Agency cyber shortfalls not just a problem of funding

Thursday - 1/26/2012, 7:45pm EST

Richard Stiennon, chief research analyst, IT Harvest, part 1

Download mp3

Part 2

Download mp3

Part 3

Download mp3

part 4

Download mp3

part 5

Download mp3

Lawmakers in Congress have been crafting cybersecurity legislation for years. And a bill could be on the Senate floor as soon as next week.

But Richard Stiennon, the chief research analyst at IT Harvest and author of the book "Surviving Cyberwar" told In Depth with Francis Rose that Congress' usual method of dealing with serious problems might not work with cybersecurity.

That's because many of the tricky cyber issues at agencies are not necessarily congressional issues at all, but executive issues, Stiennon said. "i've been calling for some sort of assigning of responsibility," he added, which would more explicitly denote to agency cyber officials their roles in protecting the network from incursions and stopping data from being stolen.

"Part of the problem is most organizations don't even have processes in place to identify when data's being exfiltrated from them," he explained. "But if they could — and if they were responsible for it — they would start doing things immediately, just changing what they do today without any additional expense. Maybe there's some training involved and getting people up to speed on the tools that they already have, but it doesn't require billions and billions of dollars to solve this problem."

Doubtful of cyber 'domain'

Among the major cybersecurity developments of 2011 was the launch of Cyber Command under Gen. Keith Alexander, the head of the National Security Agency. Also in a new DoD strategy, the Pentagon includes cyber as its own domain, along with air, sea, land, and space. Some experts are skeptical of that model, though. Stiennon is one of them.

He said setting cyber apart as its own domain risks creating an organizational challenge for the Defense Department.

"You're going to always have joint operations," Stiennon said. "But adding an additional domain with additional commanders and an additional infrastructure of management, I think it isn't going to be as effective as if we just recognize that cyber is actually one of the predominant ways that we accomplish warfighting and ... that that should just be part of the operations of a modern Defense Department."

This story is part of Federal News Radio's daily Cybersecurity Update. For more cybersecurity news, click here.