Panelists call for White House to lead cybersecurity efforts

The Homeland Security Department is best suited for a coordinating role, GAO and industry officials tell lawmakers.

The White House should develop a more comprehensive national cybersecurity strategy and lead efforts to implement it, witnesses told House lawmakers during a hearing on Tuesday.

The Homeland Security Department would be best equipped to continue coordinating cybersecurity efforts among federal agencies and between government and the private sector, with limited authority to set policy, industry and Government Accountability Office officials testified before the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.

"We need to look at a new [governance] structure, greater prioritization and more accountability for those organizations in charge" of federal cybersecurity initiatives, said Dave Powner, director of information technology management issues at GAO.

Developing clear strategic objectives and priorities and establishing a cybersecurity office within the White House to set governmentwide policies and retain power over budgets and resources would help eliminate vulnerabilities, Powner stated.

"If I have access to the president and control over budgets, I will get agencies to do whatever I want," said Jim Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. "We have to put that [authority] at the White House." Lewis made similar recommendations during a September 2008 hearing.

The current cybersecurity strategy, which the Bush administration developed, places most authority with DHS.

"It's clear [DHS] has not lived up to its responsibilities," Powner said. He pointed to the department's failure to follow GAO's recommendations on improving its ability to get the Internet back up and running after a major Internet disruption. "Do we want to keep working with them as the lead, or designate [DHS] to an operational role and put someone else in charge? We think the latter," he said.

Witnesses were somewhat divided about the ideal "operational role" of DHS. Amit Yoran, chairman and chief executive officer of security software company NetWitness and former director of DHS' National Cybersecurity Division, said the department should be charged with protecting the .gov domain, primarily through the U.S. Computer Emergency Readiness Team, which analyzes cyber threats and disseminates warning information. He also said DHS should lead coordination with the private sector.

Scott Charney, vice president of Microsoft's Trustworthy Computing initiative, said DHS is well-suited to helping agencies collaborate on implementing the White House's cybersecurity policies. At the same time, he said, agencies that regulate critical infrastructure, such as energy and transportation systems, should work with sector-specific companies and organizations to ensure cyber vulnerabilities are addressed.

"It's important to empower DHS to play the necessary [coordination] role," he said. "There's a difference between developing strategy and coordinating it through the agencies. You need an operational capability," which DHS can provide.