January 5, 2016 – A new report from the Center for Strategic and International Studies recommends a wide range of policy options for the next presidential administration to consider in boosting U.S. cybersecurity, including strengthening the role of the Department of Homeland Security or creating a new agency that would focus on cybersecurity. The CSIS report, which updates a similar effort undertaken in 2009 at the beginning of the Obama administration, said that cybersecurity needs to be an “operational component agency” at DHS, on par with DHS components such as the Coast Guard.
“Cybersecurity is a full-time job and the most important function DHS may have if it is to be more than a border security agency,” the report says. “If DHS is serious about cybersecurity, it should make it a core mission and remove peripheral activities.”
Rep. Michael McCaul (R., Texas), chairman of the House Homeland Security Committee and a co-chair of the CSIS task force that produced the report, today reiterated his recommendation for a reorganization of DHS that would turn its National Protection and Programs Directorate (NPPD) into an operational unit devoted to the protection of critical infrastructure, and his pledge to push for legislation to accomplish that early in 2017.
Legislation that would create the Cybersecurity and Infrastructure Protection Agency within DHS cleared the Homeland Security Committee last year, but was stymied by what Rep. McCaul said were competing interests of other House committees with jurisdiction over cybersecurity. Rep. McCaul said at a press conference today following release of the CSIS report that he has entered into memorandums of understanding with other committee chairs that will help speed progress of the bill. “I am very optimistic that we will see that legislation . . . one of the first coming out of my committee,” he said.
Sen. Sheldon Whitehouse (D., R.I.), who also co-chaired the CSIS task force that produced the report, said today that he supported the proposed organizational changes at DHS, and also called for creation of a “roving inspector general for cybersecurity” that would test the network defenses of federal government agencies.
Among other recommendations, the report said the Trump administration should consider a new international strategy on cybersecurity that will better coordinate policy among likeminded countries, expand measures to deter cyber attacks, and create new and more effective consequences for sponsors of cyber attacks and cyber crime. The report also recommends redoubled efforts to secure the networks of U.S. critical infrastructure sectors including the telecom, finance, and energy sectors. Further on the domestic front, the report suggests creation of a Division of Data Protection within the Federal Trade Commission to focus on data protection and security, and passage by Congress of national data breach legislation.
It also recommends an effort by the federal government to disrupt the business models of cyber criminals, and says the government should consider expanding the current work of the Department of Justice, the FCC, and service providers to combat the use of botnets. And it recommends that the National Institute of Standards and Technology undertake an effort to develop metrics that measure the effectiveness of adoption of its voluntary cybersecurity framework for critical infrastructure entities.
The report further recommends the Government Accountability Office be given a “new review capability” that would “allow for an independent congressional review for federal agency cybersecurity. With new authorities and resources, GAO would be able to provide robust, continuous evaluation of agency cybersecurity, using penetration testing and similar measures.” – John Curran