SAN FRANCISCO β The director of the National Security Agency (NSA) today downplayed widespread concerns about his agency's growing role in national cybersecurity affairs.
Speaking at the security-oriented RSA Conference 2009 being held here this week, Lt. Gen. Keith Alexander stressed that the NSA has no desire to run cybersecurity for the federal government. Instead, the NSA wants to team up with the U.S. Department of Homeland Security in developing and enforcing cyberdefenses for government and military networks.
"I think we need to dispel the rumor" about the NSA wanting to take control of the national cybersecurity agenda, Alexander said. "It's not NSA or the DHS. It is one team for the good of the nation. The DHS has a really tough job. We want to provide them with the technical support" needed to combat threats in cyberspace.
"That is the right partnership," Alexander said.
His comments appeared aimed at allaying concerns that the spy agency had begun exerting too much influence on the domestic cybersecurity agenda. Those concerns bubbled to the surface in early March when Rod Beckstrom, then director of the National Cybersecurity Center (NCSC) within the DHS announced that he was quitting his post after just a year on the job.
In a resignation letter to DHS Secretary Janet Napolitano, Beckstrom voiced concern over what he said were the NSA's attempts to wrest control of the NCSC from the DHS. The NCSC was set up in January 2008 to coordinate cybersecurity and oversee such efforts across the federal government, and Beckstrom was its first director.
In that letter, Beckstrom noted that the NSA effectively "dominates" most national cybersecurity efforts and had sought to move the offices of the NCSC and the National Protection and Programs Directorate to an NSA facility in Fort Meade, Md. Beckstrom warned that allowing the NSA to run national information security efforts was a "bad strategy" because the intelligence culture embodied by the NSA was at odds with the "network operations or security culture" needed to defend government networks against threats.
Beckstrom's sentiments were shared by others in the security industry and the federal government. Much of the opposition to allowing the NSA to take the lead on cybersecurity arose from concerns that that would do little to foster the broad collaboration needed to protect public- and private-sector networks against security threats. Many critics were worried about what they felt would be the mutually incompatible roles confronting the spy agency if it were given leadership of cybersecurity: covert activities and data collection versus the information sharing needed to build effective defenses against threats.
In his speech today, Alexander acknowledged some of those concerns even as he emphasized his agency's mission to help the DHS carry out its own cybersecurity duties. Alexander pointed to the vast technical skills and experience within his agency, especially in areas such as cryptography and intelligence-gathering, which he said are crucial to understanding β and defeating β cyberthreats.
But the NSA director also said that security guru Bruce Schneier was right when, just minutes before Alexander spoke, he told the audience during a panel discussion that "nobody" should be in charge of overall cybersecurity efforts. "A top-down, somebody's-in-charge model is not the right model," said Schneier, who is chief security technology officer at managed security services provider BT Counterpane.
In an interview today, Beckstrom said he was happy to hear the NSA saying that it didn't want to run federal cybersecurity efforts and also encouraged to see a discussion of the question of how much power the spy agency actually wields. He added that agencies such as the DHS, the FBI and even the Department of Commerce, need to get more funds in order to take a more active role on security. "There needs to be a balance of power," Beckstrom said. "I think the budgets are lopsided."
In addition to working with the DHS, the NSA wants to find ways to work with private industry, academia and U.S. allies to build needed defenses, Alexander said. He pointed to the multibillion-dollar Comprehensive National Cybersecurity Initiative launched in January 2008 by then-President George W. Bush as the sort of effort needed to successfully detect, mitigate and respond to network threats.
Robert McMillan of the IDG News Service contributed to this story.