Lauding the President on Cybersecurity
Harry Raduege Still Has High Expectations for Administration"The administration has done more than any previous administration to secure cyberspace and should now work with Congress ... to create a comprehensive approach to addressing this very important issue for our nation," Harry Raduege says in an interview with Information Security Media Group's GovInfoSecurity.com (transcript below).
Raduege's remarks come days after the commission issued its last report, Cybersecurity Two Years After (see Cybersecurity Takes Second Place to More Immediate Concerns), which updates its initial study issued weeks after the November 2008 presidential election. The 2008 report served as a blueprint for Obama's Cyberspace Policy Review and a number of cybersecurity bills introduced in Congress.
Raduege, a retired Air Force general who once ran the military's IT system, points out that various federal entities - departments of Defense, Homeland Security and State, the FBI and Office of Management and Budget, to name a few - have in the past year pursued their own IT security initiatives. "We just feel that the fact that as we move forward we need an overarching strategy to pull all of that together to be in a better position to address these complex and fairly comprehensive issues that are facing us today," he says. Addressing the new report, Raduege also discusses:
- Why, despite the hard work of the administration, the commission sees progress on cybersecurity as being insufficient.
- How far the government should go to regulate business in cyberspace.
- What needs to be done for the administration to provide leadership in the government's cybersecurity effort.
Raduege, interview by GovInfoSecurity.com's Eric Chabrow, is chairman of the Deloitte Center for Cyber Innovation. He served in the military for 35 years, retiring as an Air Force lieutenant general. At his retirement, he was director of the Defense Information Systems Agency. Prior to his DISA assignment, Raduege directed command and control systems for North American Aerospace Defense Command, U.S. Space Command and Air Force Space Command. He also served as the chief information officer for all three commands as well as the architect for computer network defense and attack capabilities established within the Department of Defense.
Complexities of Cybersecurity
ERIC CHABROW: The new report states that there has been progress in the past two years in almost all the areas the commission identified as being critical, but in no area has the progress been sufficient. How so?
GEN. HARRY RADUEGE: Well, as you know Eric, cybersecurity is very, very complex and much of our discussion still remains today wedded to ideas that developed when the Internet was smaller, largely American, and much less important for our economic life. This administration has done more than any previous administration we believe to secure cyberspace and should now work more with the Congress, where both the Senate and the House have made cybersecurity a priority to create a comprehensive approach to addressing this very important issue for our nation.
CHABROW: The new report had 10 recommendations. The first one talks about a coherent organization and leadership for federal efforts for cybersecurity, a recognition of cybersecurity as a national priority. What needs to be done to fulfill that objective?
RADUEGE: While the Cyberspace Policy Review in May 2009 provided a framework for a comprehensive approach, we really, as a nation, still lack an integrated national cybersecurity strategy. Although we understand that a strategy is being developed, individual agencies like Department of Defense, Department of Homeland Security, Department of State - also the Office of Management and Budget, FBI, Department of Commerce, -- have made cybersecurity a high priority and started their initiatives. Each one of them have their initiatives; however, an effective strategy would set specific objectives that would be drawn from our first report in 2008 and the 2009 Cyberspace Policy Review and then set timelines and responsibilities for achieving those. We think that those are the areas that we could be best moving ahead as far as leadership and recognizing cybersecurity as a national priority.
CHABROW: Does recognizing cybersecurity as a nationally priority require a stronger presence in the White House than what we have now which is a cybersecurity coordinator?
RADUEGE: It certainly could be an area that could be beefed up. In fact, our initial report recommended that a cybersecurity coordinator or cybersecurity-responsible individual in the White House would have a staff dedicated to him to move these important objectives forward. We feel that this could advance the areas that we see as important in our report.
CHABROW: Perhaps the kind of position is in Senate legislation that calls for a Senate-confirmed cybersecurity director?
RADUEGE: That is one important consideration that we are all looking for, and to see what decision is made in that regard. But again, I believe that Howard Schmidt has done an absolutely incredible job as a cybersecurity coordinator trying to manage and coordinate all of the various activities. Not only from his chair in the National Security Council, but also in his chair with the National Economic Council. And, of course, thinking of Howard Schmidt, and what he has to do as far as responsibilities as a cybersecurity coordinator across the areas of government, industry and then also reaching into far domains of foreign policy and foreign leadership, he has a lot on his plate to do.
Job Limitations Found In the Title
CHABROW: But many would argue he may not have the authority to do things because of the way the position was created?
RADUEGE: That is reflected by the terminology of his duty title as a cybersecurity coordinator, and the fact that many of our activities and agencies within the federal government have made cybersecurity a high priority and started their own initiatives.
For example, the Department of Defense has stood a U.S. Cyber Command. Homeland Security has opened the National Cybersecurity and Communications Integration Center, which is the DHS Web Watch and Warning Center. The Department of State is taking some steps forward and also with Secretary Clinton's speech about a year ago on our Internet policy. OMB has had significant revisions to the Federal Information Security Management Act, FISMA, to create a more dynamic and automated assessment of agency security. There are a number of activities that are decentralized that are moving forward with their own initiatives. We just feel that with our cybersecurity commission and our review that the fact that if we move forward with an overarching strategy to pull all of that together, we would be in a better position to address these complex and very comprehensive issues that are facing us today.
CHABROW: One of the complaints about IT in the past was that things were stove-piped, each agency doing its own thing, irrespective of what's going on elsewhere. Is that a threat to IT security today or not?
RADUEGE: In many regards, stovepipe activities can lend (themselves to) security. However we have a policy of sharing information and going across these various stovepipes. When we talk about the issues of opening up and sharing information more, and cloud computing, this really gets into areas that cybersecurity becomes even more a critical element.
CHABROW: The new report recognizes the need for some regulation of cyberspace. What would be appropriate regulation and what would be inappropriate?
RADUEGE: Our recommendation in our first report was that we need a new cooperative approach to regulation in four essential infrastructure sectors. As a reminder we define those four essential critical infrastructures as national security, energy, banking and finance and telecommunications. We still believe, at the commission, that this is the best way where regulation needs to impose the lightest possible burdens but be flexible rather than prescriptive, and be developed in partnership with industry. Those are very important considerations for any future regulation.
CHABROW: If regulations are needed, is the atmosphere in Congress such to enact them?
RADUEGE: The atmosphere is growing as far as awareness in the Congress. I know that two of our cyber commission co-chairs, Congressman Jim Langevin and Congressman Michael McCaul, started the cybersecurity caucus in the House of Representatives several years ago to raise awareness on Capitol Hill, and I think that has been very instructive and it's been very successful in raising the awareness. In fact, the last count that I had was that we had 54 pieces of draft legislation for consideration, so I think this shows that the Congress is becoming much more aware of the significance of cybersecurity and the far reaches of cybersecurity throughout every sector of our government.
CHABROW: And just to clarify, I would assume that those 54 pieces of draft legislation that was introduced in the 111th Congress and many of those would need to be reintroduced this year?
RADUEGE: Yes, that's true.
Reviving the Cybersecurity Debate
CHABROW: This new report the commission came out with concludes that cybersecurity debate is stuck. What should President Obama do to revive that debate? P
RADUEGE: The president has taken a strong approach with his cybersecurity coordinator, Howard Schmidt. Frankly, this administrator has done more than any previous administration to secure cyberspace, and now the work should go on with the Congress, both on the Senate and House side, to make cybersecurity a distinct, national priority and to create this comprehensive approach.
President Obama has become very aware of the critical nature of cybersecurity through the flourishing black market area of cybercrime and the cyber espionage that we are being plagued with today. With that, the president certainly has the background and the interest in how important cybersecurity is. Let me just mention that probably with our 2008 report, the 2009 Cyberspace Policy Review, 2010 probably should have been the year of cybersecurity for our nation where we were more secure, but consider what really happened and I think these are some of the events that specifically caught the president's attention and the administration's attention.
First off, we saw a loss of data from Google and other Fortune 500 companies. We saw the Department of Defense describe how its classified networks had been compromised. We realized that Stuxnet worm had cut through industrial control system and a number of nations across the world. There was also denial of service attacks that were associated with WikiLeaks. As a nation, we must do more to reduce this risk and we must do it soon. Cyberspace has really become this critical challenge for national security, economic stability and propriety for our nation.
CHABROW: Listening to you, despite these problems that we saw this past year and lack of action, at least by Congress, enacting significant cybersecurity reform, do you feel that maybe those who are critical of the president's commitment to cybersecurity that he is getting a bum rap?
RADUEGE: We've seen more attention that has been placed on cybersecurity. You know I'm reminded of the fact that our cybersecurity commission report was issued just prior to the president taking office. And he wasn't in office more than 30 days before he actually launched the 60-day national cybersecurity assessment that was conducted by Melissa Hathaway, and Melissa and her team went to work and dedicated a full 60 days and nights to writing a very comprehensive report to the president, which then culminated in the resident's speech on May 29, 2009, with a published report being the Cyberspace Policy Review.
Our nation really got out of the chocks early as far as identifying cybersecurity as a very important and critical element for our nation's security. The fact is that Howard Schmidt was later appointed, unfortunately it took quite a number of months before we found the proper person to put into that position. Howard Schmidt went to work for the administration as a cybersecurity coordinator (in January 2010), with about 24 different actions that he was responsible for from the Cyberspace Policy Review. We sort of got out of the chocks early on cybersecurity. We identified a proper framework and a number of items, 10 in the near term and 14, as I recall, in the mid term that we wanted to try and take care of as far as national priority, and, then with our cyberspace coordinator being appointed, to try and put all that together. However, that is an awful lot of work for one individual and a very, very small to try and accomplish. Howard should be given a lot of credit for all that he has been doing, but I think we need to step up our approach to this and our efforts as a nation.
CHABROW: So in other words, you think the president is doing a good job. He just needs to do more of it?
RADUEGE: Correct.