Czar Prospect Offers Cybersecurity Vision
DHS, NIST Play Key Roles
In testimony before the House Committee on Science and Technology's Subcommittee on Technology and Innovation, the Microsoft corporate vice president of trustworthy computing provided details on a plan to exploit complementary capabilities at the Department of Homeland Security and the National Institute of Standards and Technology to create what he called a "hybrid model for information security that improves security across the federal enterprise and fosters agility to counter ever-changing threats."
And, in discussing the relationship between government and business to jointly safeguard federal IT systems and the nation's critical IT infrastructure, Charney offered astute observations on such a challenge. "Early efforts on partnership focused on information sharing. The problem is that information sharing is not an objective, it's a tool," he said. "You share information so you can do something. Sharing information just for the sake of sharing information doesn't make any operational change that makes security better. So, the first problem was the wrong focus, focus on sharing instead of action."
Charney - who co-chaired the highly respected Center for Strategic and International Studies Commission on Cybersecurity for the 44th Presidency - hasn't publicly said he'd take the White House post if offered. During the hearing, Committee Chairman David Wu, D-Ore., and ranking minority member Adrian Smith, R-Neb., were deferential to all witnesses but seemed to focus more attention on Charney than on the others. And he didn't disappoint, showing his wide knowledge of the challenges facing the government in securing IT.
Hybrid Cybersecurity Model
In his testimony, Charney said some elements of cybersecurity are common throughout government, such as developing IT security plans and implementing the Federal Desktop Core Configuration, which requires that purchased PCs and laptops be preinstalled with specific security controls. Yet he pointed out how diverse the various components of the federal government are from one another in terms of functions and systems. "A fully centralized model for managing security will not work," he said. "Each agency has a unique security paradigm with different threats, so each agency needs to manage its own risk."
Still, he said, if some security controls should be applied uniformly across the government while other controls need to be tailored to specific agencies' missions and risks, then a hybrid model must be fashioned. Such a model, he said, would include a centrally managed horizontal security function that provides a foundation of governmentwide policy, standards and oversight, as well as vertical security functions resident in individual agencies to manage their own risks.
In this hybrid model, Charney said, DHS and NIST would provide the horizontal function, and individual agencies would provide the vertical functions. DHS would develop minimum baselines for security and work with the standards community where appropriate. It also would develop processes to foster implementation of best practices that exceed the minimum standards, so federal agencies can more quickly achieve higher levels of security when necessary to address their own unique risks. Under the plan he outlined, NIST would create governmentwide standards to help agencies meet the security control policy set by DHS.
Each agency would be responsible for assessing its risks and implementing effective management controls, configuring and patching systems, building effective incident response capabilities, identifying and detecting unauthorized access, testing security controls regularly, auditing for compliance and implementing security changes.
Charney said this plan has many challenges. NIST needs more funding for its Computer Security Division to continue its focus on standards. "With greater resources," he said, "NIST will make a more dramatic impact on the cybersecurity of the computing ecosystem."
The Microsoft executive noted that DHS has struggled without a strategic plan for cybersecurity, resulting in an unfocused approach to IT security that wasn't optimized for effectiveness. "The lack of a cohesive vision was exacerbated by constant changes in leadership, lack of personnel, and inadequate funding for its mission," he testified. "Moving forward, DHS should develop a strategic vision and look to build on its strengths in partnership, information sharing and growing security capabilities to function in the horizontal role."
Government-Private Sector Cybersecurity Partnership
Efforts in the 1990s to develop a partnership between the federal government and the private sector to secure critical IT suffered because the two sides focused on information sharing and not on the end goal of information security, Charney told the lawmakers.
Another problem was the government's attitude to either share information with all business partners or none. "Government has been concerned, for understandable reasons, about not playing and picking favorites in the marketplace," Charney said. "It often took the view that it has to share with everyone or no one. And, of course, when you share a lot of information about vulnerabilities, threats and risks too broadly, you actually make the problem worse, and if you share with no one, then there's nothing."
Charney said the government must decide which party can take action on the information, and then share it with that organization, and "not worry so much about sharing with everyone or no one because that's not a productive model."
The government-private sector partnership never had the right philosophical underpinning, he said, adding that markets deliver some level of security: customers demand it, and markets deliver it. But markets don't always provide the level of security the government needs for public safety and national security. "Markets aren't designed to do national security. You cannot make a market case for the Cold War," he said. "In those situations, the government steps in and does things."
Charney said the proper basis for a government-private sector cybersecurity partnership is to determine how much security the marketplace can provide - "and a little more, because companies do have a sense of corporate responsibility; they do care about public safety and national security" - and ascertain what level of security the government seeks.
"The key is filling the gap between what the market would provide and what the government sees as necessary, and there are a lot of ways to fill that gap," Charney said. "Acquisition regulations are an example to drive the market in a particular direction, regulations, standardization. There are many ways to fill a gap: tax incentives. So, the real key, and I think is the basis of the partnership, is to focus on meeting the requirements that span from between where markets are and governments want, and figure out the right way to incentivize the right behaviors so the products take you where you want to go."
Public-Private Cybersecurity Expertise
If Obama is seeking what he calls a cybersecurity coordinator who's not only knowledgeable in IT security matters, but has extensive government and private sector experience, Charney is eminently qualified.
As head of Microsoft's trustworthy computing office, Charney heads a group that ensures products and services uphold the company's security and privacy policies and oversees corporate efforts to address critical infrastructure protection, network security and industry outreach about privacy and security. Before joining Microsoft in 2002, Charney led PricewaterhouseCoopers' cybercrime prevention and response practice.
In the 1990s, Charney served as the chief of computer crime and intellectual property in the criminal division of the Justice Department, helping prosecute nearly every major hacker case in the United States from 1991 to 1999. He co-authored the original Federal Guidelines for Searching and Seizing Computers, the federal Computer Fraud and Abuse Act, federal computer crime sentencing guidelines and the Criminal Division's policy on appropriate computer use and workplace monitoring.
According to his Microsoft biography, Charney also chaired the Group of Eight nations' Subgroup on High-Tech Crime and served as vice chair and head of the U.S. delegation to an ad hoc group of experts on global cryptography policy for the Organization for Economic Cooperation and Development. In addition, he was a member of the U.S. delegation to the OECD's Group of Experts on Security, Privacy and Intellectual Property Rights in the Global Information Infrastructure.
Charney also served as an assistant district attorney in Bronx County, N.Y., where he later was named deputy chief of the Investigations Bureau. In addition to supervising 23 prosecutors, he developed a computer-tracking system that was later used throughout the city for tracking criminal cases.