Getting the Cybersecurity Organization Right
RSA Panel: Accountability is a Congressional Priority
On the eve of Melissa Hathaway's long-awaited public comments on her just-completed overview of federal government cybersecurity programs, a panel of experts agreed on a key point: The nation's cybersecurity has to be headquartered in the White House.
"We've got to get it right organizationally," said Sameer Bhalotra, a Senate Select Committee on Intelligence staff member, adding that means ensuring that the nation's cybersecurity policy starts at the top.
Jacob Olcott, director of the House Subcommittee on Emerging Threats, Cybersecurity, Science and Technology, said organizational structure is paramount. "[Congress] wants to have someone they can hold accountable for action or inaction," he said.
Both Congressional aides participated in an RSA Conference panel on Tuesday assessing the recommendations made last fall by the Commission on Cybersecurity for the 44th Presidency, sponsored by the Washington think tank Center for Strategic and International Studies. Also on the panel - moderated by Randy Sabett, a Washington attorney specializing in Internet, communications and data protection law - were Washington lawyer Bruce McConnell, former chief of information policy and technology at the White House Office of Management and Budget; and Shannon Kellogg, director of information security policy with storage maker EMC Corp.
Each of the panelists was a member of the cybersecurity commission, and they came away with a sense that the issue has unique bipartisan support. "This is an issue both sides of the aisle are concerned with," Olcott said. And the Obama administration clearly recognizes that cybersecurity is a national security concern.
Beyond the organizational challenge - where is cybersecurity headquartered? - the panelists express concern about the balance between national security and civil liberties. "When do we absolutely need the government to step in and do things, and when is it best for them to not?" McConnell asked.
This latter issue drew follow-up questions from the capacity crowd, which included security leaders from the private and public sectors. One business executive questioned how government could enforce cybersecurity policy over private industry. "You'd need an audit department the size of the state of California," he said.
Olcott's response: Because private industry has failed to enforce cybersecurity, it's time for the government to step in and do the job. "Traditional market forces may have failed here," Olcott said. "What [does government] have to do to incentivize and regulate this space? Security should not be left to market forces."
The challenge once the administration sets policy, panelists agree, is to figure out how to bring together the Departments of Defense and Homeland Security, as well as private industry, to defend against nation-state cyber attacks.
"What is the role of the federal government?" Olcott asked. "In my mind, that's the $64,000 question."