Tom Ridge on DHS's IT Security Role
Ex-DHS Secretary Questions Department's InfoSec Breadth, Depth
Tom Ridge, the first Homeland Security secretary, sees the role of the Department of Homeland Security as a focal point for collaboration among the various agencies on cybersecurity.
Proposals from the White House and Capitol Hill would to varying degrees give DHS more sway in developing cybersecurity policy for the civilian part of the federal government, as well as collaborating with industry to create voluntary security standards for the nation's critical IT infrastructure.
Ridge, a former House member and governor of Pennsylvania, says the biggest challenge exists with how DHS can work with private industry in order to advance security needs of both the public and private sector.
"Because ... if you're looking to try to preserve government continuity of operations, the infrastructure that the government relies upon is generally owned by the private sector," Ridge says in an interview with Information Security Media Group [transcript below].
"DHS will have some form of role in trying to collaborate and ensure the exchange of information between the public and the private sector to the benefit of both," he explains.
As far as being prescriptive in directions, Ridge can't see how any agency can identify precise procedures and approaches to managing risk.
"In my judgment, the most effective means of reducing the risk ... is making sure that you have this very robust exchange of information between the public and private sector," Ridge says.
In the interview, Ridge discusses the:
- Critical need for the government and industry to share cyberthreat information;
- Bipartisan nature of the new leaders of the Senate and House Homeland Security committees;
- Prospects for passage of cybersecurity legislation in the just-convened 113th Congress.
Ridge recently was named chairman of the advisory board of anti-malware startup TaaSERA. He also chairs the U.S. Chamber of Commerce's National Security Task Force.
Ridge served in the House of Representatives from 1983 to 1995, leaving Congress after being elected Pennsylvania's governor, a post he held until 2001. He resigned as governor shortly after the 9/11 terrorist attacks, when President Bush asked him to become assistant to the president for homeland security. With the creation of DHS in 2003, Ridge became its first secretary, serving until 2005.
The Role of DHS
ERIC CHABROW: President Obama is going to increase the authority of the Department of Homeland Security to help direct government-wide IT security, at least among civilian agencies. Some on Capitol Hill, such as Arizona Senator John McCain, oppose giving DHS such clout. What's the appropriate role for DHS in safeguarding the government's IT security?
RIDGE: DHS's role in terms of what we're seeing in government security is shared responsibility. Quite frankly, I could argue that among all the agencies they may be assigned responsibility, I'm not quite confident that they have the breadth and depth of experience to oversee what the rest of the federal government is doing. Having said that, I think they can be a focal point for collaboration among the various agencies. The biggest challenge that exists right now is not only the government's relationship with the agency and how they can act with the private sector in order to advance security needs of both the public and private, because, frankly, if you're looking to try to preserve government continuity of operations, etc., the infrastructure that the government relies upon is generally owned by the private sector. DHS will have some form of role in trying to collaborate and ensure the exchange of information between the public and the private sector to the benefit of both.
CHABROW: I'll get to that in a moment. I would just like to expand a little bit more on DHS itself. What should the role be, just as a coordinator among the various agencies, or should it have a little more clout there?
RIDGE: Candidly, I don't know how any federal agency can be prescriptive in terms of identifying precisely the procedures and approaches that the government and/or the private sector takes in order to reduce the risk of malicious malware being embedded and exploited in the system. I think hackers and technology move quicker than prescriptive directions. In my judgment, the most effective means of reducing the risk - and we're just about managing the risk, as you and I know that intrusions are going to continue forever and ever - is making sure that you have this very robust exchange of information between the public and private sector. Horizontal would be public to public, agency to agency, with vertical [being] federal government to private sector and private sector up to the feds.
Public/Private Sector Relationship
CHABROW: Let's talk a little bit about the private sector. I know you testified on Capitol Hill against the government regulating the private sector. But what should that relationship be?
RIDGE: The best example I can relate to is the comprehensive arrangement that the Department of Defense has with several thousand of its contractors and subcontractors, where they have, after they experimented with a pilot program, developed a means by which there's a continuous bidirectional flow of information between their contractors and DOD. I think that's one of the means by which you enhance information sharing and, frankly, you reduce the risk.
Prospects for Cyber Legislation
CHABROW: We're going to need federal law to do that and there are some hang-ups getting that through Congress. What should Congress do and what's feasible legislation that can get enacted?
RIDGE: Frankly, Congress is very close to a solution. You now have two new chairmen. You have Congressman McCaul over in the House side. You have Senator Tom Carper on the Senate side. It's interesting. You've got a Republican and a Democrat, both known to be very practical in their orientation. I think this is one area, in spite of what appears to be bipartisan gridlock, I'm optimistic that sometime during the course of this year we can marry the ideas that frankly are fundamental to the legislation that both chambers offer next year to come up with a solution.
At the end of the day, I think the epicenter of the solution has more to do with information sharing than anything prescriptive, but I think there's a way we can get it done this year, and I fully intend on being as involved as I possibly can because I chair the U.S. Chamber of Commerce Taskforce on Homeland Security, and the past couple of years we've been focused on both supply-chain security and IT. I hope to be involved in that. I'm optimistic. I know both men and I think there's a desire to get something done, and I suspect it will be done.
CHABROW: Do you think the privacy issue will be addressed to get many lawmakers to support the bill?
RIDGE: You're onto something major here. Whenever you're dealing with the digital world, this proprietary corporate information or private individual information, that's an issue that has to be dealt with directly and carefully, but I don't think that's going to be an impediment to the kind of solution that I think government and corporate America is looking to develop.
CHABROW: Would you say the same thing about liability, not providing too much protection, as some critics of some of the legislation have said?
RIDGE: This whole question of liability is a fascinating one to me because there have been people who have written articles who have said, "If some of these software providers were going to be held legally liable because of their failure to embed detection software or other better means of resisting attacks, should they be held liable?" Frankly, I think that will need to be a separate discussion. I think the key point right now is let's start sharing information to combat the hackers and then let's start talking about how we can incentivize the private sector, frankly, to do more and to do better. That is, software that is more resistant to these kinds of attack.
That's where it's a natural lead into TaaSERA, because here's an opportunity for the digital world to, I don't say, necessarily change from the proactive security where they look for signature-based malware, but to do what the intelligence and law enforcement agencies are doing and kind of do it with a little more behavior analysis and anticipation on an attack. That's the kind of innovation that I think government and the private sector longs for and one of the reasons I think TaaSERA has some great market potential.
CHABROW: Do you see more narrowly focused legislation on cybersecurity going through Congress this year than a broad, omnibus Cybersecurity Act?
RIDGE: Yes. I see a hybrid. You probably followed very closely with what was contained in the House bill and the Senate bill. I think much of the House bill, married with about 75 percent or 80 percent of the Senate bill, is a good baseline and gets us about almost all the way there. There are some details to be worked out, but I do see a piece of cyber legislation coming out of the Congress this year.