Exit Interview: DHS's Bruce McConnellA Top Cybersecurity Leader Assesses Tenure at DHS
In his four years as a top DHS cybersecurity policymaker, Bruce McConnell learned that to build trust with the public, the federal government must be more transparent in the way it approaches security and privacy.
And building trust through transparency is more important than ever in the wake of the Edward Snowden leaks at the National Security Agency (see Edward Snowden is No Daniel Ellsberg), says McConnell, who stepped down earlier this summer as acting deputy undersecretary for cybersecurity in the Department of Homeland Security's National Protection and Programs Directorate.
Now that information is starting to be declassified, the general guidelines of the program are being discussed, which McConnell says is "healthy."
Similar to talks surrounding the nuclear age in the 1950s and 1960s, cyberspace is an area where consensus needs to be built, McConnell says in an interview with Information Security Media Group (transcript below).
"We need to expose those questions to the American people and build a consensus around what's appropriate for governments to do, how we want to balance the security and privacy pieces," he says. "For all the bad things that have or may happen because of these disclosures, as the president says, Americans should welcome the debate, and it's a good thing from that standpoint."
In the interview, conducted days before his departure from DHS, McConnell discusses the:
- Impact of a politically dysfunctional Congress, which hasn't enacted significant cybersecurity legislation in more than a decade (see Piecemeal Approach to Cyber Legislation);
- Cybersecurity framework being developed by a government-industry partnership that will create IT security best practices that the owners of the nation's critical infrastructure can adopt voluntarily (see Cybersecurity Framework Discussion Draft Issued); and
- Need to create global institutions to improve Internet security governance (see Diplomat: Security, Openness Can Co-Exist).
In the second part of the interview, McConnell discusses the challenges the government faces in establishing programs for sharing cyberthreat information (see Can DHS Be Trusted to Protect Gov't IT?).
McConnell, who spent most of his four years at DHS as senior counselor for cybersecurity, is joining the EastWest Institute, a global think tank focused on security. Before working at DHS, he served on the Obama-Biden presidential transition team, working on a variety of information policy and technology issues. During the first eight years of the millennium, McConnell worked as a consultant. In 1999 and 2000, he coordinated year 2000 computer remediation programs for 120 nations.
As chief of information policy and technology in the White House Office of Management and Budget from 1993-1999, McConnell led the government-industry team that reformed U.S. encryption export policy, created an information security strategy for government agencies, redirected government technology procurement and management along commercial lines and extended the presumption of open government information onto the Internet.
ERIC CHABROW: Allan Friedman of the Brookings Institution says your thinking was ahead of its time. "McConnell's position on cybersecurity has remained largely unchanged while the world around him slowly converged on him." Is it true that people came to your thinking? If not, how did your thinking evolve about cybersecurity over the past four years?
BRUCE McCONNELL: My thinking has remained consistent on a couple of points and probably has changed on a couple of points. The continuity includes the importance of remembering that cyberspace is a civilian space. It's a marketplace; it's a neighborhood; it's a schoolyard; it's a playground. Whatever we do to secure it, we need to do that in a way that retains its essential nature - its vibrancy, openness and innovation - while maintaining resilience and peacefulness in the space. I think that has stayed consistent. The other thing I continue to believe even more strongly is that security takes a village. Cyberspace is a global village. It's not just one agency, not even one government. It takes companies, individuals, governments and citizens around the world, and multinational corporations to make it work. Those two things have stayed the same, the civilian space and it takes a village.
I think what's changed is a better appreciation for how important it is to bring in the private sector - private sector technology, private sector solutions. One example of that at DHS was when we moved away in the Einstein program from using government-furnished technology to basically adopting commercial solutions to provide the network defense for the .gov domain.
CHABROW: For those who may not be familiar with Einstein, why don't you just take a moment to explain what it is?
McCONNELL: Einstein is a program that DHS sponsors to keep the .gov [civilian agencies network] secure. It's a network defense program. It uses intrusion detection and intrusion prevention on the .gov network to block bad things from coming in and stop good things from going out to the wrong place. One place my thinking has evolved is the importance of use of private-sector technology in providing solutions in that.
The second thing, if I were to think about it, is the idea that the importance of linking security and privacy. One of the things that's interesting at DHS is that every system that handles personal information faces the public and has an unclassified privacy impact assessment that has been published and you can look it up. It's possible to link privacy and security by the use of transparency, and I think my thinking has become more nuanced on that point and that it's really important to keep those two things together.
Voluntary Best Practices
CHABROW: Let's take those two concepts that you just brought up, first relying more on the private sector and speaking of the village, which involves government, the private sector and individuals as well.
McCONNELL: The netizens.
CHABROW: Exactly, the netizens. Right now, the administration is creating a cybersecurity framework aimed particularly at protecting the critical infrastructure. Of course, there's been a lot of resistance against government regulation, and this is something that business could voluntarily adopt once it's completed. Is that really the right way to go, or are there circumstances when you need to have more forcefulness from the government?
McCONNELL: You're right. The cybersecurity framework is a premier effort right now that the government is hosting, but it's really private-sector led to develop a way of thinking about cybersecurity risks to critical infrastructure, both privately-owned critical infrastructure as well as government-owned, whether it's a local water company or the power company or the banks. This effort, hosted by NIST [National Institute of Standards and Technology], is really involving the private sector in a big way. At the end of the day, it will have three different parts. It will have a risk management framework, which will allow us all to communicate better with CEOs about how to think about cyber as a risk, just like they think about operational risks and financial risks. The second piece of course will be a compendium of all the technical standards and controls that are possible for people to use. And the third part is a maturity model.
One of the risks in creating this framework was that it would create just a floor which would become the ceiling and people would just do the minimum. The maturity model allows companies to gauge themselves against the various levels of maturity from just a strict compliance-based approach to more [of a] culture of security.
You asked whether or not the private sector is going to do this on its own or whether sometimes there's a need for government to step in. I think the jury is still out. The administration decided to take a voluntary approach in part because Congress did not take action on the administration's legislative proposal, which was mostly voluntary, but it had a few mandatory elements, such as mandatory incident reporting. I think we're all going to try to see whether that works and whether the industry is able to step up to this. I'm very hopeful that will be the case, but we'll all have to see.
CHABROW: There seems to be political reasons why you're doing this voluntary approach. At the same time, you're saying you seem to have more trust or belief in the abilities of business. Is that a change of attitude by you over these years, that businesses can do more, or is it just the political realities that there are elements where you feel there isn't maybe as strong a role for government, but it just can't be accomplished in this environment?
McCONNELL: Certainly there's no consensus that it's time for government to move in this place, and I don't think there's enough data to make the case at this point. That's point one. Point two is that business needs to be incentivized in order to make these investments. I think most information security professionals would say that we as a country are not investing as much as we should in information security. The market incentives aren't right where they need to be, and that was one of the reasons the president in the cybersecurity executive order asked Homeland Security, Treasury and Commerce to produce reports on incentives. How do you incentivize firms to adopt stronger cybersecurity practices?
Privacy, Trust Issues in Government
CHABROW: There's been a lot of news surrounding NSA programs - DHS is a partner with NSA in securing the government - about collecting information on American citizens. I don't want to go into the details or even get into your opinions of whether that's right or wrong. What I want to address is the issue of trust and entrusting government, because basically what I'm hearing from people in government is that it's conducted in secret and we're basically hearing people say, "You have to trust us. We're not using this information to spy on Americans. We're trying to use this to collect information to prevent bad things from happening to America." But there's still a lack of trust, and we're both of the generation that remembers the Nixon White House using information it should not have had in going after citizens. Do you know what goes on in these programs? A lot of us don't. Should we trust you and why?
McCONNELL: You can have security and privacy, and I think the way that you get there is through transparency. DHS programs have publicly published privacy impact assessments which explain exactly what information DHS collects from the public, how it's collected, how it's stored, how it's used, how it's destroyed, when it's no longer used and if it isn't needed. Those can be reviewed by the public. I think that transparency can build trust, and one of the problems in the current set of revelations has been people were surprised to learn about these programs and that does not build trust.
One of the things that we've been seeing now as the administration has started to declassify some information about these programs is that it's possible actually to talk more in an unclassified way about things than the security establishment sometimes likes to do. Certainly you don't want to reveal all the details about who, what, where and when. But the general outlines of the program I think are now being discussed, and I think that's healthy.
In the United States in the '50s and '60s, we had a debate, a public debate, about the nuclear age, the Cold War and strategies of mutually-assured destruction. As we move forward into cyberspace, we need to also expose these questions to the American people and build a consensus around what's appropriate for government to do, how we want to balance the security and privacy pieces. For all the bad things that have or may happen because of these disclosures, as the president says, Americans should welcome the debate, and it's a good thing from that standpoint.
CHABROW: I just heard two things here. One is the inability to pass regulations in Congress, and now public clamor because of these leaks, that it's forcing the government to be more transparent and forward. Talk a little bit about the political process and that influence on cybersecurity.
McCONNELL: I would say the American people definitely need more help from the Congress. It's been disappointing, certainly from my former seat and as a citizen, to see the Congress's inability to pass even basic legislation in the cybersecurity area. This kind of legislation is needed to clarify the roles and responsibilities of government and to create the basis for the kind of trust that's needed in cyberspace and the roles between the government agencies and the roles of the private sector. It's been discouraging to see that lack of activity.
CHABROW: I believe the last significant piece of legislation to pass Congress was in 2002 or 2003, with the E-Government Act. We've gone a decade without any significant cybersecurity legislation. I'm really surprised when you hear so much agreement on 90 to 95 percent of what should be done and you can't get it passed. Why?
McCONNELL: As we all know, all politics is local, and the way the political system has evolved in the United States, there's really no incentive for members to take a leadership role on a national level in terms of legislation. That being the case, it's very hard for Congress to find consensus and agreement on even basic things. I mean, we've seen that not just in cybersecurity but across the board.
One of the things that concerns me is that in today's world we need government to be more agile, not less agile. It's not at all clear to me how we get out of this bind, turning if I may to the question of governments of the Internet. There you have an environment where there's multiple stakeholders. Certainly, national governments are acting and will act in cyberspace. But if you think about who has cyber-power, you also have to include large IT firms, information services firms, cloud companies and information companies. Then, the netizens have great power as well in cyberspace. For the future of cyberspace and the way it needs to be governed, we need to find ways to bring all those different groups together in a more agile way. One of the things that we looked at earlier last year was the WCIT [World Conference on International Telecommunications] conference in Dubai, which was governments only. It's a UN organization. There are industry observers who need to find ways to create either ad hoc or formal institutions which balance the various interests in cyberspace in a way that's closer to what's happening on the ground.