NSA Dominance of Cybersecurity Would Lead to ‘Grave Peril’
(WIRED) The government’s national cybersecurity efforts would be in "grave peril" if they were dominated by the intelligence community, said Amit Yoran, former head of the Department of Homeland Security’s National Cyber Security Division.
Yoran told a House subcommittee on Tuesday that although the Department of Homeland Security, which currently oversees the government’s cybersecurity efforts, has demonstrated "inefficiency and leadership failure" in those efforts, moving the cyber mission to the National Security Agency "would be ill-advised" due to the agency’s lack of transparency.
Two weeks ago, Director of National Intelligence Admiral Dennis Blair told the House intelligence committee that the NSA should take over government cybersecurity duties, because the agency has the smarts and the skills for the job.
But Yoran, who served at one time as CEO of In-Q-Tel, the venture capital arm of the Central Intelligence Agency, said a cyber program overseen by the NSA would be over-classified and lack adequate oversight and review, which is needed to gain the trust of the public and private-sector partners who will be needed to secure the nation’s infrastructure.
"One of the hard lessons learned from the Terrorist Surveillance Program is that such a limited review can lead to ineffective legal vetting of a program," Yoran said. "The cyber mission cannot be plagued by the same flaws as the TSP."
Yoran’s comments echoed those made by Rod Beckstrom, the DHS’s current cyber chief, who tendered his resignation last week in part over concerns about the NSA assuming a leading role in the government’s cybersecurity plan.
Yoran said the intelligence community’s mission — to collect information on adversaries — is at odds with the mission to secure networks. Faced with a network compromise, the intelligence community would focus on counterintelligence activities targeted at the offender rather than on working with the public and private sector to secure the network.
"Simply put, the intelligence community has always and will always prioritize its own collection efforts over the defensive and protection mission of our government’s and nation’s digital systems," he said.
Yoran also said that the intelligence community’s tendency to over-classify information is anathema to the cybersecurity mission and would likely have "catastrophic consequences."
"High levels of classification prevent the sharing of information necessary to adequately defend our systems," he said. "It also creates insurmountable hurdles when working with a broad range of government IT staffs that do not have appropriate clearances, let alone when trying to work with, communicate and partner with the private sector. Classification cannot be used effectively as a cyber-defensive technique, only one for avoiding responsibility and accountability."
Scott Charney, vice president of the Trustworthy Computing division of Microsoft, agreed with Yoran’s assessment of the NSA during his testimony to the committee.
Charney said that there was no question that the NSA was the government’s center of technical expertise, but that to get the public "to trust that the networks are being secured well in a transparent fashion, the mission cannot reside in NSA."
Instead, he recommended that the DHS retain its lead operational role over cybersecurity but work with the NSA in a way that utilizes the agency’s technical expertise.
Yoran, who currently is CEO of cybersecurity firm NetWitness, resigned from his DHS job after just a year in the position amid speculation that the DHS was not making cybersecurity a priority. Beckstrom expressed similar frustrations in a recent interview about the DHS’s commitment to its cyber mission, following his resignation.
Yoran said DHS had demonstrated "inefficiency and leadership failure" in its cyber efforts and that "administrative incompetence and political infighting" had squandered its efforts to secure the nation’s infrastructure for years.
The hearing was the first of three the subcommittee has scheduled to address the nation’s cybersecurity issues and plans.