A panel chartered by Congress to review long-term threats to the United States has reopened a hotly contested debate on how the government should counter cyberattacks by calling for the Defense Department to expand its authority by defending all federal and key commercial computer networks.
The recommendation, included in a report released on July 30 by the Quadrennial Defense Review Independent Panel, encroaches on the Homeland Security Department, which has responsibility for overseeing cybersecurity at civilian agencies. The panel, chaired by William Perry, secretary of Defense in the Clinton administration, said, "[Defense] should be given clear authority to support DHS for cybersecurity of both the .gov and .com domains so that DHS does not have to replicate the capabilities now resident in U.S. Cyber Command and the National Security Agency."
Perry discussed the report at a hearing of the House Armed Services Committee on July 29 and at a hearing of the Senate Armed Services Committee on Tuesday, where he raised the possibility of a key role for Defense in protecting networks operated by its commercial suppliers.
Because the mission-critical systems that Defense relies on are designed, built and often maintained by private contractors and 80 percent of military logistics requirements are handled by commercial firms, the report said, "it is vital that the Department of Defense ensure the networks of our private sector partners are secured."
But the report added, "the U.S. government remains poorly organized and prepared" to defend itself against cyberattacks, and observed that the United States still lacks legal authorities for the Information Age and that capabilities and responsibilities are misaligned within government.
The report continues the long debate over which federal agency has responsibility for protecting cyberspace. "The boundaries in the cyber domain will be forever squishy," said Bernie Skoch, a technology consultant and a retired Air Force one-star general with extensive experience in cybersecurity. While Defense is responsible for the security of the .mil domain, the details of defining "authority to support DHS" will be the challenge, he added.
Skoch said he had little doubt of the need to protect private networks that Defense suppliers and partners use. But he said it requires a balancing act that presents an enormous challenge. "We can make our systems fully accessible to our industrial and commercial partners, but they won't be secure," Skoch said. "And we can make our systems fully secure, but they won't be accessible. The challenge is how to balance those two interests -- access and security -- in a way that meets our needs for both, and the tools, tactics, techniques and procedures are just now emerging to make that doable."
Trey Hodgkins, vice president of national security procurement policy for TechAmerica, a technology industry trade group in Washington, said the Perry report fits in with what he called the "Defense octopus," an effort to expand the department's cyber mission. It's an example of the push and pull between DHS and Defense over cyber roles and missions, he said.
Steven Aftergood, director of the Project on Government Secrecy at the Federation of American Scientists, said the language in the Perry report on defending private networks was ambiguous. The report did not say Defense should secure private networks, only that it should ensure those networks are secure, he said. "In other words, the networks might be secured by someone other than Defense. But one way or another, they say, it needs to be done," Aftergood said.
The report also said Defense lacked resources to carry out its cyber mission: "Defense faces a tension between supporting the warfighter in overseas contingencies and protecting the homeland with limited cyber resources," it noted. "The panel believes the department's role in cyberspace must be fully resourced. Indeed, an increase in resources to the cyber mission is warranted," the report said, but it did not detail what is needed or how much it will cost.
The panel suggested Defense tap into the cybersecurity talent in Silicon Valley and called for establishing a reserve unit there to support the cyber mission.