Defining New Cybersec Roles for DHSCreating a 24x7 Operational Center of Excellence
Our responses include organizational restructuring, regulation and attempts to centralize decision making all with the intent to reduce the vulnerabilities and minimize the damages of intrusions. We appear to be asking the Department of Homeland Security to take on new cybersecurity roles and missions while it is establishing its basic core competencies.
Is this reasonable? Do we want DHS to become a first party regulator? Do we want DHS to assume an operational role that provides actionable information to the private sector?
We appear to be asking DHS to take on new cybersecurity roles and missions while it is establishing its basic core competencies. Is this reasonable? Do we want DHS to become a first party regulator?
Becoming an operational center of excellence that disseminates timely and actionable cybersecurity threat, vulnerability, mitigation and warning information to improve the security and protection of federal systems and critical information infrastructure is necessary.
Success requires DHS to adopt a 24x7 customer-service business model, where its customers are other federal agencies; state, local, tribal and territorial governments; the private sector; academia and international partners.
It would need to learn from successful customer-service industries and embed the necessary industry partners like the member companies of the National Security Telecommunications Advisory Committee within its operations. It would need to pass knowledge onto its customers that removes the sensitive sources and methods that make it classified and therefore make it more readily available and actionable.
There are many other aspects of a 24x7 information security operation that DHS could take on. Some of these capabilities are outlined in the administration's legislative package (see White House Unveils Cybersecurity Legislative Agenda) and some additional capabilities are outlined in other pieces of pending legislation.
Yet it is important to admit that establishing an effective 24x7 operation is no small task. It requires real specialization and technical expertise, a commitment to providing a 100 percent up-time service, and if an incident occurs, an ability to turn to the private entities that will likely be called upon to operate in a degraded state and restore operations and infrastructures quickly.
While it is possible that the National Cybersecurity and Communications Integration Center could evolve and assume this role, it would require it to become an independent operational unit carved out of the headquarters entity of DHS, akin to United States Secret Service or the Drug Enforcement Agency.
If we are truly interested in setting up a 24x7 operation immediately, then DHS in cooperation with the Department of Defense could call up specialist cybersecurity units within the National Guard or DoD Reserve Forces.
DHS also could turn to outside organizations, such as the Carnegie Mellon Computer Emergency Response Team to further augment its staff.
Congress and the administration also turn to DHS to raise awareness, fund education initiatives, incubate technology and broadly set cybersecurity policies for the critical infrastructures.
At the forefront, DHS is responsible for increasing public awareness. It is currently sponsoring a competition to develop a public service announcement on cybersecurity to augment the October Cybersecurity Awareness Month. It is also conducting a review of the university participation in the National Centers of Academic Excellence in Information Assurance to determine how it can increase the number of universities participating, obtain full 50-state participation, increase the output of students per program and align more closely with the National Science Foundation's Scholarship for Service. Linking these programs to hands-on experiential learning like that of the high-school, university and professional competitions sponsored by the U.S. Cyber Challenge (see Searching for the Good Hacker) would be a natural next step.
DHS's recently released a paper entitled Enabling Distributed Security in Cyberspace: Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action that explores the idea of a healthy, resilient and fundamentally more secure cyber ecosystem of the future. It envisions an environment of cyber participants, including cyber devices, that are able to work together in near-real time to anticipate and prevent cyberattacks, limit the spread of attacks across participating devices, minimize the consequences of attacks and recover to a trusted state.
If DHS were to drive the implementation of this vision, it will require DHS to modify its relationship with industry, consolidate the number of private-public partnerships and drive the development of standards in partnership with the National Institute of Standards and Technology. It will also require DHS to lead the discussion on behalf of the executive branch for the following questions: What are the business drivers that will incentivize the necessary investments? What are the appropriate roles and responsibilities of the public and private sector in delivering the healthy ecosystem? Which elements should be prioritized for early realization?
As a healthy cyber ecosystem emerges, governance questions become salient. Will system owners cede decision making to the community? Who sets policy for inter-enterprise information exchange and deployment of countermeasures? What liability regimes apply for collateral consequences of countermeasure deployment (or the failure to deploy known countermeasures)? What legal authorities should local and national governments, as well as international entities, have to compel action by devices owned by or serving private parties in order to secure the larger cyber commons?
Like the operational role, this policy-based role requires personnel who are steeped with background in policy development and the art of negotiation. It also requires understanding of the technical underpinnings of the next generation hardware and software and knowledge of the standards setting processes. Raising awareness and advocating a new architecture of hardware and software products for industry to build toward is no small task.
If Congress and the administration want DHS to be the national voice for cybersecurity, they cannot necessarily be saddled with all of the operational and regulatory missions that are recommended in the legislative proposals.
Melissa Hathaway is president of Hathaway Global Strategies and a senior adviser to Harvard Kennedy School's Belfer Center. She led President Obama's Cyberspace Policy Review as National Security Council acting senior director for cyberspace and the development of the Board of Advisers. This article was adapted from testimony Hathaway delivered to Congress on June 24.