Governing Cybersecurity from the White HouseHow Much Muscle Should Cybersecurity Coordinator Be Given?
"The secretary of defense is not going to take direction from a staffer on the White House staff, except possibly the national security adviser himself, and even then they disagree," Paul Rosenzweig, the onetime deputy assistant secretary for policy at the Department of Homeland Security in the George W. Bush administration, says in an interview with GovInfoSecurity.com (see transcript below).
Rosenzweig, who recently published a paper entitled Cybersecurity, A Complex Web of Problems, contends the federal government needs clearer lines of authority and a more coherent structure of public-private interaction to safeguard government and the critical national IT infrastructure. "That structure should provide for greater and more effective control and coordination of the federal effort," he says. "Though current cyber coordinator Howard Schmidt has begun well, he should become a cyber leader with more directive authority."
In the interview with GovInfoSecurity.com's Eric Chabrow, Rosenzweig discusses:
- Problems Schmidt faces in having dual reports: to the president's national security and economic advisers;
- How the office of a Senate-confirmed cybersecurity adviser could be structured; and
- Reasons why the administration doesn't appear to be as vigorous in pursuing cybersecurity goals in 2010 as it did in 2009.
Rosenzweig is founder of Red Branch Consulting, which provides legal and strategic advice on national security and privacy concerns, according to his Heritage Foundation biography.
He served as DHS deputy assistant secretary for policy and as acting assistant secretary for international affairs. In four years at DHS, he developed policy, strategic plans and global approaches to homeland security, including international rules for data protection. He became a visiting fellow at Heritage in 2010, where he worked as a senior legal research fellow at its Center for Legal and Judicial Studies from 2002 to 2005.
Rosenzweig received his law degree from the University of Chicago Law School; a master in chemical oceanography from Scripps Institution of Oceanography, University of California at San Diego; and a BA from Haverford College.
ERIC CHABROW: In a paper entitled "Cybersecurity, A Complex Web of Problems" that was just published by the Heritage Foundation, you characterized America's cyber policy as confused, unfocused, and disconnected. How so?
PAUL ROSENZWEIG: We have made a lot of progress since say 10 years ago, but we still have a system where essentially there is inadequate direction from the center and at the federal level, at least, all of the departments are kind of going off in their own directions. You know the outsider precedes them as almost at war with each other. Perhaps that is too strong in a sense, but there is a clear sense that there hasn't been a fundamental policy decision or a set of decisions made about how we should manage the federal enterprise for defending cyberspace.
CHABROW: We'll get into some of that in a moment. In your paper you do credit the Obama administration with making a strong start at rationalizing U.S. cybersecurity policies, and although you say the U.S. is better organized now than it was three years ago or 10 years ago, as you just said, you write that the momentum of 2009 seems to have waned in 2010. What happened?
ROSENZWEIG: That is a hard question to answer not being on the inside. I suspect, from the outside, that what happened is an economic collapse, healthcare reform, in two words in Afghanistan and Iraq, which is to say that senior executives in Washington have only a limited bandwidth with in which to deal with significant problems. Though the administration seemed to have come to power with the idea that cybersecurity would be one of those critical pieces that would get a good fraction of bandwidth, circumstances pretty much seem to have shortened that ability. Another thing that I think has happened is the very typical Washington thing, one expects or hopes for greater centralized control probably with our cyber policy and what one perceives from the outside is that in the crafting of a cyber coordinator position in the White House, the degree of actual power that the position got eroded quite a bit and that made the position less attractive and that made it hard to find somebody who wanted the job. There we are.
Dual Masters' Dilemma
CHABROW: Was [Cybersecurity Coordinator] Howard Schmidt doomed from the get go?
ROSENZWEIG: Doomed is a strong word. In Washington, nobody is doomed and nobody is a star. He has a very hard job in front of him, especially populating the White House where they can't quite decide whether cybersecurity is a national security issue or an economic issue. Until that fundamental choice is made, they're not comprised by made to say it's both. You can't settle on an approach to cybersecurity. You have got to take a view, either view actually and I have one I prefer, but I would be happy with either view. Just not no view.
CHABROW: Why can't it be both?
ROSENZWEIG: Because you can't do two things at the same time; you can do some of both, obviously, but fundamentally the imperatives are split. A national security perceptive would be more federalizing, more centralizing, make the government more responsible for the overall protection of the net. A more economic approach is hands off, let the market run, count on private companies to develop the security systems they want and need, and federal government in a minimal role of standard setting kinds of things. The approaches wind up being very different. The mindsets wind up being very different. Who you put in charge of doing it winds up being very different. In national security interest is obviously DoD (Department of Defense). An economic interest is maybe the Department of Commerce, and NIST (National Institute of Standards and Technology) or DHS (Department of Homeland Security.
CHABROW: Could there possibly be parallel approaches if you did, for example, let NIST, or the Department of Commerce where NIST is located, take hold of approaching it from as an economic problem and letting industry come up with solutions as you suggested, but then at the same time letting DoD or the NSA (National Security Agency) worry about the defense?
ROSENZWEIG: There can in theory; my concerns are two-fold. First, it's a major resource constraint. We are doing two things at once is more expensive then doing one thing at once always. And the other is that one strongly suspects that without kind of a direction from the start, at the top, the two approaches will quickly diverge from each other, and they are relatively incompatible, at least in my conception they are. If Mr. Schmidt can pull off doing both and making them work together, then he will be a star. He will not be doomed. He will be the greatest success since the incandescent light bulb or something.
CHABROW: That is interesting, a good challenge for him.
ROSENZWEIG: I don't want to make it easy, right? Edison tried a thousand light bulbs that failed before finding one that works, so I hope that the path to success for Mr. Schmidt is quicker.
CHABROW: Let's talk about what you feel should be the approach the government should take?
ROSENZWEIG: My conception is one that has, as the White House cyberspace review itself said, more leadership from the top. I think that Mr. Schmidt's hand needs to be strengthened. I think that he needs to have coordination effects through a unified cybersecurity budget that kind of spans the departments. I think he should have a role in and dotted line authority over sub-cabinet officials who are engaged in the cyber effort like the head of U.S.-CERT - Computer Emergency Readiness Team - that is part of DHS. Not pulling them out of their department, not changing who they report to on their day to day basis, but the truth of the matter is that the things that drive policy are personnel and budget in this town, and that is just reality.
CHABROW: Is there an example in some other area where a mechanism is set up to do what you just proposed?
ROSENZWEIG: We've tried it twice in recent years with conceitedly marginal success. The Department of Homeland Security and the Office of the Director of National Intelligence are much larger infrastructures that are intended to achieve the same kind of centralizing and coordinative functions with budgetary control. I think everybody would agree that they are a work in progress. I wasn't there in the administration so I don't know all the details, but I've read that back in the Clinton administration they attempted and achieved with much more success something of what I'm suggesting with respect to proliferation initiatives, trying to coordinate counter-proliferation initiatives across the State Department, Department of Defense, etc., and they had a pretty strong centralizing function there. That seemed to have turned out well. It's a mixed bag. I start by asking myself whether the current federal approach is working? Answer, not as well as it should so we need to try something else. Maybe what I'm suggesting is wrong, but the status quo is surely not where we want to stay.
CHABROW: Can the White House do this on its own, or does it need legislation to be able to do what you're proposing?
ROSENZWEIG: Some of it, it could probably do on its own. Some of it would require legislation. It depends how much directive authority the centralizing forces got. So long as it is coordinative, it wouldn't need any authority. Any ordering around would probably require something. For example, the president could direct the Office of Management and Budget to collect into a single unified line item all of the cybersecurity spending in the federal government, or even all the civilian cybersecurity spending in the government so he could see it and he could tell Mr. Schmidt that he wanted his recommendations on how to whack it up and that wouldn't require any change.
On the other hand, if Mr. Schmidt were going to direct movements of monies in accounts, he doesn't have that legal power now and he would need somebody to give it to him before he could do it. You can get 60 or 70 percent of the way there without legislation, and maybe that would be enough. Maybe we wouldn't need the last 30 percent.
CHABROW: And maybe that's all one could get in these days anyway?
ROSENZWEIG: Yes, you know look I'm not at all sanguine; I understand the legislation process is cumbersome and somewhat broken, and I certainly understand it's under the pressure of partisan dynamics that extend way beyond this issue. I mean as far as I can tell, there are no conservative principles of cybersecurity, no liberal principles of cybersecurity, but there are lots of other things out there that make legislating in this area difficult just as a matter of process.
Not Just Power, But What to Do With It
CHABROW: In the approach that you are suggesting, does that matter whether it's an economic approach or a homeland security or national security approach?
ROSENZWEIG: Well, the things that I am suggesting are structural so no they don't matter up front, but if you gave somebody like Mr. Schmidt this authority, he would have to know which way to whack up the money. So you come quickly to the question of okay, centralizing to do what, to what effect, for what purpose? It wouldn't be very useful. It would be a meaningless exercise to do the centralization with no intent to do any rearrangement right? Then, you are just centralizing for the sake of it. Once he has the authority, he needs a policy so he knows what to do with it.
CHABROW: The position itself, should it remain as adviser to the president, special assistant to the president, and not one that would need senatorially confirmation?
ROSENZWEIG: That's a hard question. I suspect that if he is actually going to have as much authority as I would want him to have, he'd have to be effectively cabinet rank to senatorially confirmed and subject to some forms of congressional oversight. You know, the secretary of defense is not going to take direction from a staffer on the White House staff, except possibly the national security adviser himself, and even then they disagree. It's not an easy thing. If we decide to go the whole 100 percent, it would be incumbent upon whatever president there is to seek the cabinet rank for the officer.
CHABROW: Well, we need obviously some kind of congressional action?
ROSENZWEIG: Absolutely. But like we said there are plenty of weigh stations between here and there that you don't necessarily have to get to.
CHABROW: The status quo, what additional risk is that putting on protecting our IT systems, both in government and key national infrastructure?
ROSENZWEIG: The federal efforts to protect infrastructure is being led by default by those who have the greatest current capability. That typically resides within the military, typically resides within NSA. That may actually be the right answer, because they may indeed be the most effective, but there are lots of people, civil libertarians, civilians who don't want to see a militarization of this critical space, who thinks that might not be the right choice. Right now, it's the default choice because they are the most able. But not thinking about it and not planning for it, not deciding in advance whether or not we like that answer, risks us winding up with some place five years from now that we all look up and say "How did we get there, and this isn't really where we want to be."
CHABROW: How optimistic are you that something will be done?
ROSENZWEIG: Guardedly. I think that people recognize that the current structures are not perfect. I participate with relative frequency on panels and studies that are aimed at thinking of better answers, technologically and legally, organizationally, etc. To some degree, my optimism has to be guarded because I think that fundamentally we're talking about trying to impose higher hierarchical structures on a system, the cyber-domain Internet, that is not hierarchical. And so, you got a lot of challenges in doing this, so I doubt that there will ever be a perfect solution. That I'm quite sure of. But government isn't about perfect solution. I know a lot of voters wish it were, but me too sometimes, but in truth, it's about better solutions and we can do better, and I think with some optimism we will.