Today marks 12 years after the 9/11 terrorist attacks; it’s been a decade since 22 government agencies were combined into the Department of Homeland Security in response to those attacks. “DHS has spent more than $35 billion on homeland security grants, but cannot measure whether we are safer from terrorist attacks,” according to Republican Senator Tom Coburn. This morning, the U.S. Senate Homeland Security and Governmental Affairs Committee held a hearing about “The Department of Homeland Security at 10 Years: Examining Challenges and Achievements and Addressing Emerging Threats.”
Ultimately, this is the agency responsible for our critical infrastructure that is often critically vulnerable to cyber attacks. Although many DHS areas were discussed during the senate panel, I thought you might be interested in tidibts from four testimonies about DHS and cybersecurity.
“We need to understand that cyber space touches everything and everyone. It is an ubiquitous feature of our lives,” testified retired U.S. Coast Guard Admiral Thad Allen. “There is no part of our national economy, infrastructure, or social fabric that is not in some way connected to the internet backbone.” Although he listed key components related to DHS and its cybersecurity mission, Allen added:
Regardless of the conditions under which the Department was created and notwithstanding the barriers that have existed for ten years, at some point the public has a right to expect that the Department will act on its own to address these issues. Something has to give.
“Now, today, threats in the cyber world are getting quite a bit of attention,” testified Thomas Ridge, former Secretary of Homeland Security. “I have heard many of my friends and colleagues from the intelligence and security communities say that we will soon be visited by a ‘Cyber Pearl Harbor.’ I share this concern. The issue, however, is not whether government and private sector leaders recognize the threat. The threat is clear. The question is what do we do about it?”
At the end of the day, if we are not prepared to enable government and critical industries to share information and coordinate to prevent major cyber attacks and incursions, we will also be unprepared to respond together and to be resilient if and when attacks occur. In this sense, we are just as vulnerable to experience a “Cyber Katrina”—that is, experience a disaster on top of a disaster—as we are to realize a “Cyber Pearl Harbor.”
“Sometimes it's easier to persuade the team to give you the ball than to actually run with it after you get it. That is DHS's problem right now,” according to Stewart Baker, a man in the unique position of having worked as former NSA General Counsel and former DHS Assistant Secretary. “There are certainly days and even weeks when I feel like the child of a troubled marriage.” His testimony outlined some of the challenges for DHS in cybersecurity, including “building a clear relationship with the NSA.”
As a concerted campaign of leaks has left NSA reeling and mistrusted by the public, it must be clear that on cybersecurity matters affecting the civilian sector, DHS is calling the policy shots. At the same time, DHS must rely heavily on NSA's technical and operational expertise to succeed. This fundamental truth has been obscured by personalities, mistrust, and impatience on both sides. It's got to end, especially in the face of adversaries who must find the squabbling email messages especially amusing because they are reading them in real time.
“We will never defend our way out of the cybersecurity crisis,” Baker said. “Sometimes the best defense really is a good offense.”
Intelligence agencies have stopped trying to trace each hop the hackers take. Instead, they've found other ways to compromise the attackers, penetrating their networks directly, observing their behavior on compromised systems and finding behavioral patterns that disclose much. In short, we can know who are our attackers are. We can know where they live and what their girlfriends look like. That’s because it’s harder and harder for hackers to function in cyberspace without dropping bits of identifying data here and there. The massive amount of data available online makes the job of attackers easier, but it can also help the defenders if we use it to find and punish our attackers.
Jane Harman, former member of the U.S. House of Representatives, added, “DHS will never ‘own’ the cyber mission, but it is responsible for a central piece: critical infrastructure protection. In the past year, DHS has tracked and responded to nearly 200,000 cyber incidents – a 68% increase from the year before.”
Republican Senator Tom Coburn doesn’t believe that’s good enough. He outlined 10 challenges still facing Homeland Security after 10 years and several of those touch on cybersecurity and critical infrastructure issues. “Despite spending $2.8 billion to secure our ports – a key component of critical infrastructure – DHS has failed to establish clear metrics for assessing and measuring our progress on port security.”
And since 2007, DHS has spent “nearly half of a billion dollars” on chemical facility security to protect critical infrastructure, but “it is not clear the Chemical Facility Anti-Terrorism Standards (CFATS) program has improved security at chemical facilities.” In fact, “only five percent of all covered facilities have approved security plans and no facility has undergone a compliance inspection – more than five years after the program was to be up and running.”
Despite DHS’s growing responsibilities for cyber security, the Department is struggling to fulfill its cyber and information technology missions, including securing its own networks. The DHS Inspector General reported to me that DHS has not addressed nearly four dozen recommendations for bringing the Department’s cyber security up to required standards. A new report from the Office of Inspector General found that DHS’s “inadequate continuity and contingency planning increases the risk that the Department may not be able to respond effectively in case of an emergency or disaster.”
In case you didn’t know it, during her farewell address, former Homeland Security Secretary Janet Napolitano warned her successor, “A massive and ‘serious’ cyber attack on the U.S. homeland is coming, and a natural disaster — the likes of which the nation has never seen — is also likely on its way. So prepare, and bring 'a large bottle of Advil'.”