Former, current Bush officials battle on cybersecurity
The Bush administration's top information technology official and its former cybersecurity czar locked horns Tuesday over the need for dedicated senior officials for cybersecurity.
"I would ask, 'Who is the highest person who does nothing but cybersecurity in the Department of Homeland Security, and in the [White House] Office of Management and Budget, and how many people in OMB have that as a full-time responsibility?'" said Richard Clarke, former special adviser to the president for cybersecurity. "The answers to those are pretty frightening."
Mark Forman, associate director for information technology and e-government at OMB, said the issue was "thoroughly vetted" when the department's directorate on information analysis and information protection was created. He noted the intention to nominate Robert Liscouski as Homeland Security's assistant secretary of infrastructure protection, with the responsibility for physical and cybersecurity.
Forman said the new department's plan for cybersecurity will become clearer. He added that the federal government is addressing the issue through the chief information officers in the department who are being integrated into cybersecurity activities.
But Michael Vatis, director of the Institute for Security Technology Studies at Dartmouth College, said, "The worry I have is that if an official is looking at physical and cybersecurity, cyber is going to get short shrift."
Vatis, the former head of the National Infrastructure Protection Center (NIPC), also predicted that it will take more than a year for the department to get government back to its previous level of cybersecurity. He said less than 20 of the 300 people from the former NIPC actually moved to the department as part of that center's transition.
The experts spoke at a hearing of the House Government Reform Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee.
Clarke said the thought of the federal government's cyber policies "scares me to death." He and Vatis recommended that that the Securities and Exchange Commission require publicly traded companies to list the cybersecurity measures they take on the reports they submit to the agency. Then the companies would get grades from outside auditing firms, he said. That strategy "had a great effect" amid concerns about possible computer malfunctions dubbed the Y2K bug, he said.
Clarke disagreed with Vatis' suggestion that such data be made public, however. Clarke said the focus should be on overall performance, with breaches confidentially reported to a third party.
Forman resisted the idea, suggesting that market forces, in which customers seek companies that have taken cybersecurity measures, are sufficient.
Clarke also recommended mandatory cyber insurance for companies, which he said would require first that the insurance industry set standards. Rates could reflect cybersecurity actions taken, he said. An actuarial database would need to be established as well, he said.
Clarke further recommended that Congress act to secure the Internet domain-name system and the border gateway protocol.
Clarke said cyberattacks are inevitable. "As long as we have major cybersecurity vulnerabilities that would allow someone to screw up our economy, then someone will," he said.