by Senior Editor

RSA 2009: Why the Top U.S. Cyber Official is Losing Sleep

Apr 22, 2009
Application Security, Critical Infrastructure, Cybercrime

Melissa Hathaway has led an extensive review of the nation's cybersecurity. Her dreams are haunted by what she has discovered

SAN FRANCISCO — The United States’ top cybersecurity official already knew the world’s digital infrastructure needed help before she took on a 60-day cyberspace policy review. With the review now complete, she admits the gravity of the situation seeps into her dreams and disturbs her sleep.

“I worry about [questions surrounding cyber security] every night; they infiltrate my dreams,” Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils, said in a keynote speech at the RSA Conference Wednesday. “I often wake up at 2:30 or 4:30 in the morning having worked the problem in my sleep, and sometimes even develop a good idea.”

President Obama tapped Hathaway, a Bush administration official who helped develop a multi-billion-dollar classified initiative to better secure federal systems and critical-infrastructure networks against online threats, to lead a 60-day review of the government’s cybersecurity efforts in February. [See Obama Taps Bush Aide to Review Federal Cybersecurity Efforts]

She acknowledged what everyone attending RSA already knew: The nation’s digital infrastructure — the world’s, for that matter — is full of security holes that leave us vulnerable to those who would steal personal data for financial gain or to compromise national security. [See Botnets: 4 Reasons It’s Getting Harder to Find and Fight Them]

“Despite all of our efforts, our global digital infrastructure, based largely upon the Internet, is neither secure enough nor resilient enough for what we use it for today and will need into the future,” she said. “This poses one of the most serious economic and national security challenges of the 21st century.”

She offered several examples: The design of today’s digital infrastructure was driven more by considerations of interoperability and efficiency than of security, she said. As a result, a growing array of state and non-state actors can compromise, steal, change, or destroy information. She cited “countless intrusions that have allowed criminals to steal hundreds of millions of dollars and allowed nation states and others to steal intellectual property and sensitive military information.” Digital miscreants even have the ability to threaten or damage portions of the nation’s critical infrastructure, she said, a recent example being a November 2008 incident where 130 automated teller machines in 49 cities around the world were illicitly emptied in the space of a half hour. These and other risks have the potential to undermine consumer confidence in the information systems that underlie our economic and national security interests, she said.

Hathaway didn’t delve into the meat of recommendations she has prepared for Obama, but she did share these bullet points [taken from the text of her speech]:

  • It is the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and to ensure that the United States and the world can realize the full potential of the information technology revolution.
  • This responsibility transcends the jurisdictional purview of individual departments and agencies because, although each agency has a unique contribution to make, no single agency has a broad enough perspective to match the sweep of the challenges.
  • It requires leading from the top — from the White House, to Departments and Agencies, State, local, tribal governments, the C-Suite, and to the local classroom and library.
  • The national dialogue on cybersecurity must advance now. We need to explain the challenges and discuss what the Nation can do to solve problems in a way that the American people can appreciate the need for action.
  • The United States cannot succeed in securing cyberspace if our government works in isolation. Cyberspace knows no boundaries. There is a unique opportunity for the United States to work with countries around the world to make the digital infrastructure a safe and secure place that drives prosperity and innovation for all nations.
  • The Federal government cannot entirely delegate or abrogate its role in securing the nation from a cyber incident or accident. The Federal government has the responsibility to protect and defend the country, and all levels of government have the responsibility to ensure the safety and well-being of citizens. The private sector, however, designs, builds, owns, and operates most of the digital infrastructures that government and private sector use in concert. The public and private sectors’ interests are intertwined with a shared responsibility for ensuring a secure, reliable infrastructure upon which businesses and government services depend. Information is key to preventing, detecting, responding to and recovering from cyber incidents. Again, this requires evolving our partnerships together. Government and industry leaders, both here and abroad, need to delineate roles and responsibilities, balance capabilities, and take ownership of the problem to develop holistic solutions. Only through such partnerships will the United States be able to enhance cybersecurity and reap the full benefits of the digital revolution.
  • Building toward the architecture of the future requires research and development that focuses on game-changing technologies that could enhance the security, reliability, resilience and trustworthiness of our digital infrastructure. We need to be mindful of how we, government and industry together, can optimize our collective research and development dollars and work together to improve market incentives for secure and resilient hardware and software products, new security innovation, and secure managed services.
  • The White House must lead the way forward with leadership that draws upon the strength, advice and ideas of the entire nation.

She concluded that everyone has a role to play in improving cybersecurity, most notably the IT security practitioners seated before her in the Moscone Center keynote hall.

The government’s role in cybersecurity — specifically the amount of control it should have over how the private sector manages it — has been one of the top-of-mind issues for conference attendees this week. The issue has increasingly consumed the information security community in recent weeks because of legislation filed in the U.S. Senate that would, among other things, give the government more power to enforce security in the private sector. [See Federalizing Cybersecurity: Necessary or Nitwitted?]

In the article cited above, most IT security professionals expressed doubts about giving the government more control, given its own troubles in tackling the problem.

Rich Mogull, a former Gartner analyst and founder of security consultancy Securosis, said a deeper government reach into the private sector may make sense under certain circumstances, but not in the broader sense.

“I think it’s reasonable for critical infrastructure and government contractors, but if it extends into general business, it’s doomed to failure,” he said.

For one thing, he said, the government has shown no ability to secure itself. “Perhaps the re-prioritization of a new administration will improve that, but there is immeasurable institutional momentum to overcome,” he said.

While the NSA plays a critical role in cyber-intelligence, Mogull said it is not the right entity to manage our national defensive cybersecurity. “The missions fundamentally conflict,” he said. “If we want to leverage their extensive expertise, a separate agency should be created and charged with the defensive role, reporting to a cybersecurity head outside the intelligence infrastructure.”

Top government officials don’t necessarily disagree. Lt. Gen. Keith Alexander, director of the National Security Agency (NSA), has repeatedly insisted that cybersecurity is too big a job for the government to handle alone. He repeated the point during his RSA appearance Tuesday.

“Clearly, the NSA has a major role to play,” Alexander said. “We’re technical people. We’ll have the lead, I think, for the Defense Department and the intel community, for critical national security systems, but we need partnership with others.”