Former DHS cybersecurity chief points finger at Congress

IDG News Service - Part of the blame for continued cybersecurity problems in the U.S. government and beyond lies with Congress and its "scattershot" approach to dealing with the issue, a former assistant secretary for cybersecurity at the U.S. Department of Homeland Security said today .

Congress has often provided aggressive oversight of cybersecurity efforts at DHS and elsewhere, but there are continued turf battles between various congressional committees, and lawmakers introduce multiple pieces of legislation that sometimes conflict with each other, said Gregory Garcia, who served as assistant secretary for cybersecurity and communications at DHS from late 2006 to late 2008.

Garcia mentioned eight congressional committees that have responsibility for a portion of cybersecurity policy, and he called on congressional leadership to coordinate cybersecurity efforts. Some committees are pushing for more cybersecurity responsibility outside of DHS, while other committees are resisting changes, he said during a press briefing.

Congressional leaders "need to bring their committees together, sit them around the table ... and make sure everybody understands what is their jurisdiction, what's their responsibility, and what are the policy gaps," Garcia said. "Have a coordinated, leadership-driven process, rather than letting all these committees go off freelancing with their next great idea."

If one committee is pressing for the U.S. Department of Justice to have more authority and a second is pressing for DHS to have more authority, "we're not making progress, we're going off scattershot," Garcia added.

Garcia's time at DHS was marked by hypercriticism from a Democrat-controlled Congress of the agency, with its leadership appointed by former Republican President George Bush, he said. There were also significant management problems at DHS, partly because the agency is only six years old, Garcia said, but a large problem was that agency leaders were sensitive about criticism from Congress, and wouldn't let lower level staffers make the decisions they had expertise to make.

"Decisions were made at the political level, not at the civil servant level," he said.

Some of the congressional criticism of DHS seemed "cynical," added Garcia, now president of Garcia Strategies, a consulting group.

Members of the House Homeland Security Committee didn't immediately respond to a request for a reaction to Garcia's comments. The House committee has hosted several hearings focused on cybersecurity in recent years.

Garcia's criticism of the cybersecurity policy process came two days after the U.S. Government Accountability Office (GAO) issued a report saying that federal IT systems remain vulnerable to a variety of cyberattacks.

Security audits have "identified significant weaknesses in the security controls on federal information systems, resulting in pervasive vulnerabilities," the GAO report said. "GAO has identified weaknesses in all major categories of information security controls at federal agencies."