Future of Federal Cybersecurity, Part 1: Interview with Harry Raduege, Co-Chair of the Commission on Cybersecurity for the 44th Presidency
The Commission report issued late last year has been highly touted by IT security leaders, including those in the Barack Obama administration. Among many of its findings, the Commission called for the creation of an Office of Cyberspace within the White House that would address information security concerns. The panel noted that information security is one of the nation's most pressing security problems. Thank you for joining us.
HARRY RADUEGE: My pleasure.
ERIC CHABROW: You recently wrote about the state of the nation's IT infrastructure and I quote, "The stark reality is that the bad guys are winning and our nation is at risk." How at risk are government IT systems and what exactly does that mean in how the government functions?
LT. GEN. RADUEGE: The state of cybersecurity today is grave. When we talk about the type of damage that we are taking on a daily basis, it's actually very, very extreme and we have heavy losses that we are experiencing. Just in the area of cyber crime, we are losing tremendous identities every day to identity theft that is being sold to individuals who are taking great advantage of cyber-criminal activity. And, in fact, a recent study just came out, and this is very recent, it estimates about $1 trillion dollars of intellectual property is stolen each year, and some of the people who are involved in securing the Internet today are noticing that cyber crime actually has escalated by 53 percent over totals from last year. So, with all of this activity in cyberspace, as we refer it, there is a lot of economic espionage that is going on, and also other type of military and criminal activity that is progressing today on the Internet.
ERIC CHABROW: And the Commission's No. 1 recommendation, or at least the first one listed, says the president should state as a fundamental principle that cybersecurity is a vital asset for the nation and the U.S. will protect it by using all instruments of its national power. It's only a few weeks into his administration, but so far are you pleased from what you have heard from President Obama?
LT. GEN. RADUEGE: Yes. He has many things on his plate today but we have been encouraged with the president only being in office for less than a month at this point, the fact that he has already talked about appointing a cyber advisor to himself and also has asked (National Security Agency cybersecurity expert) Melissa Hathaway to stay on with this administration now and perform a 60-day assessment of where we stand in the cyberspace arena. So, I think for all that the president has on his plate today, that's a very strong indication that he has taken cybersecurity and cyberspace as a key national priority.
ERIC CHABROW: The Commission recommends the establishment of an Office of Cyberspace. How would that office function and why is it needed?
LT. GEN. RADUEGE: We felt that all parts of our nation are involved in the requirements of cybersecurity. It permeates everything we do, from our national security to our ability to provide emergency response to our financial and banking institutions and even into our personal lives. So, it is really something that permeates all of our lives, whether they are in business or in our personal lives or in our national security areas.
We felt that we needed to elevate the importance of cybersecurity and have an oversight that was really at a higher level of our government. We have a number of activities and agencies that have key roles on a daily basis in performing cybersecurity responsibilities. Some of those agencies -- the Department of Defense, the Department of Justice, the Department of Homeland Security, the FBI, the intelligence community activities, the Department of Commerce -- all of those activities have key roles, and so someone who would orchestrate and pull all of those responsibilities and key activities together we felt was needed at a higher level and that is why we recommended it in the National Security Council to establish an Office of Cyberspace.
ERIC CHABROW: If you could pick out a few key points from the Commission's report, what would you like to see incorporated in the FISMA (Federal Information Security Management Act) reform that is going on within Congress?
LT. GEN. RADUEGE: The fact that of creating awareness and really education at the congressional level. Our Congress, of course, has lots of hearings, they have lots of guidance that is provided across the federal government, and I think a clearer understanding of the importance of cybersecurity and the key role that cyberspace plays in our nation's security and our economic well being is very important.
So, I believe that the Congress first off, just providing the awareness and education crossing all of the domains that the Congress has oversight of in our federal government, is a key starting place. I think also that they can be very useful in changing regulations and laws concerning proper use of cyberspace.
For example, the FISMA laws, which right now are very much geared toward compliance-based requirements, could be changed to really be more of a risk management approach. We know that criminals and outside activity are rampant throughout our information networks today, so when we talk about the Federal Information Systems Management Act grading our various federal government activities, I think that we should move away from just a checklist type of activity and more into really understanding how our information networks are being protected in an operational state.
ERIC CHABROW: Of course, Congress not only enacts these regulations, they appropriate money. The Commission's report notes that only two-tenths of one percent of the nation's R&D budget is earmarked for cybersecurity research. That's $300 million dollars this fiscal year. Why do you feel that amount is inadequate, what would be a more appropriate amount and how should it be allocated?
LT. GEN. RADUEGE: Well certainly the Comprehensive National Cyber Initiative of the Bush administration actually talked about $30 billion dollars being required to initiate that plan, and I know that at the time Sen. Obama and Sen. McCain, when they campaigned, both thought that that figure might be on the low end and that more needed to be appropriated and marked for cyber initiatives and research and development.
So, I think it is a key requirement that we really take a look with perhaps this Office of Cyberspace that we have recommended creating and the Office of Science and Technology Policy that really puts together a coordinated cybersecurity R&D type of program.
Certainly, there is talk now about the need to re-architect the Internet. We have used it for years and years, we invented it, but today it is still using 1970's and 1980's core protocols. So, that is something that certainly for economic well-being, for benefit of our nation and the world and creation of great technological-type jobs could be an area that we could look at as far as increased R&D and benefits to our nation and our world.
ERIC CHABROW: You have written and I quote, "We must strive to create a cyber culture where cybersecurity becomes institutionalized and paramount in a rapidly changing information technology environment."
Our site, GovInfoSecurity.com, is aimed at serving those in government responsible for implementing and managing information security and protecting employee and citizens' privacy. How do you see their jobs changing as cybersecurity becomes more institutionalized?
LT. GEN. RADUEGE: In my career, I have noticed quite a change in the cyber area. Prior to 1998 -- goodness, I guess that is just a mere 10 years ago -- there was really an ignorance, and I would call it an era of ignorance, about the use of the Internet and cybersecurity and all that was going to develop over the years.
We then went kind of after 1998 into a phase for about a five-year period I would estimate, of awareness. We could see that now there was going to be uses of the Internet that were certainly wonderful, but then there were also things that were going to be less desirable, in the area of fraud and espionage and bad use of the Internet.
And, then we went into kind of a phase three -- what I call an actualization phase -- and I think that is where we are today, where the Comprehensive National Cyber Initiative that was initiated a year ago, changes to some laws, specifically the Identity Theft Enforcement and Restitution Act, and even this Commission that was put together by the Center for Strategic and International Studies, which I took part in, realized the importance of cyberspace and the growing demands and needs for cybersecurity.
We really have gotten to a point in time where I believe we need to move into a fourth phase and that is creating a cyber mindset. And, that is really where we are transforming our government and our industry and our personal lives, to really be aware of the great uses of cyberspace but also the great vulnerabilities and challenges of cyberspace. I would say that in cyberspace, opportunity is really abundant and mistakes are unforgiving and sympathy is nonexistent today.
ERIC CHABROW: So back to the government and the way it can function in this fourth phase of cyber mindset, what has to be done to help government employees develop this mindset?
LT. GEN. RADUEGE: This is why we are recommending in our Cyber Commission Report the creation of an individual that advises the president and has the ear of the president, and from all indications, President Obama is going to follow through with that recommendation of the Commission and also his thought patterns in the past on that.
I think it is very important that we elevate this to a national-level priority, very important that that be realized and I think the president's stating that cyberspace is vital to our national well being is key. Also, the fact that this position could have tremendous influence and impact over the entire federal government and not just in one piece or another or different federal activities take on different levels of impact and awareness of this need.
I think that a coordinator and advisor to the president can bring more stability and long-term education and awareness across our entire government, and make all government employees more aware and educated on becoming better cyber users and create this cyber mindset that I think is critical for our nation's well-being.
ERIC CHABROW: Next time in part two of our interview, Gen. Raduege will reveal who he feels should be in charge of each agency's IT security and will share his thoughts on the government furnishing workers with the latest technology tools while balancing that with providing them a secure IT environment to work in. For GovInfoSecurity.com I'm Eric Chabrow. Thanks for listening.