DHS rejects criticism of agency as Beltway politics

Security group claims DHS is unfit to lead national cybersecurity efforts

The U.S. Department of Homeland Security (DHS) today dismissed as classic Beltway politics the suggestion by a group of experts that it was unfit to lead the nation's cybersecurity initiatives.

The criticism was leveled yesterday by members of a commission working on developing cybersecurity recommendations for the next administration in Washington. The group, in testimony before a congressional subcommittee, suggested that the White House, rather than the DHS, needs to take charge of defending the country against cyberthreats.

At the hearing, lawmakers were told that the department does not have the leadership, the implementation capabilities or the influence needed at the federal level and with the private sector to drive the improvements needed to bolster the nation's cybersecurity.

Laura Keehner, a DHS spokeswoman, dismissed the criticism as a political gambit aimed at snaring a few headlines. "Rearranging the deck chairs is a classic 'inside the Beltway' pastime," Keehner said in an e-mailed comment. "But all that it ensures are more headlines for political posturing and a guarantee that in two years, government's cyberefforts will be in the same place."

Keehner insisted that the agency was getting meaningful work done and cited as examples the recent creation of the National Cyber Security Center and the hiring of "several hundred" information security analysts. She also said the DHS was focused on collaborating with the private sector, which owns much of the nation's critical infrastructure.

"To be fair, we are undertaking something not unlike the Manhattan Project," Keehner said. "Billions of dollars are going into this effort. We're the first to admit there is more work to be done, but the progress that we have made should not be discounted."

Her comments came in the wake of a barrage of criticism leveled against the agency yesterday by members of the Commission on Cyber Security for the 44th Presidency. The 40-person commission was established last November by the Center for Strategic and International Studies (CSIS), a bipartisan Washington-based organization focused on security policy initiatives. The group is scheduled to release its final recommendations in November.

Yesterday, members of the commission presented some advance details of the recommendations they are developing to the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.

Paul Kurtz, chief operating officer of Good Harbor Consulting in Arlington, Va., and a member of the CSIS commission, said that escalating espionage and attacks against critical infrastructure and government targets have elevated cybersecurity from a DHS problem to "a national security issue." It's a situation that calls for far more leadership and organizational ability than the DHS has shown it is capable of, he said.

In his testimony, James Lewis, CSIS director and a senior fellow, said the recommendations being developed by the commission are designed to address the lack of organization and overall unpreparedness to deal with a growing range of cyberthreats facing the U.S.

"We are under attack and taking damage," Lewis said, and there needs to be a better way to address the issue.

Cybersecurity has emerged as a national security issue, Lewis said, and it is time for the government to use its diplomatic, military, economic, law enforcement and intelligence-gathering abilities to confront the problem.

One of the commission's most important conclusions is that "credible offensive capabilities are necessary to deter potential attackers," Lewis said, but it may be futile to look to the DHS to lead the charge.

Lewis and other witnesses at the hearing said the problems at the DHS had to do with a lack of leadership, slowness to execute, a relative lack of clout in fostering multiagency collaboration and a failure to develop information-sharing and public/private partnerships.

"The DHS has struggled. It does not have authority to direct other departments," Lewis said. "Our interviews have suggested that oversight of cybersecurity has to move elsewhere."

Both the intelligence community and the U.S. Department of Defense have the ability to manage and lead cybersecurity efforts, but it may not be politically wise to have them do so, Lewis said. Giving the intelligence community the lead in such a mission could pose serious constitutional issues, while handing over the reins to the Defense Department would suggest a militarization of cyberspace, he said.

Only the White House has the authority and the oversight to lead the mission, he added.

But having the next president appoint a so-called cybersecurity czar is not enough because previous holders of the position have tended to get marginalized, Lewis said. Rather, the goal should be to have a White House-led collaboration involving federal agencies, law enforcement and the private sector, he said.

Also testifying was David Powner, director of information management issues at the U.S. Government Accountability Office (GAO), who echoed many of the views expressed by the others during the hearing.

Powner noted that despite some improvements, the DHS has not fulfilled its obligation to protect systems that support the nation's critical infrastructure. Powner's testimony summarized the results of two GAO reports that were released yesterday and noted several areas in which the DHS has failed to deliver on its mission.

For example, the cyberanalysis and warning capabilities of the U.S. Computer Emergency Readiness Team (US-CERT) are still a work in progress and don't fully address several key attributes related to network monitoring, anomaly detection, warning and response, Powner said.

Similarly, the DHS is still in the process of implementing more than a dozen corrective actions it had identified as being needed after a cyberexercise called Cyber Storm in 2006. Pointing to the escalating cyberthreats facing the country, Powner noted that the DHS should have implemented the corrective actions faster and not like a "slow-moving bureaucracy."

The GAO report also faulted the DHS for failing to effectively share information relating to control system vulnerabilities across the federal government and the private sector and for not implementing a strategy for mitigating those vulnerabilities.

A national cyberinitiative known as National Security Presidential Directive 54 and announced by President George W. Bush in January should help boost the country's readiness for dealing with cyberthreats, according to those testifying at the hearing.

But the relative secrecy under which the effort was shrouded has been counterproductive, Kurtz noted. The cyberinitiative is really a "good news story" that has been overclassified to the point where those who need to know more about the effort still remain in the dark, he said.

Even here, the DHS has failed to demonstrate the leadership to move its efforts forward, Kurtz said. He described a recent meeting between senior DHS executives and about 70 private-sector representatives to discuss ways the two sides could collaborate on security under the presidential directive. But instead of reaching any consensus, there was a lot of "infighting between senior DHS leadership" on how to proceed, and the meeting ultimately ended with the government basically throwing overboard the private-sector proposals, he claimed.

"It demonstrated in spades the lack of leadership, the fact that no one was in charge at the DHS," said Kurtz, who used words such as "sickening" and "travesty" while describing the meeting to committee members.

Rep. Michael McCaul (R-Texas), a ranking member of the subcommittee, stressed that the focus of the commission is on finding a way to come together in a bipartisan fashion to address the country's cybersecurity challenges.

"We are not in the business of finger-pointing and partisanship," McCaul said. He noted the work being done by some "very good men and women" at the federal level and commended them for their efforts. "We don't want to be sitting here someday with a cyber 9/11 and say, 'What could we have done differently to stop that?'" he said.

Copyright © 2008 IDG Communications, Inc.

  
Shop Tech Products at Amazon