
DHS Responds to Us


This morning at 11am Homeland Security Secretary Janet Napolitano addressed the nation as part of the ongoing activities around National Cybersecurity Awareness Month. This is the sixth year of the program, sponsored by the National Cyber Security Division (NCSD) of the Department of Homeland Security, in which the department advises the American people on staying safe online. This year’s theme is “Our Shared Responsibility”, reinforcing the idea that every computer user shares responsibility for protecting themselves online. The address included the opportunity to submit questions to the Secretary: we sent one in and Secretary Napolitano answered it.

The overall talk was very accessible, speaking directly to people about the threats faced online and the precautions they can take to protect themselves. The Secretary referenced President Obama’s remarks from a few months ago, including his assertion that the status quo is insufficient. She noted the DHS role in securing civilian government networks, which she referred to as the “.Gov world”. She also mentioned a few DHS initiatives, including the consolidation of external connections at federal agencies and the use of the DHS intrusion detection system referred to as EINSTEIN.

“The President challenged the nation to ‘seize the promise’ and also ‘confront the perils’ that technology brings.”

Janet Napolitano

After her talk, she accepted submitted questions. I will admit that I typed up a question quickly on Monday, only half thinking it would actually get answered (I apologize for my lack of faith). I probably would have thought about it a little more had I known it would be answered. That said, I tried to ask a question whose answer could provide a gauge of the Secretary’s view of how federal information security should be organized, and who should lead it. We’ve all been listening to the talk about a Cybersecurity Czar, so understanding the Secretary’s point of view on this issue would be timely.

Without further ado, here’s the question:


Question 2: Daniel from New York –
We have cabinet level positions for labor, agriculture, energy, transportation, and yet none for technology/security which, as an industry, has a size commensurate with the others represented. Do you think a cabinet position to represent technology and its related effects – such as cybersecurity – is necessary?


How serious was I about a cabinet level position? Well, if you think about the primary role of the cabinet, before running large bureaucracies, it is to advise the President. That is the same role as a czar, an adviser to the President, except that czars usually hung out in pre-1900 Russia, while cabinet positions have been a standard in the U.S. for about 200 years. So if Benjamin Rush, a founding father, could propose a Peace Department, I can propose an Information Assurance Department.

If I can’t get a cabinet position, I’ll settle for a single, empowered official who can lay out a strong, reasoned strategy on information assurance and the protection of the nation’s critical assets (or infrastructure). At the national level, at this time, we appear to have some serious risks to deal with and a disjointed legislative and strategic response. This requires step 1 of every strategic plan: put someone in charge. You might counter that I’m oversimplifying. But every strategic plan that has a chance of working puts someone in charge, someone accountable for moving from the ‘as is’ state that is the status quo to the ‘to be’ state that the leader outlines as required. Someone with a real understanding of the threats faced in cyberspace. Ideally someone who knows what he or she is doing, but we won’t get greedy.

Here is what Secretary Napolitano had to say:

Answer: “Daniel, I’m not sure that I think that a cabinet level position is necessary. And the reason is that cyber runs through everything that we do as a government. So, it’s really hard to segregate it out. In fact, I think one of the things we’re learning as we enter this new cyber arena is that segregating it into an IT or IT function no longer is adequate. Again, as my remarks suggested, cyber is part of everything we do, from the most basic transaction to complicated security protections of our country. So what we need to do is make sure that cyber is part of our thinking in all departments. But added to that now, the president has included a chief technology officer, a chief information officer, in the White House, and he will be appointing a coordinator for cyber within the White House to help make sure that cyber is part of all that we do throughout the vast array of the federal government as we move forward.”


A fair answer, and it ‘got me’ on confusing information technology with information security. I should have been clearer about that in the question I asked: security is not exclusively a technology problem, and in this case I definitely don’t think the security official should report through the government’s CIO (chief information officer), Vivek Kundra, or any other technology department. As in any other organization, sometimes it works to have a chief information security officer (CISO) report to the CIO and sometimes the CISO should report to someone else. I don’t think reporting to the CIO would work in this case. The Federal CIO sits below the Director of the Office of Management and Budget (OMB), which does not provide the direct high level access required. Further, OMB does not have the historical role in cybersecurity that DHS and other entities have had. Finally, the Federal Chief Information Officer role is best served by being balanced by a strong security representative, so that the transparency and related initiatives underway are properly vetted.

I was willing to combine security with technology if it got that cabinet position created. If not, forget it. :)

The answer gets a little confused in the middle. The Secretary starts by stating that information security runs through everything in government, so it cannot be siloed off and every department must have “cyber” in its thinking and planning. But then she points out that the President has appointed central leaders for technology and looks to appoint one for “cyber” (assumed to mean information security).

The use of technology does permeate every department, and understanding information security and taking safeguards to protect critical assets is the responsibility of every department. But overall strategic direction, standardization, central monitoring, organized procurement, and many other aspects of information security management will not happen without centralized leadership. Accountability is lost without an empowered national leader for information assurance.

The Secretary seems to acknowledge this tension in her response. I encourage you to review the full speech.

Also, who else is ready to retire the term “cybersecurity” in favor of something else (information assurance maybe)?

Update

Dark Reading posted an interesting synopsis of the response to my question: DHS Secretary Says Cabinet-Level IT Position Unnecessary

Discussion

2 comments for “DHS Responds to Us”

  1. Not bad….really. Better response than anyone has had in years! :)

    congrats on casting out and getting a hit

    -Jason

    Posted by Jason Remillard | October 21, 2009, 9:20 PM
  2. [...] DHS responds to us – praetorianprefect.com The address featured the ability to ask questions of the Secretary; we sent one in and Secretary Napolitano answered it. [...]

    Posted by Week 43 in Review – 2009 | Infosec Events | January 30, 2010, 11:52 AM
