Cybersecurity Hearing Prompts Calls For Leadership, Laws

A key issue at the hearing was whether cybersecurity should be overseen by the intelligence and military establishment or whether it should also include a role for the private sector.

Thomas Claburn, Editor at Large, Enterprise Mobility

March 10, 2009


Halfway into a 60-day review of U.S. cybersecurity policy, lawmakers and tech industry experts are expressing alarm about the state of the nation's cyberdefenses and hunger for leadership in the unacknowledged cyberwar against America.

The House Subcommittee on Emerging Threats, Cybersecurity, Science, and Technology, part of the House Committee on Homeland Security, held a hearing in Washington, D.C., on Tuesday to assess the state of federal cybersecurity.

In stark terms, hearing participants highlighted the urgency of taking action against cyberattacks after years of unimplemented recommendations, with one participant going so far as to suggest the need for a version of the Monroe Doctrine for cyberspace.

"There is no more significant threat to our national and economic security than that we face in cyberspace," said U.S. Rep. Yvette Clarke, D-N.Y., who chairs the House Subcommittee on Emerging Threats, Cybersecurity, Science, and Technology.

A key issue at the hearing was whether cybersecurity should be overseen by the intelligence and military establishment or whether it should also include a role for civilian agencies and the private sector.

The lack of civilian clout in cyberspace policy was raised last Thursday, when Rod Beckstrom, director of the National Cybersecurity Center, resigned, citing lack of budgetary support and opposition to the National Security Agency's de facto control of federal cybersecurity initiatives.

At the hearing, U.S. Rep. Bennie G. Thompson, D-Miss., chairman of the House Committee on Homeland Security, chided the previous administration for failing to support Beckstrom and stressed the need to strike a balance between civilian and military control of cybersecurity.

"I don't disagree with DNI statement that NSA houses most of the cybertalent in federal government, but I don't think answer lies in giving control to NSA," he said.

That was a sentiment echoed by Amit Yoran, chairman and CEO of NetWitness and former director of the National Cyber Security Division of the Department of Homeland Security. "An effective national cybersecurity effort must leverage intelligence community's superior acumen but is in grave peril if controlled by intelligence community," he said. In prepared testimony, Yoran elaborated on this theme, noting that the secrecy of the intelligence and military communities is fundamentally at odds with the needs of system operators. While acknowledging that secrecy is necessary in certain contexts, he said that the tendency of the intelligence and military community is to overclassify information at the expense of necessary information sharing.

"In recent examples, adversary Internet addresses used in attacks and their various attack methods have been classified to the point they were not broadly available for defensive purposes or provided through channels," said Yoran in his prepared remarks. "In numerous cases, this roadblock prevented information from being used effectively in cyber defense and provided further advantage to our adversaries. If you cannot or will not share useful information with cyber defenders, their job is made far more difficult."

Some suggestions dovetailed rather too neatly with political or industry interests. Republican Congressman Paul Broun of Georgia disagreed with the prevailing sentiment that the White House, now in Democrats' hands, should lead the push for better federal cybersecurity. He'd rather see the House cybersecurity subcommittee set the agenda.

Scott Charney, VP of Microsoft's Trustworthy Computing Group, called for stronger authentication and cited the need for an identity metasystem, something Microsoft has been pushing since the days of its ill-fated Hailstorm project.

And Mary Ann Davidson, chief security officer of Oracle, offered a subtle endorsement of the sort of enterprise software her company sells.

"The Declaration of Independence states all men are created equal, but all information systems are not," she said, noting that software is too often designed for one purpose and deployed for another without regard to the risks. Her message sounded like a veiled dismissal of Oracle's lightweight Web 2.0 challengers, even if it simultaneously served as a fair critique of lax coding practices.

"It was kind of disgusting," conceded Phil Lieberman, CEO of password management company Lieberman Software. "That was neither the time nor the place to sell their technological agenda. They were trying to sell their stuff."

The hearing was mostly focused, however, on the cybersecurity leadership vacuum.

Charney, for instance, said there was a need for a coordinated national cyberspace strategy and that while broad regulation might not be desirable, some regulatory incentives have to be put forward because "customers will not pay for the level of security necessary to protect national security."

That's something Lieberman, who wasn't at the hearing, agrees with. "The president really needs to put his foot down and dictate to federal agencies who is responsible for what and provide a national policy," he said, adding that new laws are needed to deal with threats because the existing legal framework is inadequate.

Davidson offered the most provocative suggestion of the afternoon: She suggested that the United States should create a new version of the Monroe Doctrine that applies to cyberspace.

The Monroe Doctrine, introduced in 1823 by President James Monroe, declared that efforts by European countries to colonize land or interfere in the Americas would be viewed as acts of aggression and would prompt U.S. intervention.

Revised for cyberspace, the Davidson Doctrine, as one panel participant suggested it be called, would presumably promise an offensive response to online attacks originating from outside the United States.

"You can't win a war if you don't admit you're in one," Davidson said. "And you can't win on defense."

But before the United States can think about winning, it has to be prepared to fight. And as several of the speakers at the hearing said, "We are not prepared."



