New US Cyber Commission Tries to Find a Seat for Government at the Table

At the first assembly of a shiny new U.S. commission on cybersecurity, members were already debating how to thaw the relationship between the federal government and the best minds in data protection.

Silicon Valley firms "think government is the enemy,” said Commissioner Herb Lin, a senior cybersecurity researcher at Stanford University. “They talk about the NSA the way they talk about China,” referring to allegations that the National Security Agency and the Chinese government spy on Americans’ online activities.

The primary task of the members of the presidentially appointed Commission on Enhancing National Cybersecurity is to pen a 5-to-10-year roadmap for strengthening computer defenses across the country. Their deadline is the last month of the current administration and their main audience is the next president.

Some Americans do not want the government involved in network security at all, a sensitivity acknowledged from the get-go by some strange bedfellows at Thursday’s inaugural committee meeting.

The Stanford cyber scholar, the former NSA director, and the chief security officer of ride-sharing app Uber are a few of the 12 commissioners whose names were announced Wednesday.

Lin, who lived in the capital region for decades as a Hill staffer and then a National Academies scientist, described the California high-tech sector’s attitude toward Washington as "incredible antipathy."

That very day, tech associations were apoplectic over a new congressional proposal that would force their members to break encryption on customer devices for federal investigators.

Lin’s reference to domestic surveillance sparked an immediate response from fellow commissioner and former NSA chief, Gen. Keith Alexander.

Because many of the concerned companies are multinational corporations, the U.S. government should coordinate with other governments to come to terms on acceptable cyberspace behavior, said Alexander, now chairman and CEO of cybersecurity firm IronNet.

He added that cyberincident insurance also could help drive standards across industry and the government, the same way lethal fires in 19th-century Chicago prompted an agreement on fire safety requirements for insurance.

Later, Alexander invoked mass surveillance claims by ex-NSA contractor Edward Snowden to explain why the government has a hard time executing what he says is its role in responding to a hack.

To "put it out," the government needs information from the companies themselves about what is happening on their networks, he said.

"Because the government can't see it despite what everyone thinks,” Alexander said. The underlying problem, according to him, is the absence of an arrangement for sharing attack information in a way that assures Americans the U.S. government is not trying to see personal information.

Meanwhile, Commissioner Joe Sullivan, of San Francisco-based Uber, said he would rather see the government act as part bankroller and part public works leader in cyberspace.

The advisory committee is supervised by the Commerce Department, he noted, sitting in the agency’s Washington headquarters.

"We see the government show up in the response mode after something bad has happened," Sullivan said. "We never see the government make a foundation on the road ahead. Because we're so closely aligned with the Commerce Department here, in this committee ... could we be the New Deal for the Internet?"

Just as the Roosevelt-era program spent billions of dollars on highway infrastructure still used today, the commission’s recommendations could lay the foundation for the security of the Internet long into the future, he said.

Uber, Stanford and NSA have each felt the loss of sensitive data. On Tuesday, the Stanford Daily newspaper reported that hundreds of current and former university employees are vulnerable to tax fraud because bad guys compromised their W-2 forms. A 2014 breach of computer systems exposed information on 50,000 Uber drivers. Snowden downloaded classified documents from NSA to share with the press.

The commission plans to hold five more public workshops in locations of topical interest such as Houston, home to an energy industry dependent on grid cybersecurity, and New York City, whose Wall Street institutions have been targeted by hackers in the past.

A draft report is expected to be ready for discussion by the final meeting, to be held in Washington at an undetermined date.

The commission was created Feb. 9 through a presidential executive order, as part of a grander Cybersecurity National Action Plan encompassing short-term and long-term initiatives.

Per President Obama's instructions, the recommendations will focus on, among other things, identity protection, the cyber talent shortage, and decrepit federal IT systems, as well as the incorporation of security into the physical things connected to the "Internet of Things." 

U.S. Chief Information Officer Tony Scott earlier this week, when asked if the Snowden disclosures had made it harder for the government to get top cyber experts, offered up a possible solution to the surveillance angst. 

"There are things that are classified and should be classified," he said. "But we've got to be smart about it and not, as a society, fool ourselves into thinking that we're protecting something when it either doesn't need protecting or shouldn't be protected in other cases."

As an example, Scott shared his own reaction to information-handling rules after coming from software firm VMWare to the White House.

"There were things that I knew in the private sector that when I got to the government were considered classified information," he said. " And you have to look at that and say, 'Why is this classified? Everybody knows this -- or everybody should know this. Why are we doing that?' And that's a cultural thing that we're going to have to work on and certainly continue to have dialogue on."

On Feb. 17, Obama named former National Security Adviser Tom Donilon as commission chairman and Sam Palmisano, the former CEO of IBM, as the vice chairman. Former Liberty Group Ventures President Kiersten Todt was announced as executive director March 23.

In tandem with forming the commission, Obama delivered Congress a $19 billion cybersecurity budget for 2017, about $3 billion of which would go toward rebooting the government's outdated, insecurable IT systems.