Ellen McCarthy, President of the Intelligence and National Security Alliance (INSA), spoke briefly with The New New Internet about the readiness of the private sector to advance U.S. cybersecurity. McCarthy also agrees with Greg Garcia that an evaluation of current cyber spending is needed, and with Rep. Jim Langevin that FISMA must be updated.
TheNewNewInternet: As someone who works with people in the Intelligence Community, where do you think the balance should lie between civil liberties, national security and private networks?
Ellen McCarthy: I have to say as a long-time employee of the Intelligence Community, civil liberties was always something ingrained in me and my colleagues at a number of agencies that I worked at. It is something that has been held quite close. I don’t see any changes in terms of the Intelligence Community’s perspective on the protection of privacy and the individual’s civil liberties. If anything, we will be extra sensitive to the needs to protect privacy as a result of ongoing press and issues that have come out over the last year or so.
TheNewNewInternet: Do you believe the post of a cyber coordinator bridges the gap between public and private cybersecurity?
McCarthy: Absolutely. I was very excited to see the president’s paper and ultimately, the decision to put somebody in that position. The private sector is ready. I can’t think of a time when you’ve got the private sector more engaged and working with the government to come up with solutions to the problem. We’re ready.
TheNewNewInternet: How should the cyber czar oversee military cybersecurity?
McCarthy: It’s my understanding that the cyber czar or the lead for cyber, whatever the title ultimately is, will have oversight of all programs to include military cybersecurity. I think that is going to involve a very close, cordial and open working relationship with the Department of Defense and the structure that they’re establishing to maintain oversight of cyber within the Department of Defense.
TheNewNewInternet: In the INSA policy review, it states that we need to clarify roles to create a better public/private partnership. Greg Garcia has stated that he believes that in order to do this, we should “cut organizations,” in the context of overlapping jurisdictions. Do you agree?
McCarthy: We need to clarify the lanes of the road. I personally absolutely agree. We need to understand what everybody’s role is and, using the example of the private sector, when a quarter is spent to make a call to report something, they know where that quarter is spent.
TheNewNewInternet: Do you believe a new international organization should be established for cybersecurity, or does one already exist?
McCarthy: We are just looking at potential models for an international organization, so whether it’s an existing organization where rules have been clarified or the creation of a new organization, that is certainly an item for discussion. We were trying to provide some clarity to the fact that there are relationships like that today. We don’t need to reinvent the wheel and we certainly have some models to consider as we move ahead.
TheNewNewInternet: INSA recommends developing a national cybersecurity recovery plan. Exactly how vulnerable and how much damage could be done in a broad spectrum cyber attack?
McCarthy: I think it has been well documented that we are currently in a very critical state and it is something we have to be highly sensitive to. What we were identifying in the report was not only the need to come up with a plan, but also then to identify an organization whose job it is to implement that plan. It’s easy to develop plans; it’s the implementation part that we seem to stumble over. There has to be two sides to this knife.
TheNewNewInternet: Building on implementation, do you think that more funding should be allocated toward technological innovation or better training for personnel?
McCarthy: That’s a tough question because I will tell you yes and yes. One of the roles of the cyber czar is, as we indicate in our paper, budget oversight and a very close working relationship with the Office of Management and Budget to ensure that resources are going to the areas that are most critical first. In our report we identify that both technology and training are considered critical. I would hope that the cyber czar really looks at that and aligns either an existing budget or additional resources as necessary.
TheNewNewInternet: There is a growing consensus in Washington that the Federal Information Security Management Act is obsolete. How should the cyber czar oversee its update?
McCarthy: Well, I hope that when the cyber czar, he or she, does update this, they engage with the private sector to ensure that we are actually coming up with standards that are achievable and reasonable. Certainly, associations like INSA and others are standing ready to support them in that effort.
TheNewNewInternet: How do you recommend that the government sync its standards with those of commercial industry?
McCarthy: I think absolutely the expertise and the experience resides in the private sector. The challenge is incorporating those models into the public sector in a way that is uniform across this government and that’s the challenge. This is not going to be an easy job.
TheNewNewInternet: How do we distinguish between an officially sanctioned attack and what is just a “rogue” organization?
McCarthy: Nobody said this was easy; the need to conduct smart, rapid and highly responsive forensics is critical. It has to happen quickly. We don’t have months and months. We need to invest in training. We need to develop our analytics and establish processes and procedures to move information quickly and develop an adequate response in a timely manner.
TheNewNewInternet: Do you have any advice for the cyber czar for recruiting top cyber talent?
McCarthy: In the private sector, there are organizations that have hired hackers who are reformed, maybe even not reformed, but who clearly understand the problem at a level that many of us in government don’t. If I was in the public sector I would take my cues from the private sector and adopt some of their practices and procedures for hiring and recruiting. That may mean looking at personnel policies to ensure that you have the ability to be competitive with the private sector.