When Rod Beckstrom recently stepped down as head of the National Cyber Security Center, an already heated debate reached fever pitch: Which agency should take the lead in cybersecurity? Or should any agency take the lead at all? In his resignation letter, Beckstrom argued that the NSA “currently dominates most national cybersecurity efforts,” meanwhile “the threats to our democratic processes are significant if all top level network security and monitoring is handled by any one organization.” On the heels of Beckstrom’s resignation, how should the federal government address the ongoing challenge of cybersecurity? Rob Housman, acting executive director and chairman of the board of The Cyber Security Institute, offers his perspective to ExecutiveBiz.
What’s your take on Rod Beckstrom’s resignation the other week?
Rob Housman: I’m not blaming Beckstrom — so let’s start there. I think Beckstrom is a dedicated civil servant who tried his very best under difficult circumstances. He was operating in a world where he himself said he didn’t have a budget and couldn’t really get a lot done.
How would you describe the government’s current approach to cybersecurity?
Rob Housman: Hack and patch. Somebody hacks, if we’re lucky we find it, we patch. That’s not a good way to approach cybersecurity. Something different needs to happen to shake up the system.
You’ve argued NSA should “shake up the system,” not DHS. Why?
Rob Housman: In a perfect world DHS could do it as well. However, in the real world DHS has become locked in a particular mindset. A transfer of power would compel people to understand that what was being done was not acceptable.
What specific benefits would NSA offer?
Rob Housman: The NSA has a long history of working with the private sector on security matters, communication security specifically. They have the most advanced skills in the world at being able to hack systems.
So, NSA has the technical prowess.
Rob Housman: Yes, here’s the thing. To date, you walk into DHS, they’re not going to regulate you or compel you to do anything; you’re going to sit down, have some coffee, and hopefully exchange some information. It is a very comfortable environment for industry. And comfort has translated into inaction and insecurity. The NSA, by virtue of what they do — by the virtue of the fact that the director [Lieutenant General Keith B. Alexander] has a direct line to the president — has a different aura, a different reputation. These guys mean business.
Speaking of reputation: Many Americans distrust NSA for its role in the Bush administration’s wire tapping program. Will that be an impediment to taking the lead in cybersecurity?
Rob Housman: You’re absolutely right, they have to earn back public trust. It’s important to remember, though, that the problem we faced in the Bush administration didn’t occur at the technical level, it occurred at the policy level. So, I think the distrust to a degree is misplaced. The NSA was following orders. However, right now you have a White House much more respectful of constitutional norms.
What role should DHS play in cybersecurity, then?
Rob Housman: DHS has a lot of institutional knowledge. They need to be a partner in this effort. But the real problem is one of leadership. Things have gotten way too comfortable. We need someone to drive change—technological change, policy change and behavioral change. We now have technologies that have been certified secure by NSA’s experts, the best in the world, as in essence unhackable. Yet they are not in widespread deployment. Why? No driver has been in place to compel industry and federal agencies to switch.
What role should the commercial sector play in cybersecurity?
Rob Housman: This necessarily has to be a partnership, because 80 to 90 percent of our critical infrastructure is privately-held. But that partnership has to be a “give-and-take” — not just a “take.” The private sector has gotten woefully complacent, and we’re relying upon systems that are insecure for our most important data.
How can the commercial sector shake this “complacency”?
Rob Housman: First of all, think anew. The private sector has for years been resigned to the notion that systems can’t be fully secure. Emerging technologies are vastly superior and inherently secure so you can shift your approach. For example, one of our member companies, Integrity Global Security, has just received the highest level NSA cybersecurity certification ever. This is the first technology certified against sophisticated, hostile attacks, even with the source code. Second, don’t dismiss what this administration is doing; come with an open mind and work with it. Third, look at the cost benefit analysis here differently. When we look at security, cyber security in particular, it’s always viewed as a drain on the bottom line but look at what insecurity costs you. We just put out a report that shows insecurity will be the single largest impediment to US innovation over the coming years.
A bill was recently introduced to shift cybersecurity to the White House. What are your thoughts on it?
Rob Housman: There is an advantage to being in the White House. That said, a number of things need to happen. First, the office would need to be more than two guys and a dog; it would need to be fully staffed. Second, you have to ensure a White House office has some operational authority; it can’t just be a bully pulpit. Lastly, we face such enormous challenges right now in cybersecurity. At the same time, we’re pushing the smart grid, ehealth, and broadband access. It’s tough to build a car and drive it at the same time. There needs to be a cyber czar at the right hand of the president who plays a significant role in either actually driving the car or helping direct it.