Rep. David Wu Takes On His Allies: Conversation with the Chair of the House Technology & Innovation Subcommittee
Wu chairs the House Science and Technology's Subcommittee on Technology and Innovation, which provides NIST oversight, and sees the dissemination of cybersecurity best practices developed by NIST as a resourceful way to safeguard IT. "Eighty to 90 percent of cybersecurity issues can be addressed with existing technology if people just apply the right procedures and use the proper technologies which are available today," the Oregon Democrat said in an interview with GovInfoSecurity.com (transcript below).
In a wide ranging interview, Wu outlines the additional cybersecurity responsibilities he'd like NIST to receive. He also discussed:
- Why he favors the elevating NIST's Computer Security Division to a laboratory despite the objection's of NIST's top executives.
- An ill-fated reorganization plan of NIST's IT Lab.
- Characteristics of a cybersecurity "czar" who has more muscle than proposed by President Obama.
GovInfoSecurity.com's Eric Chabrow interviewed Wu.
Wu is finishing his 11th year representing Oregon's First Congressional District, which covers the northwest corner of the state, including parts of Portland. A native of Hsinchu, Taiwan, Wu is the first Chinese-American elected to the House of Representatives.
Before his election to Congress in 1998, he was a lawyer, specializing in high-tech law.
Wu holds a bachelor of science degree from Stanford University and a law degree from Yale Law School.
ERIC CHABROW: The Cybersecurity Enhancement Act is a bill you co-sponsored that is before the full House and it would add new cybersecurity related responsibilities to National Institute of Standards and Technology. How do you see NIST's role as changing?
DAVID WU: There are at least three ways in which NIST's role will either increase or change. One is the development of technical standards and other, if you will, high-tech approaches to cybersecurity. A second is cooperation in international arenas, which is one of the important areas to develop. And a third is an education and best-practices campaign to be developed by NIST and promulgated through the Manufacturing Extension Program, which is run out of NIST, and that is to disseminate better practices. What we have found is that 80 to 90 percent of cybersecurity issues can be addressed with existing technology if people just apply the right procedures and use the proper technologies which are available today.
You know you can improve driving safety a lot if you just use the seatbelt and the equivalent in computer technology is using the processes which are available today; in essence using the safety belts for cybersecurity.
CHABROW: This fall, you chaired a hearing in which you said NIST has created some great guidance but it is not necessarily in a language that everybody would understand. Is that what you are talking about here?
WU: That is part of what I am talking about. There is guidance, and it needs to be in language which is understandable to a broad range of computer users of a broad range of expertise in computer technology and language. But the other piece of it is the dissemination of that knowledge and language. We envision that the (NIST) Manufacturing Extension Program (Partnership) can do a lot of outreach. That is MEP's job anyway, to disseminate best practices in manufacturing and in business practices and I think that an important part of sound business practice is cybersecurity, or if you will, computer hygiene.
CHABROW: With these additional responsibilities, is there going to be additional funding?
WU: That is subject to appropriation and I certainly hope that there will be.
CHABROW: In August, the director of NIST's Information Technology Lab, Cita Furlani, outlined a proposed reorganization of a lab with the aim of enhancing NIST's research on cybersecurity. Under her plan, the head of the labs Computer Security Division would have been relocated to her office and she contended that the reorganization would help encourage a more multidisciplinary collaboration with other NIST units in developing cybersecurity programs and guidance. And, as you know, before your committee in October she announced that she was withdrawing that plan as some stakeholders within NIST complained that it would weaken the process to develop cybersecurity processes. Some of the witnesses that have testified before your committee have suggested that perhaps even the Computer Security Division should become its own lab. What do you think about all this?
WU: The reorganization at NIST has been put on indefinite hold and I support that indefinite hold indefinitely. I think that we do need to consider elevating the Computer Security Division to laboratory status at NIST.
CHABROW: Why so?
WU: It is a very important field and it deserves the profile and the increase in access both to senior management and to resources.
CHABROW: Is there anything as Congress that you could do to encourage them to do that?
WU: We can mandate it, but I think it is better to have the agency come to a more subtle rearrangement of the pieces. We will see what they do.
CHABROW: I spoke with Patrick Gallagher a few weeks ago, the new NIST director, and he was very supportive, not necessarily of the new plan to reorganize the IT Lab, but the idea that they were being active about looking into that. He suggested that adding labs isn't necessarily the way to go. In fact, he said that he may think about, if it looks logical, to even consolidate some labs.
WU: Pat is very smart, very hardworking. He is a career person at NIST and he knows that agency. He knows that there is very strong interest in elevating the status of the Computer Security Division. I don't think he disagrees with that at all, but I do think that he believes that some of the divisions at NIST are organized in some ways along, if you will, old economy lines and we ought to be looking at some reorganization based on, if you will, new economy lines.
CHABROW: Not just looking at the Computer Security Division but NIST as a whole, it's been what about 20 years since it has had a major reorganization and it is time for it to look at the entire picture?
WU: Well, Pat is relatively new and I do want to give him an opportunity to settle into his new position. Now, he has been at NIST I think his entire career, and he has some strong thoughts about how the agency might improve from its very good status today. I would want to see what type of proposals he comes up with. I know that he has some pretty thoughtful ideas about it.
CHABROW: Is this on the agenda for your subcommittee next year?
WU: It is.
CHABROW: In a year or so, what would you like to see NIST look like and what responsibility should it have concerning information security?
WU: As for overall NIST organization I do not want to prejudge or jump ahead of anything that Pat has in mind. It does make sense to have some remixing of the different functions at NIST to better reflect the current economic and industrial reality.
In terms of cybersecurity, a year or two down the pike I hope that we are much more involved in international cybersecurity issues and well represented by NIST in those forums. There are some difficult cybersecurity issues that NIST has the expertise to solve, whether that is in identity management issues or in interoperability issues.
The arena, which I think has the most opportunity and is in essence the low hanging fruit, is developing education and knowledge dissemination program so that people in the public and private sectors are much more aware and much more willing to take the steps to implement existing security standards, existing security technology. The estimates are that will gain us 80 or 90 percent of what we need to do to have effective cybersecurity and I think that we should pick that low hanging fruit and do so sooner rather than later.
And finally, I would like to either give up on the concept of a cybersecurity czar, or have a cybersecurity czar with real authority and with at least some budgetary influence. I think what we have had in the last while is not a cybersecurity czar but a cybersecurity eunuch. If you look at the record, we have had a series of resignations and very little bureaucratic influence and very little budgetary authority. If we are going to have someone, we don't need a cybersecurity eunuch, we need someone who has a little bit more oomph to get the job done.
CHABROW: Sort of in align with what the Commission for 44th Presidency outlined: an Office of Cyberspace in the White House?
WU: That is one set of approaches, yes.
(The interview occurred before President Obama named Howard Schmidt as cybersecurity coordinator.)
CHABROW: There is a lot of concern because President Obama hasn't named someone in nearly seven months as cybersecurity coordinator, do you have any sense why it is taking him so long or why he hasn't named a cybersecurity coordinator yet?
WU: This administration has generally been careful in making its appointments and I do not begrudge them the opportunity to be careful in their selections.
CHABROW: Although I am wondering whether they just can't find someone to fill the job the way that it is currently positioned.
WU: It doesn't help for me to speculate.
CHABROW: Just to make it clear, you are saying either give this person real authority and you would like to see this person if they are given authority be within the White House?
WU: I am flexible on organization.
CHABROW: But if they are not going to do that then just do nothing, or what would the alternative be?
WU: I think NIST has been a very capable agency and is fully capable of taking a leading role in this.
CHABROW: So, just in other words, use the current processes out there with NIST coming up with what it feels are the best guidance and through the Office of Management and Budget try to make sure the agency is compliant?
WU: It is not my preferred alternative, but it is better than having a cyber eunuch in place and hoping for good things and again being disappointed.