The White House, not the Office of Management and Budget or the Homeland Security Department, should take the lead role in managing the government's cybersecurity program, according a report for the Obama administration released by a nonpartisan cybersecurity commission Monday.
By placing the primary responsibility for cybersecurity in the White House, federal agencies will take a comprehensive strategy more seriously, said Jim Lewis, the program manager for the Commission on Cybersecurity for the 44th Presidency, who released the report.
"Cybersecurity needs to be integrated into everything we do, both domestically and internationally," he said. "We need to let people know that this is part of what a responsible government does. For that to happen, the White House has to push this. People won't listen to another agency telling them what to do."
Lewis emphasized that agencies should integrate security into all aspects of government when he testified to Congress in September.
CSIS created the commission in October 2007 to provide recommendations in cybersecurity policy for the next administration. It includes four co-chairs: Reps. Jim Langevin, D-R.I., and Michael McCaul, R-Texas; Scott Charney, corporate vice president for Trustworthy Computing at Microsoft, and retired Lt. Gen. Harry D. Raduege Jr.
Among the 25 recommendations included in the report is the establishment of a new National Office for Cyberspace, which would reside within the Executive Office of the President. The White House could create the office by merging the National Cybersecurity Center, now within DHS, and the Joint Interagency Cyber Task Force, now housed within the Office of the Director of National Intelligence. Both organizations were created to develop President Bush's largely classified Comprehensive National Cybersecurity Initiative. DHS announced in September that it would lead the cybersecurity initiative.
The proposed National Office for Cyberspace would be headed by an assistant to the president and assume expanded authorities over cybersecurity efforts currently managed by OMB, including the 2002 Federal Information Security Management Act, the Trusted Internet Connections initiative and the Federal Desktop Core Configuration program. The director also would require agencies to submit budget proposals relating to cyberspace for White House approval prior to submission to OMB.
The Associated Press reported on Monday that "chances are good Obama will be receptive to many of the proposals" because "five members of the panel that produced the report also are working for his presidential transition team. They include former White House official Paul Kurtz, advising Obama on national security matters, and Obama technology advisers Dan Chenok and Bruce McConnell."
The report also recommended that the president work with Congress to rewrite FISMA to focus less on system certification and accreditation and more on performance-based measurements of security. In addition, the president should propose legislation that adopts a risk-based approach to computer security that covers all federal IT systems, rather than distinguishing between technical standards for national security systems and civilian agency systems.
Finally, the cyberspace office would establish a "federated regulatory approach" for agencies that oversee and manage critical cyber infrastructures. Agencies would follow a common set of security standards.
DHS would continue to be responsible for the U.S. Computer Emergency Readiness Team, which tracks and monitors cyber threats and attacks on federal networks, and Einstein, an automated system that monitors and analyzes online activity. OMB would continue to oversee the budget in coordination with the new cyberspace office and the National Security Council.
In addition, the report recommended improving the security of systems that control the operation of critical industries that support the nation's economy, including those in the energy, transportation and chemicals sectors. The federal government also must rebuild its partnership with the private sector and focus more on key infrastructures and cyberattack prevention and response activities.
The report also suggested agencies deploy methods to better identify users on systems and what they have access to on networks, particularly for agencies involved in the management of critical infrastructures. The government should withhold bonuses or awards to managers at agencies that have not fully complied with the changes within the first year of a new presidential term with Homeland Security Presidential Directive 12, according to the report. HSPD-12 requires agencies to issue to federal employees and contractors a biometrically enabled identity card to gain entry to government buildings and computer networks.
"GAO reported a couple months ago that 26 percent of agencies had implemented HSPD-12; that needs to be at 100 percent," Lewis said. "That's where pressure from the White House would be important -- people won't be able to say 'my mission is more important.'"
The report emphasized the need for security guidelines for the procurement of IT products -- with software as the first priority -- and mandates that agencies contract only with telecommunications carriers that use secure Internet protocols. The United States also should work with other nations and international standards bodies to expand the use of secure protocols globally.
While commending the Bush administration for its work to improve cybersecurity, Lewis said efforts have not gone far enough because they have focused on securing only federal networks. "The Comprehensive National Cybersecurity Initiative is very good, but it isn't comprehensive," he said. "The Bush administration in 2007 realized cybersecurity was a big problem. Obama is coming in already realizing it's a big problem. He knows it's an issue and he wants to fix it."