Bush's cyber chief calls national security initiative too secret

Greg Garcia says plan to protect major networks was coordinated and effective, but admits DHS could have done more to share information.

Federal officials working to craft a national cybersecurity plan to protect government and corporate computer networks from attacks kept too much of the work secret, which led to criticism from those in government and industry unable to monitor progress, the Bush administration's head of cybersecurity told Nextgov.

Greg Garcia, who was appointed assistant secretary of cybersecurity and telecommunications at the Homeland Security Department in 2006, said the Bush administration plotted out a sophisticated, interagency program that was "extraordinary." But, he added, the White House kept the Comprehensive National Cybersecurity Initiative, which DHS designed to better protect computer networks by improving the way agencies managed information technology, too secret -- a criticism that many IT security professionals and consultants leveled at the program.

"There was too much classified, which was not helpful politically and not helpful in getting the word out," he said in an interview with Nextgov on Tuesday. "We had to walk that line between raised awareness of what was being accomplished and not letting out too much information that could cause us to be targeted. Still, too much was kept secret."

The Obama administration has not detailed a cybersecurity strategy, but on Monday it ordered a 60-day review of the government's cybersecurity programs and initiatives. Garcia doubts Obama will scrap Bush's cybersecurity strategy altogether, but it's not clear if it will continue in its present form.

"Everyone recognizes that we've come a long way in a short period of time," he said, noting that the cybersecurity initiative was developed in six months. "This review may shine more of a spotlight on sub-initiatives to see whether there's any way to modify them before going too far down the road. It's a healthy thing to go through, to do some recalibrating in the early stages."

Garcia said criticism that the Bush administration's approach to cybersecurity was ineffective is inaccurate. "I take issue with those that say there was no strategy, and that [cybersecurity] was not coordinated," he said. "This was a comprehensive strategy that incorporated federal network security, research and development, deterrence efforts, and the supply chain, and [supported] counterintelligence, and private sector engagement. It was very multifaceted."

Garcia said Obama's idea to appoint a a cyber czar who would report to him, a promise he made during the campaign, could improve the government's cybersecurity. But, Garcia said, DHS should lead the effort. "I believe there remains a lot of supporting opinion that DHS needs to be the principal agency leading this because of its crosscutting security responsibilities," he said. "I would see the assistant secretary of cybersecurity working hand-in-glove with the cyber czar as principal implementing authority."

Michael Brown, who was the deputy assistant secretary under Garcia, is now assistant secretary for cybersecurity.

Garcia opened his own information security consulting firm Garcia Strategies in January. He also bikes 200 miles a week with his cycling team. That's a big change from last year, when Garcia was revealing lessons learned from Cyber Storm II, a simulation of a large-scale coordinated cyberattack on networks that operated the nation's financial, transportation and utilities.

"The intensity [of the position] was sometimes energizing, sometimes enervating," he said. "Now I want to continue to contribute to the mission and have an impact. Coming from Homeland Security, the private sector, and [having appeared before] Congress, I understand a lot of the moving parts. I want to now see how I can participate."