Who’s Really in Charge of Federal Cybersecurity and Is It Time for a White House CISO?
High-profile cyber incidents haven’t led to a grand rethink of the government’s cyber org chart.
In the wake of devastating breaches of sensitive government data, is it time for the White House to appoint a high-level official whose sole responsibility is hunting down cyber intruders in federal agency networks?
That’s what Richard Bejtlich, chief security strategist for FireEye, told members of the House Armed Services Committee during a hearing Wednesday.
For more than a decade, the federal government has had a federal chief information officer, and President Barack Obama fulfilled a campaign by appointing the first U.S. chief technology officer in 2009.
But high-profile cyber incidents at the Office of Personnel Management, the Postal Service, the State Department and even the unclassified networks at the White House haven’t led to a grand rethink of the government’s cyber org chart.
“This is similar to the situation of many private sector businesses before a breach, but after a breach they quickly change,” Bejtlich said. “Thus far, the government has not changed. We still don't have a U.S. CISO.”
Bejtlich was one of several outside experts asked to evaluate the Pentagon’s April 2015 rewrite of its cybersecurity strategy. Bejtlich said his proposed federal CISO would have oversight of civilian networks but stay out of DOD’s way. DOD and the intelligence community are already doing fairly well at continuously probing their networks for intruders, he said.
"This is a culture shift that needs to take place in the rest of the government, in the civilian side of the government,” Bejtlich testified. “And that would be my initial mandate to the federal CISO . . . to bring that culture of going out there and looking for intruders in the federal networks as opposed to continuing to build higher walls.”
The proposal envisioned by Bejtlich would put the U.S. CISO in charge of a “Federal Computer Incident Response Team,” or FedCIRT, according to his prepared testimony. The team’s goal “would be to hunt for intruders in nonintelligence, nondefense networks, and conduct joint incident response and recovery operations with the affected departments and agencies.”
The federal government’s cybersecurity duties are notoriously Balkanized.
Current federal policy puts the Department of Homeland Security in charge of securing the dot-gov domain. DHS also operates a governmentwide 24-7 cyber watch floor and deploys its U.S Computer Emergency Management Team when agencies detect a breach.
But the White House’s Office of Management and Budget also oversees agencies’ compliance with the Federal Information Security Management Act.
The White House cybersecurity coordinator, or “cyber czar,” sits on the National Security Council and advises the president on cybersecurity matters but does not set policy or control a budget.
Lawmakers spot a leadership vacuum in the tangle of roles and responsibilities.
The government lacks a point person with the authority “to reach across government to compel departments to do what they need to close cyber vulnerabilities,” said Rep. Jim Langevin, D-R.I., during the hearing Wednesday. "Right now, we do not have anyone in charge ostensibly in that respect.”
(Image via Orhan Cam/ Shutterstock.com)