Last Friday's disclosure that Rod Beckstrom is resigning from his position as one of the federal government's top cybersecurity executives has exposed widespread — though not universal — opposition to the National Security Agency's expanding role in domestic cybersecurity issues.
Many interested parties, including some federal lawmakers, are supporting Beckstrom's contention that allowing an intelligence agency such as the NSA to lead the government's cybersecurity efforts is a bad idea that will do little to foster the broad collaboration needed to protect public and private-sector networks against security threats.
Beckstrom, who currently is director of the National Cyber Security Center, said in a sharply worded letter to Janet Napolitano, secretary of the Department of Homeland Security, that he was resigning effective this Friday — less than a year after being appointed to the job at the NCSC. In the letter, he cited concerns about what he described as the NSA's growing domination of national cybersecurity initiatives as the main reason for his decision to quit.
The NCSC was set up within the DHS last year to oversee and coordinate the government's security defenses and responses to cyberthreats. But Beckstrom claimed in his resignation letter that the NSA was effectively running those efforts and is trying to wrest further control away from the DHS by proposing that the offices of both the NCSC and the National Protection and Programs Directorate, another DHS unit, be moved to the intelligence agency's headquarters at Fort George G. Meade in Maryland.
Letting an intelligence agency play the lead role on cybersecurity issues would be "bad strategy on multiple grounds," Beckstrom contended. He wrote that the intelligence culture embodied by the NSA is "very different than a network operations or security culture," and called for "a credible civilian government cybersecurity capability" in which the NSA would have a role, but not a controlling one.
Similar sentiments were voiced at a hearing on cybersecurity matters held yesterday by a subcommittee of the U.S. House Committee on Homeland Security. For instance, Rep. Bennie Thompson (D-Miss.), the committee's chairman, pointed to Beckstrom's resignation and said it was the result of inefficient leadership, an unclear organizational structure and poorly designed roles and responsibilities within the federal government.
The best way to handle the cybersecurity problem isn't to give more control to the NSA, but instead to rely for leadership on a civilian agency "that interfaces with but is not controlled by NSA," Thompson said. However, he didn't specify which agency he thought should be placed in charge of the government's efforts.
Scott Charney, vice president of Microsoft Corp.'s Trustworthy Computing initiative and one of the witnesses who testified at the hearing, said that letting the NSA take the lead would erode public trust in the effort to protect systems from attackers. There's no question that the NSA has the most technical expertise on cybersecurity of any government agency, Charney acknowledged. But, he said, if government officials want to convince people that the cybersecurity work is "being done in a transparent fashion, the mission cannot rest with the NSA."
Much of the opposition to the NSA taking charge of cyberdefense efforts stems from what critics say would be the mutually incompatible roles confronting the spy agency. The NSA's primary mission is to eavesdrop on communications and gather intelligence. That puts the agency's emphasis more on covert activities and data collection than on information sharing, which is what is needed to build effective defenses against cyberthreats, according to the critics. Some have also cited what they claim is a tendency by the NSA and other intelligence agencies to designate too much data as classified.
"The main problem with the NSA [leading the cybersecurity effort] is that it would have two roles," said Bruce Schneier, chief technology officer at BT PLC's BT Counterpane security services unit. "One is protecting [systems], the other is eavesdropping, and they come into conflict."
As an example, Schneier pointed to a possible discovery by the NSA of a vulnerability in Windows that would enable the agency to monitor electronic communications. "Do they fix it, or do they exploit it?" he asked.
Schneier also dismissed as disingenuous suggestions that the NSA is the only agency with the skills needed to deal with cybersecurity issues. Many companies and federal agencies can bring the same kind of information security expertise to the table that the NSA can, he argued.
Gartner Inc. analyst John Pescatore said it might make sense to put the NSA in charge of military cybersecurity efforts, but not the ones aimed at the private sector and civilian federal agencies. "As an agency, [the NSA's] strength lies in breaking into networks," Pescatore said. "How to protect networks is not what they do, even for the [Department of Defense]."
Another cause for concern, Pescatore said, is the fact that many of the NSA's activities are top secret, as is how its budget is allocated. "A lot of what they do is appropriately classified," he noted. Even so, the lack of transparency is the "exact opposite" of what is needed on cybersecurity initiatives outside of the military, Pescatore contended. "Securing cyberspace can't be done in a top-down secret mode," he said, because close collaboration is needed between the public and private sectors to do the job right.
Not surprisingly, the NSA and federal intelligence officials have defended the agency's ability to lead on cybersecurity. In testimony late last month before the House Permanent Select Committee on Intelligence, Dennis Blair, who became director of national intelligence in January after being nominated by President Barack Obama, said the NSA has "the greatest repository of cyber talent." While acknowledging that there's a "great deal of distrust" of the NSA and the intelligence community in general, Blair said the agency's capabilities should be "harnessed and built on" to protect both federal and critical private-sector networks.
And the NSA does have its defenders outside of the government. For instance, Alan Paller, director of research at the SANS Institute, a security research and training organization in Bethesda, Md., said that the leadership on the part of the NSA and DOD has been "the only bright spot in a desolate federal cybersecurity landscape." Until recently, at least, most other agencies "were under the thumb of IT industry representatives and a White House that hid from the challenge," Paller added.
Concerns about the NSA's cybersecurity role have been percolating since the Bush administration gave the agency a considerable amount of responsibility for a multibillion-dollar program called the Comprehensive National Cybersecurity Initiative. The CNCI, which was publicly disclosed early last year, is designed to bolster the nation's ability to defend itself in cyberspace. But the highly classified nature of the program and the NSA's role in it have spooked many observers.
With those concerns and Beckstrom's resignation in mind, all eyes are now on a 60-day review of national cybersecurity efforts that was ordered by Obama last month. The review is being led by Melissa Hathaway, who worked during the Bush administration as a "cyber-coordination executive" in the Office of the Director of National Intelligence, a position that put her in charge of coordinating and monitoring the CNCI's implementation.
The DHS currently is in charge of implementing cybersecurity policies across the government -- at least on paper. But its leadership has been slammed as ineffective and inconsistent by critics, including a commission of security industry representatives that was set up in late 2007 by the Center for Strategic and International Studies, a bipartisan think tank in Washington, to develop a set of cybersecurity recommendations for the next president.
In its final report, issued in November, the commission said that a comprehensive approach to cybersecurity "falls outside the scope of DHS's competencies" and called for the lead role to come directly from the White House, through a new centralized cybersecurity office. The DHS dismissed the commission's claims as inside-the-Beltway "political posturing" after members of the commission testified at a congressional hearing last September.
An NSA spokeswoman yesterday referred questions about Beckstrom's resignation and the cybersecurity leadership issue to the DHS, which voiced regret about the planned departure of Beckstrom and defended the government's cybersecurity efforts in a statement sent via e-mail.
"The Department of Homeland Security has a strong relationship with the NSA and continues to work in close collaboration with all of our federal partners on protecting federal civilian networks," the DHS said. The agency added that it's "fully engaged" in Hathaway's ongoing review and that it looks forward to maintaining a "positive working relationship" with all stakeholders in national cybersecurity efforts.