Air Force Chief, Ex-FBI Agent: Cybersecurity Policy Can't Wait

Both the U.S. Air Force chief and a former FBI agent think that now is the time for a U.S. executive order on cybersecurity. Here's why.

President Obama had better release an executive order on cybersecurity soon because it is increasingly clear that the government’s muddled approach is just making the problem worse. Both the FBI’s former chief of cyber intelligence and the new chief of staff for the Air Force have made it clear that a change has to come soon.

Steven Chabinsky, a 17-year FBI vet, was barely out the agency's door when he started ripping into the Federals’ cybersecurity efforts. Chabinsky, who left the Bureau earlier this month, called the long-standing focus on reducing vulnerabilities a “failed approach.”

Chabinsky's claim was indirectly backed by Gen. Mark Welsh, the U.S. Air Force's brand new chief of staff, who said he doesn’t want to put more money into cyber defense until he’s sure the government knows what it’s doing.

In an article in Foreign Policy, Welsh said, "I'm a believer, I'm just not sure we know exactly what we're doing in it yet, and until we do, I'm concerned that it's a black hole. I'm going to be going a little slow on the operational side of cyber until we know what we're doing."

The lack of a clear-cut goal or policy means Welsh doesn’t know what is expected from the Air Force as far as cybersecurity is concerned.

"I don't know of a really stated requirement from the joint world, through U.S. Cyber Command in particular, as to what exact kind of expertise they need us to train to and to what numbers to support them and the combatant commanders," he said.

Chabinsky is a lot more direct about what he thinks is needed now that he's no longer a government employee: Some sort of limited offensive capability.

"The FBI needs stronger partners in the private sector who can figure out who the bad guys are, and there needs to be much stronger relationships between the private sector, law enforcement, and the courts to ensure that all the legal authorities that exist can be brought to bear against cyberattackers," he told The Washington Post.

He thinks companies that find proprietary data on an external server should be legally able to take action–to delete or encrypt the data. A company could then report the crime to the authorities so the government could search for the hacker.

Chabinsky is the latest of several former Federal security types to issue warnings on the topic. Earlier this year, Shawn Henry, who recently retired as the Bureau’s top cyber-sleuth, also called for a more offense-minded approach. Ex-CIA director Michael Hayden thinks the private sector may not wait for the government to act. He expects to see the emergence of a ‘‘digital Blackwater," or the emergence of firms that could be hired to go all mercenary on online intruders.

Chabinsky wants to head off the hired-gun approach. He wants more debate and clarity on what companies can and cannot do to protect themselves. “This is an area that would seem ripe for congressional debate and resolution,” Chabinsky said.

Debate, certainly. As far as Congress actually resolving something … well, I’m not holding my breath.

P.S. Chabinsky left the FBI this month to become chief risk officer for a company called CrowdStrike, which lets companies “go on the offensive against today's most advanced adversaries.” CrowdStrike says it is, “[a] stealth-mode security start-up.” Given the amount of press it has already received, I worry about the PR tsunami it will see when it isn't so stealthy. But I digress.

NEW! Download the State of the CIO 2017 report