Tension mounts between agencies over cybersecurity oversight

An independent agency that reports directly to the White House should oversee federal cybersecurity efforts, said former government officials, a move that could relieve growing tension between the intelligence community and the Homeland Security Department over who leads such initiatives.

In a March 5 letter resigning as director of the National Cybersecurity Center, Rod Beckstrom expressed frustration over the growing influence of the National Security Agency's efforts, pointing to the agency's high levels of staffing and technology that support cyber initiatives and to the proposed move of two DHS organizations, the National Protection and Programs Directorate and the National Cybersecurity Center, to a Fort Meade, Md. NSA facility. The agency effectively controls DHS cyber initiatives and dominates most national efforts, which Beckstrom called "a bad strategy." The letter lists his last day as March 13.

Former DHS secretary Michael Chertoff established the National Cybersecurity Center in March 2008 to coordinate cyber efforts and to improve situational awareness and information sharing across federal agencies. The center was one of a dozen parts of the Comprehensive National Cybersecurity Initiative President Bush created.

"In order to make real progress, we've got to come up with a mechanism that's not buried within a single department or Cabinet office," said Dale Meyerrose, former chief information officer for the Office of the Director of National Intelligence. He currently serves as vice president and general manager of cyber and information assurance for the information technology consulting firm Harris Corp. "Cyberspace delivers value -- it's the underpinning of virtually everything in our society. The president needs to have an office that is directly accountable to him and responsible for the funding, operation, maintenance and protection of cyberspace." That office should make cybersecurity one component of a larger mission to fully leverage the Internet, he said.

"The [Obama] administration needs to create a cyber defense agency that has a far-reaching mission," said one former NSA official who asked to remain anonymous. "The agency needs the ability to set strong national policies that can be validated and enforced. And it has to be completely independent, where its only responsibility is cyber; neither DHS nor NSA nor any other agency can offer that focus."

Beckstrom, however, warned in his letter against a single entity overseeing all cyber initiatives, saying such a strategy would threaten democratic processes. Instead he advocated a cybersecurity model where "DHS interfaces with, but is not controlled by, the NSA." While that is supposed to be the current strategy, Beckstrom indicated NSA actually controls the majority of initiatives. The intelligence community is equipped to focus on counterterrorism tactics, Beckstrom said, while DHS can focus on coordinating civilian agencies and developing partnerships with the private sector.

"There's recognition on both sides that the intelligence community and DHS have different roles," said Gregory Garcia, who served as assistant secretary of cybersecurity and telecommunications at DHS during the Bush administration and now runs his own information security consulting firm, Garcia Strategies.

"DHS is primarily focused on defensive protection -- a role that requires a close, integrated relationship with the private sector," Garcia said. "That relationship is not one that the intelligence community should have, or can have; there are a number of privacy and political issues that prevent that." He argued for a coordinated interagency process, where each principal agency manages its own responsibilities. Forming a new agency, while "an enticing idea," Garcia said, would distract agencies from the momentum they've already built in addressing cybersecurity, and eat up too much time and resources.

Jim Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, said an independent agency would solve many problems, but he also acknowledged the practical challenges associated with standing up an independent organization. As program manager of the Commission on Cybersecurity for the 44th Presidency, Lewis has recommended to Congress that the White House lead cyber efforts.

"I don't think it's a tug of war between NSA and DHS, mainly because I think DHS is out of the running," he said.
