The head of the Homeland Security Department on Wednesday warned against moving oversight for cybersecurity operations from the agency to the White House, as suggested by a nonpartisan commission this week.
DHS Secretary Michael Chertoff, in a keynote speech at a conference in Washington, said putting the White House in charge of governmentwide cybersecurity operations could put top officials at risk.
"First, people need to understand [that] the White House plays a role [in] cross-agency coordination in terms of policy-making. It's hard to envision that wouldn't be the case," Chertoff said during his speech at the Armed Forces Communications and Electronics Association's cyberspace conference. "[But] do you want to get the White House involved in operational activity? Traditionally, that is viewed as a risky thing to do. It pulls the White House into areas where it's exposed to legal and oversight issues. Everyone remembers the Iran Contra [Affair]," which exposed Reagan administration officials to using funds from covert arms sales to Iran to finance revolutionaries in Nicaragua.
Chertoff responded to a report released on Monday by the Commission on Cybersecurity for the 44th Presidency, which recommended the Obama administration to place the lead role for managing the government's cybersecurity program in the White House, not the Office of Management and Budget or DHS.
The report recommends the government establish a National Office for Cyberspace, which would reside in the Executive Office of the President and be directed by an assistant to the president for cyberspace. The president also should establish a Cybersecurity Directorate in the National Security Council that would take over existing Homeland Security Council functions, according to the report.
Chertoff also warned that the report creates a "Rube Goldberg schematic," which makes something more complicated than necessary. "I found that organization and reorganization is second only to spending money as a hobby" for the government, he said. "I understand why. The hard work of implementation, which is detail-oriented, doesn't lend itself to elegant discussion. You certainly do want a high-level White House push behind this initiative, and no nonsense [directives] for all agencies to play together, which is what this president has done."
Chertoff generally agreed with the commission's recommendation to strengthen public-private partnerships for cybersecurity by focusing more on preventative and responsive activities that are coordinated. But he warned against issuing mandates that dictate how industries would protect their own networks, which could cause a backlash from a "strongly individualistic" culture. Instead, he recommends performance security standards that private sector companies must meet, with the federal government acting as an enabler.
He did not say that core cybersecurity responsibilities should remain within DHS, but he emphasized the agency has improved protection of federal domains and networks, synchronized federal networks, and begun coordinating activities with the private sector.
"We have launched a strategy that is robust, laid out the major pathways in the right direction, and jump-started the process toward moving toward a more secure cyberspace," he said. "We're a more mature organization now at the department. The next administration will have to see whether they need to integrate [roles] or [subordinate] some areas of responsibility that are sufficiently out of the core of national security. That's' a judgment call."
Chertoff noted he has consulted with the transition team of President-elect Barack Obama on cybersecurity governance.