Co-chaired by James R. Langevin, Michael McCaul, and Microsoft's VP of Trustworthy Computing, Scott Charney, the Commission was established in October 2007 with the full name being "the Center for Strategic and International Studies' Commission on Cybersecurity for the 44th Presidency". Langevin describes it as being "a non-partisan commission composed of approximately 30 renowned cybersecurity experts, both in and out of government, from across the country.
This is a Two Part posting. In today's Part One we'll be reviewing the "where are we?" - the historical background of recommendations that lead to the need for this Commission and its Recommendations. Tomorrow we'll look at the recommendations themselves.
The Commission briefed the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Committee on Homeland Security back on September 16, 2008. (The Hearings were webcastand the prepared testimony of the various witnesses, as well as reports from David Powner's excellent team at the Government Accountability Office are available on the Committee's Hearings page.)
Homeland Security Committee Chairman, Rep. Bennie G. Thompson, opened his portion of the hearing with a scathing review of previous failures in this area, including the fact that the 2002 "National Strategy to Secure Cyberspace" presented problems, but mandated no changes, the fact that Richard Clarke's position in the White House as Advisor on Cybersecruity was eliminated in 2003, the fact that the position of the Congressionally mandated DHS Assistant Secretary for Cybersecurity was unfilled for more than a year, and then "buried four levels down in the bureaucracy.
Thompson makes it clear in his remarks: "So many years we've been at it, and we're still so far away. As the Chairman of the Homeland Security Committee, with oversight over this Department, I want to state clearly and for the record -- that is unacceptable to me."
For this blogger, I believe that for nearly six years the road to Cybersecurity has crawled forward with many fits, bumps and starts, but that 2008 has been a year where some significant new improvements have begun. I'm VERY excited about the new NCSD, especially his law enforcement background and training and active duty as an "ECSAP Agent" (Electronic Crimes Special Agent Program) for the US Secret Service, and I'm VERY excited about the twelve part National Cyber Security Initiative, especially after hearing more about the details first in Tallahassee at the Florida Government Technology Conference, and then last week as news from the Burton Group briefing keynoted by Steve Chabinsky, Deputy Director, Office of the Director of National Intelligence shared more details of the plan.
These things give me hope.
Back to the Commission though . . . the stage was set at the House Committee on Homeland Security by first reviewing the state of DHS Cybersecurity Initiatives.
David Powner, Director of Information Technology Management Issues for the Government Accountability Office, set the stage for the Commission's report with his testimony (available as GAO-08-1157T, CRITICAL INFRASTRUCTURE PROTECTION: DHS Needs to Better Address Its Cybersecurity Responsibilities). Powner says that over the years the 30 recommendations made to DHS in this area by his team fell into six key areas:
- Bolstering cyber analysis and warning capabilities.
- Reducing organizational inefficiencies.
- Completing actions identified during cyber exercises.
- Developing sector-specific plans that fully address all the cyber-related criteria.
- Improving cybersecurity of infrastructure control systems.
- Strengthening DHS's ability to help recover from Internet disruptions.
GAO further identified 13 "DHS Key Cybersecurity Responsibilities" (see the full PDF for more detailed descriptions)
- Develop a national plan for Critical Infrastructure Protection that includes cybersecurity.
- Develop partnerships and coordinate with other federal agencies, state and local governments, and the private sector.
- Improve and enhance public/private information sharing involving cyber attacks, threats, and vulnerabilities.
- Develop and enhance national cyber analysis and warning capabilities.
- Provide and coordinate incident response and recovery planning efforts.
- Identify and assess cyber threats and vulnerabilities.
- Support efforts to reduce cyber threats and vulnerabilities.
- Promote and support research and development efforts to strengthen cyberspace security.
- Promote awareness and outreach.
- Foster training and certification.
- Enhance federal, state, and local government cybersecurity.
- Strengthen international cyberspace security.
- Integrate cybersecurity with national security.
The GAO testimony referred heavily to three previous reports where other DHS Cyber recommendations have been made:
GAO-08-588: CYBER ANALYSIS AND WARNING: DHS Faces Challenges in Establishing a Comprehensive National Capability July 2008 (67 page PDF)
GAO-08-825: CRITICAL INFRASTRUCTURE PROTECTION: DHS Needs to Fully Address Lessons Learned from Its First Cyber Storm Exercise September 2008 (39 page PDF)
GAO-08-1075R: Federal Legal Requirements for Critical Infrastructure IT Security September 16, 2008 (72 page PDF)