information sharing legislation also looks at what people do with government information that they receive. The privacy questions had to do with the sharing to the government, but there's also sharing from the government to private sector. If firms in the private sector then take action based on information received to the government, such as there's a warning of some sort or a countermeasure of some sort that's promoted by the government, firms take action based on that information and their customers lose service or something like that as a result of it, then are they liable for taking that action? I think the details of that still have not been worked out. I heard there were some good discussions going to get that done, but it's complicated and nuanced. The runway is getting pretty short in this session.
CHABROW: How reliant should businesses be on DHS or on the government in helping them secure their IT infrastructures?
McCONNELL: My experience when I was at DHS is that there are some examples of good government and private-sector collaborations. Last month, during one of the DDoS attacks against financial services companies, DHS turned around indicators that it had received from some of the banks who were being attacked and turned those back around and put them out to the larger community while the attacks were still going on. That was a 100x improvement in speed over six months ago in terms of the time it took us to check those indicators, validate them and then send them back out. When it works well, there's good two-way information sharing between the private sector and the government. I don't think either side of the table can rely on the other to protect them. They all have to work together to make it happen.
CHABROW: Tell me about the cooperative research and development agreements for information security?
McCONNELL: These CRADAs are a tool that we're using to arrange bilateral information sharing with specific companies. The CRADAs allow each company to tailor the conditions and how the information will be used by the government and that kind of thing. They're being used with companies who find value in the information they get from DHS and also find value in sharing information with DHS. DHS I think has signed some four dozen of those, and one of the things that's happening now is that companies who have signed the CRADAs are getting together in DHS-hosted meetings and sharing information on a multi-lateral basis with each other in a very open way. We're starting to create a circle of trust with key security companies and a place for those conversations to happen, which I think is encouraging.
CHABROW: Can you give an example of the kinds of information being shared?
McCONNELL: Absolutely. In one meeting recently, a major aerospace company was talking about specifics about a kind of intrusion it had seen, what the attack vector looked like, what the rest of the tactic techniques were and how it had mitigated it. For other firms in the room who hadn't seen that particular thing or were not perhaps as sophisticated about how to deal with that kind of attack, it was really a good education, rolling up your sleeves into the nuts and bolts of how to address and mitigate an attack like that.
Impact of Mass Departures
CHABROW: You've left the Department of Homeland Security. The secretary is leaving. The deputy secretary has left. The head of the National Protection and Programs Directorate who's serving the deputy secretary at the time we're recording this, he'll be leaving eventually. Mark Weatherford who was deputy undersecretary for cybersecurity, the post that you temporarily filled in before you left, is gone. A lot of institutional knowledge and a lot of advocates for cybersecurity are leaving DHS. What impact are all of these departures having on DHS?
McCONNELL: The great thing about government is that the core work, of course, gets done by the career civil service. They're still there. Political leadership is important. I'm very pleased with the caliber of the nominations that the president and the secretary are making to fill in the cybersecurity slots at DHS, and I think we do go through these transitions every four to eight years, so that's what we're doing this time. But the system seems to survive and continue to move forward.
CHABROW: When you were at your job, what did you do to learn more about cybersecurity? How much time do you give yourself to think about these issues? How do you educate yourself? How do you develop your policies?
McCONNELL: DHS is a challenging place to step back from and think. It's a very operational agency. We're always responding to things, not just in cyberspace but in all parts of the country and all parts of the environment. That operational culture makes it difficult to step back. I had the luxury for most of my service at DHS to be running a small group called Strategy and Policy, and our motto was, "We're responsible for things which are due later than tomorrow." We did have time to step back and, as a result of that, we created the blueprint for secure cyberspace, which basically lays out a long-term plan for the government and for the homeland security enterprise, which includes all the private sector and everyone else showing some of ... the capabilities that need to be built and the actions that need to be taken as a result of that. At this point now, DHS is writing an implementation plan for the strategy that will link the goals of the strategy to actual budgets so it's not shelf wear; it's going to be applied in reality. There's time to do that.
The place where I learn the most is by talking to people in the private sector who are on the front lines of the fight and are on the front lines of the technology. Whenever I can, I try to hang out with smart people from there. There are also a lot of smart technologists at DHS, and so there's a lot of different ways to get the information, but it seems to me in this environment with the technology changing as fast as it is [that] you really have to just talk to people who are working on it.
Too Much Authority?
CHABROW: There are some in Congress ... who feel that there's going to be too much authority given to DHS in overseeing not only the civilian side of government IT security, but also relationships with the private sector. Why are those people wrong?
McCONNELL: It's true that we as a society and even globally have not defined and are not clear or in agreement in any way on the role of government in securing cyberspace. This is different than any other area of security where we do understand the role of government. I'm responsible for locking my house and the police are responsible for patrolling the street. We don't have that. We're not there yet in cybersecurity, so it makes sense that there's hesitation about where to assign things to the government and where to leave it to the private sector. At the same time, DHS does have recognition from the president in an executive order and presidential policy directive that it's responsible for protecting critical infrastructure, and it would be helpful to DHS to perform that mission if the Congress were able to codify some of those authorities just to make things clear for everybody. ...
As to the question of trust - which I think is a big deal, both trusting government generally and trusting DHS in particular - DHS's interactions with the public, at airports and other places in disasters such as Hurricane Sandy, I think everybody would agree is a mixed bag. It's a young agency and it's still growing and learning how to be responsible and become more mature. If you think about where you might want to assign cybersecurity responsibilities in the government, it would be hard to do better than with DHS.