W.H. Cyber Office QuestionedConcern Over Lack of Oversight Raised
Several bills before Congress, including a measure to be introduced Tuesday to reform the Federal Information Security Management Act, call for the creation of an Office of Cyberspace that would establish policy and coordinate information security across the federal government. White House cybersecurity advisor Melissa Hathaway, in a speech last week before the RSA Conference, strongly suggested the need for such an office.
But Sen. Susan Collins, R.-Maine, ranking member on the Senate Committee on Homeland Security and Governmental Affairs, said establishing such a White House office could limit Congressional oversight on cybersecurity. Instead, she said Congress should consider leaving much of the coordination of federal civilian cybersecurity to the Department of Homeland Security.
Because of the separation of powers, Congress is limited on compelling White House officials to testify before its committees, a constraint that doesn't exist with officials from cabinet departments and agencies. "We have to proceed carefully so we don't create a whole new round of turf battles and inadequate Congressional oversight," Collins said at Tuesday's committee hearing on cybersecurity.
Stewart Baker, former Homeland Security assistant secretary for policy, testified that creating a cybersecurity office within the White House wouldn't necessarily speed up the government's increased response to cyber attacks as it would go through the growing pains of any new organization.
Supporters of a White House cyber office point to failures within existing agencies in addressing cybersecurity as a reason to create a new organization, Baker said, adding that supporters have an idealized vision and unrealistic vision of that new group. "Since the whole point of the new organization is to cure the failings of the old organization, I think it's fair to say that the proponents of change never imagine an understaffed, overworked agency that drops balls," Baker said. "More or less by definition, an organization that does not exist does not have any flaws. So there's a great temptation to give this new organization great responsibility. After all, the old agencies have sometimes failed, and the new agency has not."
Baker conceded that Homeland Security's execution of its cybersecurity responsibilities in the past have not been perfect, but the department has spent much of the past year improving its record. "It has able new leadership and a head start on creating the capabilities it needs," he said. "I would be inclined to build on that foundation rather than starting over."
James Lewis, a senior fellow for technology and public policy at the Washington think tank, the Center for Strategic and International Studies, said a major reason previous administrations have failed to secure the nation's digital infrastructure was divided responsibility among many agencies and White House offices. "Our opponents exploit these divisions," he testified.
"In the previous administration," Lewis said, "the White House assigned DHS the lead role for cybersecurity, but this was beyond its competencies. DHS is not the agency to lead intelligence, military, diplomatic or law enforcement activities. This does not mean that DHS does not have an important role; however, and properly scoping the role and responsibility of DHS and then providing adequate resources for those responsibilities is an urgent task for this administration."