Agency Leaders Should Be Accountable for Protecting Data, Former DHS Chief Says

Former U.S. Homeland Security Secretary Michael Chertoff

Former U.S. Homeland Security Secretary Michael Chertoff Seth Wenig/AP File Photo

George W. Bush's homeland security head weighed in on data sharing.

President Donald Trump's long-awaited cybersecurity executive order is expected to shift away responsibility for information security from agency chief information officers to agency heads. Michael Chertoff, homeland security secretary under President George W. Bush, thinks that's the right move.

Within federal agencies, "a significant failure of security that causes a lot of damage is ... a really fundamental problem. It's not just going to be, 'Here's a technical problem, fire the technical guy,'" Chertoff said at an Adobe Government event, which was produced by the events division of Government Executive Media Group, Nextgov's parent company.

Chertoff said he hoped "handling sensitive data of all kinds" will become an "accountability issue" in the incoming administration.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Chertoff, who co-founded security advisory firm the Chertoff Group after leaving government, noted the Edward Snowden revelations made data sharing between federal agencies more complicated. One solution he suggested could be to analyze every data set to understand which ones should be shared outside the owner agency.

During the 9/11 terrorist attacks, when Chertoff served as a federal judge, "one of the obvious imperatives ... was sharing information and connecting the dots. And we move[d] very much more in the direction of fighting the resistance to sharing, to actually making sharing an affirmative obligation," he said. After the Snowden incident, he said, "everybody goes, 'Whoa, wait a second, sharing is bad.' ... You've got to calibrate, at the data level, what degree of sharing is appropriate."

For instance, he suggested, an official might say, "'Here's something you need to know about, because it's relevant, but you're not privileged to look at it until you go to your originating agency and you get permission.' Or, you might want to say, 'If something moves out of a certain space, it no longer exists.'"

What's most important in today's information security landscape, replete with insider threats, is the "ability to be nimble and tailor security around what the needs of the data user are," he said.