Anyone looking for candor about the state of the federal cybersecurity mission found it the other week on Capitol Hill. That’s when Amit Yoran, chairman and CEO of NetWitness, gave testimony before the House Committee on Homeland Security on the issue. Backed by his private and public sector work — Yoran was the first director of the National Cyber Security Division — Yoran offered a no holds barred assessment of DHS efforts on the cyber front. “The Department of Homeland Security has demonstrated inefficiency and leadership failure in its cyber efforts,” said Yoran. What’s next for DHS? And who should assume leadership on the cyber front? Yoran recently spoke to ExecutiveBiz on what it will take to re-align DHS and why he thinks handing the cyber mission to NSA would still be “ill-advised.”
At a recent hearing before the Committee on Homeland Security, you offered a candid assessment of DHS. What are your top recommendations to realign the agency?
Amit Yoran: First, refine DHS’s mission with respect to cyber. Instead of trying to be all-encompassing, DHS would have greater success having specific, targeted objectives and programs that execute on those objectives in measurable, value-added ways to other parties. US-CERT (United States Computer Emergency Readiness Team) is a great example — I think programs like this need to be bolstered. Second, better define the roles of other parties: NSA, the Department of Justice, Department of Energy, Department of Commerce, and other folks engaged in the cyber mission. Third, interacting with the private sector and crucial infrastructures is a critical opportunity for DHS.
Let’s turn to NSA. You’ve been quoted as saying that shifting the cyber mission to NSA is “ill-advised,” particularly for securing ordinary commercial networks. Can you expand on that?
Amit Yoran: Sure. Naturally, as part of its intelligence mission orientation, the NSA routinely operates in a highly classified environment. While a high level of classification is necessary for intelligence work, it also makes working hand in glove with the private sector difficult; very few people in the private sector have clearances, as you know. If you have information that’s actionable or relevant to defending all systems, a high level of classification makes it difficult to share effectively with the private sector and help them defend commercial networks.
Which branch or agency should take the lead in cyber security?
Amit Yoran: The White House. We need very active White House involvement with presidential authority and decision making to provide a strategic plan for the nation in cyber. You can’t simply assign the cyber mission, so to speak, to NSA or DHS or the Department of Justice, and expect it to be done effectively. It’s such a broad topic that cuts across so many different aspects of government — national security, national economic policy, etc. — and it affects literally every aspect of our critical infrastructures and daily lives as Americans. It really needs active White House leadership.
What’s your prognosis on the White House taking an effective lead in cyber security?
Amit Yoran: It’s early, we’re still within the 60-day review period. Still, we’ve seen statements from the White House regarding the review that all lead me to be very optimistic that the White House will be actively engaged and provide the appropriate leadership.
Speaking of the 60-day review, how can the commercial sector position itself for the greatest possible relevance in advance of the review’s findings?
Amit Yoran: I don’t think there is necessarily a way to position yourself for business opportunity as a result of this review. I think the review is a precursor to having a plan of action in place. Obviously, a plan of action with specific recommendations would probably reveal more specific opportunity for the commercial market.
What are your hopes for the newly-created federal CIO position?
Amit Yoran: The CIO position is one critical piece of the puzzle. NSA has the responsibility for protecting classified and national security systems. DHS, with US-CERT, has similar responsibilities for handling and monitoring unclassified federal civilian systems. I think the CIO office is intended for broader IT and for answering how the government can use technology to be more efficient. So, when it comes to cyber security the tasks are two-fold for a federal CIO: the protection of government systems as well as helping to engage with the private sector to protect critical infrastructures.
What role will commercial products and offerings continue to play in strengthening cyber security?
Amit Yoran: The path forward requires that the government better leverage commercial products and technologies, particularly as the federal government tries to address some of the challenges versus trying to develop government-oriented solutions. So, I think it’s going to be a combination of leveraging system integrator expertise but increasingly, also, better leveraging innovative commercial products and technologies.