Cybersecurity Depends on Information Sharing, Empowering CIOs, Hurd Says

Rep. Will Hurd, R-Texas, addresses GovProtect17 on June 21, 2017, in Washington, D.C. (Photo: David Keith for MeriTalk)

To protect the nation’s digital infrastructure, Rep. Will Hurd, R-Texas, said it’s important to empower agency leadership and expand information sharing between the Federal government and other entities.

“We have to empower the CIOs in the Federal agencies in order for them to be able to defend our digital infrastructure,” Hurd said June 21 at Tenable’s GovProtect17 event. “It’s a simple metric for me: Does the CIO report to the agency head or the deputy agency head? And if the answer is no, you have a fundamental problem, because that’s a signal that the agency head doesn’t care or does not recognize that their information technology unit is not just a cost center. That it is supposed to be an entity that can help move their focus on providing the right services that they need.”

Hurd applauded work by the Trump administration, such as May’s cybersecurity executive order, which placed the responsibility for cybersecurity in the hands of agency leadership.

“The cybersecurity executive order saying that agency heads are responsible is important. During the transition you had the transition teams talking about why there’s a CIO that does not report directly to the agency head. Or why, in some agencies, are there 14 people with the title CIO?” said Hurd. “These are some of the structural problems that we have to fix in order to make sure that the CIOs are able to introduce some of the newest and latest technology.”

Hurd stressed the importance of closing the gap between those with purchasing power in the Federal government, and those who will actually use the newly acquired IT systems, and said that legislation like the Federal Information Technology Acquisition Reform Act and his bill, the Modernizing Government Technology (MGT) Act, would be important to that end.

Hurd reintroduced MGT in late April, and it unanimously passed the House less than three weeks later. Hurd said that he is working with the Senate Homeland Security and Government Affairs Committee, which is responsible for marking up the Senate version of the bill, to pass the legislation quickly and get it to the president’s desk.

“The other thing that we have to do in addition to empowering CIOs is we have to improve information sharing. Keith Alexander [former director of the NSA and Commander of U.S. Cyber Command] said at a hearing recently, probably a year ago now, that the Federal government thinking they can defend their infrastructure alone, and the private sector thinking they can defend their infrastructure alone is the equivalent of the French thinking an imaginary line is going to protect them from the Germans,” said Hurd. “We have to work together, we have to improve information sharing.”

Hurd agreed with the Cybersecurity Act of 2015’s designation of the department of Homeland Security as the core agency for cyber intelligence sharing between the public and private sectors, and said that it is now Congress’ responsibility to empower DHS’s National Protection and Programs Directorate (NPPD) to improve that process.

“The Cybersecurity Act of 2015, which probably should have been approved in like 2004, codified the department of Homeland Security as an institute to share information between the Federal government and the private sector,” said Hurd. “We have to make sure they have the tools that they need. And I think that’s one of the things that we have to do this year is we have to reorganize the NPPD. They are an operational entity already, and let’s give them the tools that they need, let’s codify that into law, and let’s make sure that they’re operating like a TSA.”

However, Hurd said that DHS can’t be everything to everyone, and encouraged the development of a cyclical pattern of information sharing and analysis between intelligence and the private sector.

“Let’s take those assumptions that many of our friends in the private sector have, turn that into national intelligence collection requirements, run that to the NSA and the CIA to go collect information to answer those questions, and get that information back in the hands of those that need it,” said Hurd. “Now turning assumptions into collection requirements is actually quite simple. Tasking our national collectors is not a difficult task. But once that information is back in the hands of the Federal government getting it back out to the private sector is a very difficult issue, and this is one of the reasons why I think DHS is uniquely situated, and why they have to be the center.”

Hurd is also making an effort to improve digital information sharing between the U.S. and its allies, through recent introduction of the Enhancing Overseas Traveler Vetting Act, which authorizes DHS and the State Department to develop open source software to facilitate the vetting of travel documents and to share that software with foreign allies.

“This came from being on a task force last year or before last looking at foreign fighters traveling into Syria and Iraq,” said Hurd. “One of the things that we found was, even our European allies were not sharing, were not comparing known travelers against watch list data.”

The legislation has most recently been referred to the House Committee on Counterterrorism and Intelligence for markup.

No Comments

    Leave a Reply

    Recent