By William Jackson
SAN FRANCISCO — Deputy Defense Secretary Ashton B. Carter told the security industry at the RSA Conference that protecting cyberspace is a cooperative effort between the government and the private sector, and that the Defense Department is preparing to play an active role in both military and civilian systems.
The top threat to the DOD is assaults on its military networks. “That’s our problem,” he said. “We know how to deal with that.” But a second serious threat is to the critical civilian infrastructure on which the DOD depends. “We want to play a role in defending that as well,” Carter said.
Carter did not spell out the details of the military’s role in defending civilian systems, but he urged the industry to support pending cybersecurity legislation that would encourage and enable greater information sharing between government and the private sector.
The role of the government in protecting privately owned infrastructure is being debated in Congress as competing cybersecurity bills move through the legislative process. The Obama administration has named the Homeland Security Department as the lead agency for protecting civilian government networks, and it also is the focal point for cooperation with the private sector.
But day-to-day responsibility for agency cybersecurity lies with each agency, and the Office of Management and Budget historically has overseen compliance with the Federal Information Security Management Act. Some of that authority is being delegated to DHS, and agencies are required to report FISMA compliance and security status to the department.
DHS also works with DOD’s National Security Agency in developing security intelligence for use in the civilian sector.
Cooperation with DHS by non-government organizations is largely voluntary, however, and efforts to share sensitive government information with the private sector remain tentative.
Although most legislative proposals would put authority for civilian infrastructure with DHS, there are some who feel that it is a more appropriate role for the NSA because it has decades of expertise in the area and because national security and the economy depend in large part on cybersecurity.
Israeli cryptographer Adi Shamir (the S in RSA), speaking on the NSA vs. DHS debate, said the job of cybersecurity should be left to the experts at NSA.
“I shudder to think that the same guys who are in charge of airport security are in charge of securing the Internet,” Shamir said. “Pretty soon we are going to be taking our shoes off when we enter the Internet.”
Carter’s remarks focused more on cooperation between government and industry than on DOD control, however. The military depends on private-sector innovation for security, and DOD is eager to support this with investments in commercial technology, he said. Although current DOD budget plans call for $500 billion in reduced spending over the next 10 years, cybersecurity is not under the budget ax, he said.
“At no time was it even considered to make cuts in cybersecurity,” he said. The department is increasing cybersecurity spending and is looking for new areas to invest in, he said.
Carter said that security developments are suffering because the IT market currently undervalues security. “This is a mistake,” he said. “I’m afraid events will soon prove this attitude wrong.”