Fixing the way the U.S. government buys technology and hires and deploys its workforce is the key to improving the nation’s cybersecurity defenses, not changing the way authorities and responsibilities are divided up between federal agencies, Sen. Mark Warner, D-Va., said Friday.
The fact that the National Security Agency has primary responsibility for defending military networks, while securing civilian networks belonging to both the government and vital private industries falls to the Department of Homeland Security “is just the structure of our government,” he said, on the sidelines of a security conference co-hosted by the Army Cyber Institute.
A more important issue is the way the government buys technology, he added. “In a field that moves as quickly as cyber does, the idea that you’ve got to go through a whole procurement process … By the time you get through a bid process for a solution set, the chances are the problem has … moved on.”
He said it was not just a matter of how long procurement takes. “We need to move away … from the least cost approach to a more flexible purchasing approach that looks at value and looks more in-depth at technology,” he said.
The senator, who co-founded a cybersecurity caucus in Congress in June, declined to comment directly on a call this week by a senior NSA official to get rid of the three-way divide in cyber response between DHS, NSA and the Federal Bureau of Investigation. “By the time we fill out the paperwork that would allow NSA to provide assistance, it’s typically days to a week before we can actually respond,” said Curtis Dukes, the agency’s deputy national manager for national security systems.
But his predecessor at the agency, former chief of the NSA’s Information Assurance Directorate, Dick Schaeffer, disputed that.
“It wasn’t a matter of bureaucracy impeding the speed of the response,” he said, pointing out that “We had legal agreements in place” with FBI and DHS that enabled quick reaction. “It doesn’t take days or weeks or even hours to bring a response to an event. It’s as quick as picking up the phone,” he said.
Even six years ago, when he was at the agency, “We knew what the guidance was … that we could all work together … And I think the situation is even better today,” he said.
“There was a period in recent history,” he said, “when the issue was ‘Who’s in charge?’ I think today [the question is] ‘How do we work together?’”
The amount of time it takes to put teams together might have been a “fair point” a couple of years ago, agreed DHS Deputy Undersecretary for Cybersecurity and Communications Phyllis Schneck. “That problem is independent of policy,” she said, and “something that we’re working on right now” would let them “spin those teams up within minutes.”
During a speech at the conference, former NSA Director and U.S. Cyber Command Commander Gen. Keith Alexander ridiculed the current approach of “incident response” — comparing it to an investigation into a plane crash. “As someone who flies a great deal, I’d like them to learn the lesson about how not to crash in the first place,” he said.
Later he told CyberScoop that the President’s Commission on Enhancing National Cybersecurity — of which he’s a member — was looking at “some things that need to be done about how [the Department of Defense, which houses NSA], DHS [Department of Justice] work together.”
When it came to deploying the power of the military, the administration should “set out the rules of engagement, get Congress to buy in, tell the American people [and] work with our allies,” he argued.
But he added, “Before we talk about organization, we have to talk about how we’re going to operate and make that clear,” urging a more seamless approach.
Warner also said operational posture was key to improving response.
“On personnel, there is expertise on the [civilian] government side,” he told CyberScoop. “The jewel in the crown is the NSA but increasingly as the private sector sees their vulnerabilities — and obviously the private sector can throw a lot more cash at folks — there’s going to be expertise in each of these domains, private, the civilian government side, the .mil side … We’re gonna need to make sure they can work together closely.”