Roles and responsibilities key to making cybersecurity work

Security experts emphasize the need for pending bills on the Hill to clarify who has cyber oversight.

Clarification of cybersecurity roles and responsibilities in the federal government remains the most crucial component of bills circulating in Congress, federal and industry executives said during a panel discussion on Thursday.

The most essential provisions included in the cybersecurity bills "would straighten out the authority issue for a more coordinated effort," said Pat Howard, chief information security officer at the Nuclear Regulatory Commission. He participated in a panel discussion held at the National Press Club and hosted by Government Executive and Nextgov.

"Often agencies have the wherewithal to make decisions for themselves, but we're not bound together" in terms of priorities or processes, Howard said. "Someone has to manage that."

Although many bills introduced in the House and Senate address roles and responsibilities, the 2010 Protecting Cyberspace as a National Asset Act goes the furthest, calling for establishment of an office in the White House to drive federal cybersecurity policy and review agencies' budget plans. It also would create the National Center for Cybersecurity and Communications at the Homeland Security Department to coordinate cybersecurity efforts governmentwide and with the private sector. The center would regularly evaluate the security of federal networks to determine whether agencies are in compliance with guidelines and isolate federal networks when departments fail to properly address vulnerabilities.

Although White House oversight would create a sense of urgency, Howard said it would also create another layer of bureaucracy.

"What I see in [the bills] is a fragmentation of the role that the Office of Management and Budget has always had. We may not agree with OMB guidance, but it's clear, and comes from a single source," Howard said. "When you talk about layering in the White House and expanding the role of DHS, it starts to get more complicated."

Alan Balutis, director of the business solutions group at Cisco Systems Inc. and a former chief information officer at the Commerce Department, agreed a different model for governance is necessary "to flatten some of the hierarchies," but didn't believe the oversight needed to come from the White House.

"As CIO, I actually felt better working with a colleague in another department or agency, where they might have the functional expertise and responsibilities similar to mine," he said. "The problem with some of the [White House] officials is that they've never run anything. I'd argue that a functional lead belongs in a place like DHS."
