House S&T Committee Assesses Cybersecurity Activities at NIST and DHS.


The House Science and Technology committee held a hearing last Thursday afternoon to assess the cybersecurity efforts of the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST). The committee reviewed the agencies’ current cybersecurity programs, asking the advice of private sector security experts on the role the federal government has in securing the private sector’s infrastructure, enhancing the monitoring of federal networks, and more clearly defining cybersecurity metrics. Called to testify were Mr. Greg Wilshusen, the Director of Information Security Issues at the Government Accountability Office (GAO); Mr. Mark Bregman, the Executive Vice President and Chief Technology Officer of Symantec Corporation; Mr. Scott Charney, the Corporate Vice President of Microsoft’s Trustworthy Computing Group; and Mr. Jim Harper, the Director of Information Policy Studies at the Cato Institute.
In his opening statement, Technology and Innovation Subcommittee Chairman David Wu (D-OR) asked the witnesses what is required to implement the recommendations of the 60-day review. He praised the review’s call to develop metrics to improve program assessment, budgeting, research and development, and planning. He stressed, however, that the $830M request this year from NIST and DHS for cybersecurity efforts needs to be used wisely.
The panelists were circumspect about the role of the new cybersecurity czar, warning against government taking too large a role by acting as a co-partner or regulator of industry. Government, they agreed, should set security policy, minimum goals and desired outcomes, as well as facilitate best practices to help agencies meet these goals.
Mr. Wilshusen pointed out that DHS has yet to fully satisfy its cybersecurity requirements. He recommended that DHS work to bolster cyber analysis and warning systems, improve infrastructure control systems, strengthen recovery ability, reduce organizational inefficiencies, and secure internal information systems.
Mr. Bregman highlighted the global nature of problems in cybersecurity: “We all are using the same hardware and software. We all share the risks of cybersecurity.” Bregman defined the role of DHS and NIST as agencies that provide strategic direction, coordination, and balance for the nation, as well as taking a prominent role in international cybersecurity.
In his opening testimony, Mr. Charney remarked, “Government must develop a model for managing its own security.” Charney supported the near-term action plan of the administration’s review, especially in areas where DHS and NIST can expand their capabilities to support government-wide policy, standards and oversight of cybersecurity.
Mr. Harper responded to the review by expressing his concern with threat exaggeration that may lead to policies that suppress competition and jeopardize civil liberties. Government, he stated, is a large consumer of cybersecurity goods, and can set high standards simply through its purchasing of products. Companies, he explained, should bear the burden of failure, not the government.
Mr. Wu’s question regarding public-private partnerships spurred a good deal of discussion. Charney, while agreeing with Mr. Harper regarding market liability, added that the market can supply security for the government in some cases and in other cases cannot. The government can fill in the gap by providing appropriate incentives. Charney acknowledged that there is some research industry cannot do because there is no economic model for it (e.g. the Internet). Mr. Bregman added that a clearly defined research agenda would stimulate investment in both the private and academic worlds. By aligning the research agendas of government agencies, a larger community of expertise can be created. Mr. Harper responded by stressing the importance of government and industry staying in their roles, and working separately in their respective areas.
Thursday’s hearing was the last of three hearings on cybersecurity in response to the administration’s Cyberspace Policy Review (pdf). For more information about the first hearing and second hearing, including testimony from the Computing Research Association board member Dr. Fred Schneider, see our earlier blog post.
An archived web cast of the hearing as well as copies of witness testimonies can be found on the House S&T Committee website.