Part of the blame for continued cybersecurity problems in the U.S. government and beyond lies with Congress and its "scattershot" approach to dealing with the issue, a former assistant secretary for cybersecurity at the U.S. Department of Homeland Security said today .
Congress has often provided aggressive oversight of cybersecurity efforts at DHS and elsewhere, but there are continued turf battles between various congressional committees, and lawmakers introduce multiple pieces of legislation that sometimes conflict with each other, said Gregory Garcia, who served as assistant secretary for cybersecurity and communications at DHS from late 2006 to late 2008.
Garcia mentioned eight congressional committees that have responsibility for a portion of cybersecurity policy, and he called on congressional leadership to coordinate cybersecurity efforts. Some committees are pushing for more cybersecurity responsibility outside of DHS, while other committees are resisting changes, he said during a press briefing.
Congressional leaders "need to bring their committees together, sit them around the table ... and make sure everybody understands what is their jurisdiction, what's their responsibility, and what are the policy gaps," Garcia said. "Have a coordinated, leadership-driven process, rather than letting all these committees go off freelancing with their next great idea."
If one committee is pressing for the U.S. Department of Justice to have more authority and a second is pressing for DHS to have more authority, "we're not making progress, we're going off scattershot," Garcia added.
Garcia's time at DHS was marked by hypercriticism from a Democrat-controlled Congress of the agency, with its leadership appointed by former Republican President George Bush, he said. There were also significant management problems at DHS, partly because the agency is only six years old, Garcia said, but a large problem was that agency leaders were sensitive about criticism from Congress, and wouldn't let lower level staffers make the decisions they had expertise to make.
"Decisions were made at the political level, not at the civil servant level," he said.
Some of the congressional criticism of DHS seemed "cynical," added Garcia, now president of Garcia Strategies, a consulting group.
Members of the House Homeland Security Committee didn't immediately respond to a request for a reaction to Garcia's comments. The House committee has hosted several hearings focused on cybersecurity in recent years.
Garcia's criticism of the cybersecurity policy process came two days after the U.S. Government Accountability Office (GAO) issued a report saying that federal IT systems remain vulnerable to a variety of cyberattacks.
Security audits have "identified significant weaknesses in the security controls on federal information systems, resulting in pervasive vulnerabilities," the GAO report said. "GAO has identified weaknesses in all major categories of information security controls at federal agencies."
During 2008, audits found weaknesses at information security controls at 23 of 24 major U.S. agencies, the GAO said. Agencies did not consistently authenticate users to prevent unauthorized access to systems; did not encrypt sensitive data; and did not log and monitor security-relevant events, the GAO said. Agencies have failed to fully implement information security programs, the report said.
Asked what Congress can do to help private companies better protect themselves, Garcia and Alan Kessler, president of intrusion protection vendor TippingPoint, questioned whether new regulations would be productive.
Many large companies should have enough incentives to protect their data, Kessler said. "I'm not sure regulations or fines are necessarily going to compel boards of directors or senior IT executives," he said. "They can lose everything with one vulnerability."
However, Congress may be able to create some incentives for medium-sized businesses that don't have the resources to properly address cybersecurity, Kessler added.
Garcia also questioned whether new regulations would be effective, but he warned that they may be coming. Some U.S. industries still don't take cybersecurity seriously enough, he said. "There may be a time when the Congress gets fed up ... and will declare market failure and regulate," he said.