DHS Responds to Us

| Oct 20, 2009 | 4 comments

napolitano

This morning at 11am Homeland Security Secretary Janet Napolitano addressed the nation as part of the ongoing activities around National Cybersecurity Awareness Month. This is the sixth year of this program, sponsored by the National Cyber Security Division (NCSD) of the Department of Homeland Security, in which the department advises the American people on staying safe online. This year’s theme is “Our Shared Responsibility”, reinforcing the idea that all computer users have a responsibility for protecting themselves online. The address this morning featured the ability to ask questions of the Secretary: we sent one in and Secretary Napolitano answered it.

The overall talk was very accessible, speaking directly to people on the threats faced online and the precautions people can take to protect themselves. The Secretary referenced President Obama’s remarks a few months ago including his assertion that the status quo is insufficient. She noted the DHS role in securing civilian government networks referred to by her as the “.Gov world”. She also mentioned a few DHS initiatives, including: the consolidation of external connections at federal agencies and the use of the DHS intrusion detection system referred to as EINSTEIN.

“the President challenged the nation to “seize the promise” and also “confront the perils” that technology brings.”

Janet Napolitano

After her talk, she accepted submitted questions. I will admit that I typed up a question quickly on Monday, only half thinking it would actually get answered (I apologize for my lack of faith). I probably would have thought about it a little more had I known it would be answered. That said, I tried to ask a question where the answer could provide a gauge of the Secretary’s view of how federal information security should be organized, and who should lead it. We’ve all been listening to the talk about a Cybersecurity Czar, so understanding the Secretary’s point of view on this issue would be timely.

Without further ado, here’s the question:


Question 2: Daniel from New York –
We have cabinet level positions for labor, agriculture, energy, transportation, and yet none for technology/security which, as an industry, has a size commensurate with the others represented. Do you think a cabinet position to represent technology and its related effects – such as cybersecurity – is necessary?


How serious was I about a cabinet level position? Well if you think about the primary role of the cabinet, before running large bureaucracies, it is to provide advisory to the President. Same role as a czar, an adviser to the President, except where czar’s usually hang out in pre-1900 Russia, cabinet positions have been a standard in the U.S. for about 200 years. So if Benjiman Rush, a founding father, can propose a Peace Department, I can propose the Information Assurance Department.

If I can’t get a cabinet position, I’ll settle for a single, empowered official that can lay out a strong, reasoned strategy on information assurance and the protection of critical assets (or infrastructure) for the nation. We, on the national level, at this time, appear to have some serious risks to deal with and a disjointed legislative and strategic response. This requires step 1 in every strategic plan: put someone in charge. You’re oversimplifying you might counter. All strategic plans that have a chance of working put someone in charge, someone to be accountable for moving from the ‘as is’ state that is the status quo to the ‘to be’ state that leader outlines as required. Someone with a real understanding of the threats faced in cyberspace. Ideally someone who knows what he or she is doing would be great, but we won’t get greedy.

Here is what Secretary Napolitano had to say:

Answer: “Daniel, I’m not sure that I think that a cabinet level position is necessary. And the reason is that cyber runs through everything that we do as a government. So, it’s really hard to segregate it out. In fact, I think one of the things we’re learning as we enter this new cyber arena is that segregating it into an IT or IT function no longer is adequate. Again, as my remarks suggested, cyber is part of everything we do, from the most basic transaction to complicated security protections of our country. So what we need to do is make sure that cyber is part of our thinking in all departments. But added to that now, the president has included a chief technology officer, a chief information officer, in the White House, and he will be appointing a coordinator for cyber within the White House to help make sure that cyber is part of all that we do throughout the vast array of the federal government as we move forward.”


A fair answer, and it ‘got me’ on confusing information technology with information security. I should have been more clear with that in the question I asked, security is not exclusively a technology problem, and in this case I definitely don’t think the security official should report through the government’s CIO (chief information officer), Vivek Kundra or any other technology department. Like any other organization, sometimes it works to have a chief information security officer (CISO) report to the CIO and sometimes the CISO should report to someone else. I don’t think reporting to the CIO would work in this case. The CIO position is below that of chairman of the Office of Management and Budget (OMB) which does not provide the direct high level access required. Further the OMB does not have the historical role with cybersecurity that DHS and other entities have had. Finally the Federal Chief Information Officer role is best served being countered by a strong security representative, such that the transparency and related initiatives underway are properly vetted.

I was willing to combine security with technology if it got that cabinet position created. If not, forget it. :)

The answer gets a little confused in the middle. The Secretary starts by stating that information security runs through everything in government, therefore it can not be siloed out and every department must have “cyber” in their thinking or planning. But then she points out that the President has appointed central leaders for technology and looks to appoint one for “cyber” (assumed to be information security).

The use of technology does permeate every department. Understanding information security and taking safeguards to protect critical assets is the responsibility of every department. But overall strategic direction, standardization, central monitoring, organized procurement, and many other aspects of information security management will not happen without centralized leadership. Accountability is lost without an empowered national leader for information assurance.

The Secretary seems to acknowledge this dichotomy in her response. I encourage you to review the full speech:

Also, who else is ready to retire the term “cybersecurity” in favor of something else (information assurance maybe)?

Update

Dark Reading posted an interesting synopsis of the response to my question: DHS Secretary Says Cabinet-Level IT Position Unnecessary

Related Posts:


Filed Under: Homeland Security

Tags: , ,

Comments (4)

Trackback URL | Comments RSS Feed

  1. Jason Remillard says:
    October 21, 2009 at 9:20 PM

    Not bad….really. Better response than anyone has had in years! :)

    congrats on casting out and getting a hit

    -Jason

    Reply
  2. Week 43 in Review – 2009 | Infosec Events says:
    January 30, 2010 at 11:52 AM

    [...] DHS responds to us – praetorianprefect.com The address featured the ability to ask questions of the Secretary; we sent one in and Secretary Napolitano answered it. [...]

    Reply
  3. securasys says:
    April 8, 2010 at 10:21 AM

    Prefect,

    I was reading your blog post and I agree with you that in order to create a serious approach to cybersecurity, “definite leadership” is needed along with “definite authority”. You mentioned in your post how having a CISO report to a CIO can work in certain instances. I have to say, in my experience these cases are few and far between. In order for this reporting structure to work, the CIO would need to have an in depth knowledge of not only Technology but Information Security as a separate discipline.

    In many cases, the CIO misses the mark on understanding the need and urgency of security and fails at communicating that understanding to the CEO or executive board or whoever makes the final decision. In my opinion, the CISO should be the CIO’s peer and not a subordinate.

    A company needs to be able to have a security leader with excellent business acumen who can translate the real state of security to a decision maker. They need to have the assurance that their recommendations will not be watered down by a boss who simply “doesn’t get it”.

    This also eliminates any “fear” of disagreeing with your direct manager in the event the CISO’s views are in direct conflict with that of the CIO.

    I think this message is slowly starting to gain traction as the world realizes that Information Security is not something you can fix with a firewall, but involves a lifecycle involving constant study of trends and constant adjustment of existing controls. I say this in view of the many bills that are currently on the House floor relating to Cybersecurity. One particular bill that caught my attention was HR 4900 that involves the creation of a National Office for Cyberspace and a cabinet level position within the executive Office of the President.

    The individual chosen to be the Director of the National Office for Cyberspace will need to be appointed by the President but with the advice and consent of the Senate. I think this is a “game changer” and starts to place this “Security lead” in a position on par with other critical agencies with direct access to the President or his immediate advisors. I think this highlights the separation of “Information Security” as a necessary method in the overall approach to overall mitigation of risk.

    I thought this was very interesting…

    Reply
    • Prefect says:
      April 8, 2010 at 9:48 PM

      Some very good points, I agree that it takes a very good CIO to make such a reporting structure work. In most cases the CIO has way too much on his or her plate to also be the voice of information security effectively.

      That said most CISO’s are buried in their organizations. I would say that while it might be ideal to have the CISO as a department head, some companies may not find that palatable. Therefore the next level down, reporting to a CIO, CFO, General Counsel, etc. does still allow for effectiveness. I mean two levels from the top, when you start to get into the CISO reporting to the CIO reporting to the CFO, you end up with an overly burdensome chain that is similarly ineffective.

      Any lower then that second tier and its clear information security is not a strategic concern of the organization to anyone looking at it (vendors, customers, stakeholders, employees).

      Further, if you as a senior leader can’t imagine the person you have as CISO at that level of the organization, you don’t have the right person filling your CISO role, as its a strategic one when effective.

      Therefore a good CIO has his or her CISO right next to him or her when dealing with the rest of the executive leadership. Or else the CISO is not in IT. But never should the CIO attempt to make information security a sub discipline of information technology, that approach is usually a prelude to failure.

      Reply

Leave a Reply




If you want a picture to show with your comment, go get a Gravatar.