Analysis: Face of Federal IT Security Leadership
Why DHS, Not White House, Took Lead on RSA Breach Response
When RSA announced last week that it was under a sophisticated attack targeting its SecurID products, inquiries to Schmidt's White House office, the Pentagon and the National Security Agency about how the federal government is responding to the virtual assault and what impact it was having on government IT security were referred to DHS. DHS initially didn't have a response. By late Friday, DHS issued a 119-word statement that provided scant details but said the government was working with RSA on the problem and that federal agencies have been notified about the breach that involved the two-factor authentication product (see DHS Responds to RSA SecurID Attack).
DHS provided the government's reaction to the RSA breach because Homeland Security is responsible for operational responses to cyber incidents in civilian agencies and key private-sector IT systems, said Karen Evans, who served as the de facto federal chief information officer in the Bush White House. The White House, she said, is focused on cybersecurity strategy.
(The NSA, a Defense Department agency, serves as the primary IT security agency for DoD and the intelligence community, while providing its technical expertise to civilian agencies through DHS. The NSA director also serves as commander of the U.S. Cyber Command.)
"It is DHS's job to do the daily work of protecting the cybersecurity of the non-DoD country," said Alan Paller, research director at the SANS Institute, a not-for-profit cybersecurity educational organization. "A more public role by the White House would not be more effective and would probably be counterproductive." Counterproductive? "It would undermine DHS effectiveness by implying that a DHS response is insufficient," Paller explained. "The White House weakens DHS if it makes the press believe a DHS response is insufficient."
Still, the government's RSA response served as the latest example of DHS taking the lead in vocalizing the administration's thoughts on cybersecurity. Last week, at a House Homeland Security Committee hearing on protecting government and key IT infrastructures, the chief government witness to testify was Reitinger, a role he often plays, and not Schmidt (see Experts Question Infosec Readiness). Schmidt doesn't testify before Congress, because like most presidential advisers, he asserts executive privilege to keep confidential his private advice to the president.
Behind the Scenes
That doesn't mean Schmidt's office isn't doing important work or that he's not leading the administration's cybersecurity initiative. "The White House leadership is impressive but it is behind the scenes," Paller said.
And, about every month or so, Schmidt speaks at a public event where he discusses cybersecurity, such as last month's RSA 2011 IT security conference, where he mingled with government and private-sector IT security experts and participated in a panel discussion. Indeed, Schmidt is a premier networker, virtually and in the flesh. He's also engaged with lawmakers privately, sharing the administration's thoughts on cybersecurity legislation. But much of what he does isn't seen by the public.
If legislation before both houses of Congress should become law, the top White House cybersecurity official - a Senate-confirmed director of a proposed Office of Cyberspace - would be required to testify before congressional committees (see Senate Bill Eyes Cybersecurity Reform and House Bill Aims to Reform Federal IT Security). The White House has resisted such a position in the past, but many lawmakers are insistent that such a leadership role be created. Officially, the administration has yet to take a position on these bills, and similar bills failed to get enacted in the last Congress.
Nonetheless, the relatively hushed approach taken by the White House sends a message - whether accurate or not - that it is failing to provide strong leadership on IT security. A poll released last month by GovInfoSecurity.com shows that two-thirds of federal, state and local government IT security practitioners don't believe the federal government is showing sufficient leadership on cybersecurity matters (see Gov't Infosec Pros Question Fed's Security Resolve).
"Leadership starts with having an honest conversation about what is happening in the United States, affecting our long-term strategic posture," said Melissa Hathaway, who conducted President Obama's 60-day cyberspace policy review in 2009. "The lack of engagement by the administration and the executive branch is discouraging."
The RSA breach provided the administration with the opportunity to start a national and international conversation about cybersecurity, said Hathaway, a senior adviser on cybersecurity at Harvard Kennedy School's Belfer Center for Science and International Affairs. "It should have started at the White House and been amplified by all of the affected departments and agencies," she said. "I worry that if the RSA incident doesn't keep our leadership awake at night, then what will?"
Perhaps it is keeping them awake at night, but they're not speaking about it.