Democratic Sen. Sheldon Whitehouse is proposing the creation of an independent inspector general's office that would actively test the cybersecurity of federal civilian agencies.
The office would be staffed with “red team” operators who could penetrate or “pen test” agency computer networks, thereby providing information about existing vulnerabilities to federal executives.
“Cyber responsibilities are currently spread across 73 different inspector generals and it is not reasonable to expect all 73 of those offices to have adequate expertise and capacity. Indeed, many do no more than to check compliance with minimum standards,” Whitehouse, D-R.I., explained. “A single specialized independent office could both attract world class talent to the government and spur federal agencies in the direction of more effective cybersecurity measures.”
Whitehouse proposed the idea as part of a larger policy recommendation package that he co-authored with Rep. Michael McCaul, R-Texas, and Washington-based think tank the Center for Strategic and International Studies. The recommendations will be offered to the incoming Trump administration, and both lawmakers plan to pursue legislative action laid out in the report.
The proposed 74th inspector general would likely be housed in either the Office of Management and Budget or the Government Accountability Office, Whitehouse said.
“Understanding our vulnerabilities is an important first step in improving our defenses. But we also need to clearly communicate to the American people the seriousness and breadth of existing threats,” said Whitehouse. “An educated public is a democracy’s first line of defense.”
To improve public awareness around cybersecurity, Whitehouse is also encouraging President-elect Trump to designate a “cybersecurity discloser in the executive branch.” The position would be “empower[ed] with broad declassification authority and charged with clearly, constantly and concisely reporting” data about major cyberattacks.
“Information about cyberattacks is reflexively classified making it difficult to report to the public,” said Whitehouse. By making declassification the default approach, Whitehouse hopes that the public will gain a better basic understanding of the challenges faced by federal agencies.
It remains unclear exactly when or if Whitehouse will introduce legislation related to the proposed inspector general's office in fiscal 2017.
“I have not done a survey to see what could be accomplished by executive order versus what can be accomplished by legislation,” Whitehouse said when questioned about next steps. “Chairman McCaul, myself, intelligence committee folks, folks in the House are going to have to look at, I think, a wide variety of options. I think this report provides a very good framework for it.”