The technology community must communicate better with policymakers to ensure risks to federal computer networks are addressed quickly, a Homeland Security Department official and Capitol Hill staffer said on Thursday.
Cybersecurity requires not only threat and vulnerability detection and mitigation, but "an element of reflection" to determine how policies need to change to prevent future attacks, said Mischel Kwon, director of Homeland Security's U.S. Computer Emergency Readiness Team, during a briefing sponsored by the Information Technology Association of America. "A lot of our policies remain stagnant because we don't do that reflection."
There should be open dialogue between the information technology workers who understand the threat landscape and the decision-makers who create and enforce governmentwide rules and initiate funding, she said.
"We need to develop a new [cyber] workforce that is not just made up of the people working bits and bytes," Kwon said. "We need more comprehensive [skills]; people who can ... [describe] something technical to a non-technical room."
The gap in communication is perhaps most evident in Congress, said a staffer, who asked not to be named. The House and Senate both have committees that focus on security threats --notably those that endanger the nation's critical infrastructure -- but most members are not technologists, the staffer said. They need IT specialists from the public and private sectors to explain the risks and propose solutions in a way that is easy to comprehend.
"The ability or inability of the technical community to communicate to policymakers -- it's hard to overestimate how important that is, [because] there is really no cyber jurisdiction," the staffer said. Members of Congress don't necessarily recognize cybersecurity as an issue they should care about, until the potential impact is made clear, he said.
He pointed to the Aurora Generator Test, in which researchers from Idaho National Laboratory simulated a cyberattack on a power plant's control system. That got the attention of Congress and the public at large, the staffer said, because it provided something tangible: a video of a smoking generator that the cyberattack caused to self-destruct.
For their part, lawmakers must recognize that cybersecurity requires a comprehensive approach and can't be addressed project by project, the staffer said: "[Cybersecurity] a huge issue going forward. But we need to get beyond named programs -- the big package with the bow on it -- and just get it done."