Gregory Garcia: His first year as cybersecurity czar
The public greeted Gregory Garcia’s appointment as the Homeland Security Department’s assistant secretary for cybersecurity and communications with high expectations and some skepticism.
A year ago, industry leaders expected that he would raise the profile of cybersecurity issues and improve coordination between government and industry. Many said better coordination on cybersecurity was necessary to defend against possible attacks on the United States and its critical infrastructure networks.
The skepticism stemmed from uncertainty about whether Garcia would have the authority to make a difference and whether he could engineer substantial changes that would last beyond the Bush administration’s final term.
Many experts agree that Garcia has successfully championed cybersecurity in his first year, boosting its relevance in the DHS hierarchy and government and providing the energy needed to push through a number of important initiatives.
“There’s no doubt he’s won the beauty contest vote, and most people seem to think he’s done a good job,” said Jim Lewis, director of the Center for Strategic and International Studies’ technology and public policy program. “But it’s too early to rate how the DHS overall is doing” on cybersecurity.
A big test will be how the administration implements its National Strategy for Homeland Security, after what Lewis described as a ridiculous statement White House officials made in outlining that strategy in October.
Critics said the updated strategy contains little new information and includes few details about cybersecurity plans. Some said it didn’t offer much substance on cybersecurity, although President Bush was expected to issue a directive that would include more details about actions the administration would take on cyberdefense.
“Cybersecurity has so far been a faith-based strategy,” Lewis said. “Garcia has done well with [coordinating] exercises and so on and in working with industry. But what will the new presidential script be?”
Almost from the day the formation of DHS was first proposed shortly after the 2001 terrorist attacks, many thought cybersecurity would be a primary mission of the new department. Industry certainly did, and somewhat later, Congress also thought so. Yet after the 2003 publication of DHS’ National Strategy to Secure Cyberspace, the administration didn’t appear to be fully committed to cybersecurity, the department’s critics said.
DHS appointed several directors of its National Cyber Security Division to lead that strategy, but none of them lasted long. Each departing director cited frustration with the resources he was given to do the job. Industry officials also criticized previous cybersecurity directors for having neither the government experience necessary for the position nor the authority to bring about change.
Despite strong opposition from within the department, DHS Secretary Michael Chertoff eventually acceded to pressure from industry and Congress. In July 2005, Chertoff announced the creation of a new assistant secretary for cybersecurity and communications. DHS didn’t fill the position until September 2006, when it appointed Garcia. Complex issues
Judging Garcia’s performance after one year on the job is difficult, said Amit Yoran, a former National Cyber Security Division director at DHS and now chairman and chief executive officer at NetWitness, a network security forensics company.
“There is so much that is on Assistant Secretary Garcia’s plate that is critical, and the ability to respond [to cyberattacks] is so difficult to measure,” Yoran said. “Is progress being made? I would say yes. Is it sufficient? That’s harder to say because, for one thing, the threat environment is constantly changing. There’s ertainly a lot more that still needs to be done.”
Yoran and other cybersecurity experts said G arcia has succeeded in expanding awareness of cyberthreats and the need for better security. But that awareness falls short of what is needed, Yoran said.
“Garcia is doing certain things very well, but there’s still a lot that isn’t fully understood,” Yoran said. “I can’t say whether overall he’s doing an A or a C level job.”
Garcia was unavailable for an interview by press time. But, in past speeches and presentations, he has described his role as being the country’s chief cybersecurity activist, with responsibility for preparing the country to respond to cyberattacks that could overwhelm its information technology and communications infrastructure.
There hasn’t been a shortage of solutions offered for that defense, Garcia told an industry conference earlier this year. “There was just a lack of leadership and will. It is time to put those recommendations to work, and I am here to push us all to see that hard work come to fruition.”
The idea of having an assistant secretary for cybersecurity was to raise the prominence of cybersecurity at DHS and to have it taken seriously at higher levels in the department, said Shannon Kellogg, director of government and industry affairs at RSA, the security division of EMC. “And that has happened. With Garcia in the post, Secretary Chertoff himself has been taking more interest in this.”Credibility with industry
Before Garcia was appointed, industry’s criticisms focused on how DHS was not using its bully pulpit to raise awareness about the issues, Kellogg said, and now it is doing that.
Garcia has also been pragmatic, Kellogg said. “When Greg was appointed, I urged him to not ‘boil the ocean’ with what he did. And he’s done a pretty good job of that, laying out the three or four top points he thinks need to be tackled and continually stressing those.”
Kellogg said Garcia has made a substantial effort to get various DHS components, such as the U.S. Computer Emergency Readiness Team and the National Cyber Security Division, to work together and to improve information sharing between government and industry.
Garcia’s industry background gave him credibility, said Liesyl Franz, vice president of information security programs and policy at the Information Technology Association of America. Garcia’s experience in the policy arena was also important. He was a congressional staff member for several years and was in charge of the Washington office of 3Com, a network equipment manufacturer. Before becoming a DHS assistant secretary, he had the job that Franz now has at ITAA.
“Industry called for the [assistant secretary] position and also called for the person appointed to be from the private sector, because there is a big role that the private sector needs to play in incidence response,” Franz said. “With regard to that, Garcia and his staff have been exemplary in building coordination between the various parties.”
Despite receiving high marks from industry, Garcia still has a problem getting Congress to believe that DHS is making progress on cybersecurity. The Government Accountability Office released a report a few months ago that criticizes the nation’s readiness to defend against cyberattacks. And in congressional testimony last month, Gregory Wilshusen, GAO’s director of information security issues, said DHS lacks the processes needed to address specific weaknesses in critical infrastructure control processes.
“Until information-sharing weaknesses are addressed, DHS risks not being able to effectively carry out its responsibility for sharing information on vulnerabilities with the private and public sectors,” l husen said.
That statement prompted a blunt response from lawmakers. Rep. James Langevin (D-R.I.), chairman of the Homeland Security Committee’s Emerging Threats, Cybersecurity, Science and Technology Subcommittee, said criti al infrastructure control systems are increasingly being connected to open networks such as the Internet. “If this administration doesn’t recognize and prioritize these problems soon, the future isn’t going to be pretty,” he said.Champion of cybersecurity
Franz said Congress has a gap in its understanding of Garcia’s role and that, she added, is probably why his office hasn’t been funded to the level some people think is needed, given its responsibilities.
Despite those who say that Garcia has elevated cybersecurity awareness in the country, people still question what his influence has been. “I am working with large enterprises to help them build their security programs, and Garcia just doesn’t fit into any of that,” said Paul Proctor, a vice president at Gartner Research’s security and risk practice. “No one brings him up.” However, he added, it is a good thing that someone at Garcia’s level is evangelizing about cybersecurity. In the past, industry tended to write off cybersecurity as a techie issue.
On the other hand, Gartner’s most recent studies show executive level attention on cybersecurity is falling off again, Proctor said. “There’s a danger that people are starting to think the security problem is being solved.”
Howard Schmidt, a former cybersecurity adviser at the White House, said he thinks Garcia has done a good job of being a government champion for cybersecurity, but much remains for him to do. Through Garcia’s efforts, coordination among government agencies on cybersecurity issues has improved, but not everyone in government looks to DHS to take the lead role in cybersecurity, Schmidt said. Until recently, the Federal Information Security Management Act was driving improvements in cybersecurity.
FISMA “puts the onus on each agency to be responsible for its own security,” Schmidt said. For Garcia, overcoming that mind-set “is one of his biggest challenges, since some agencies tend to believe they are self-sufficient when it comes to security.”
Schmidt said Garcia also must establish clearer lines of authority for the office and its role in cybersecurity as preparation begins for a new administration that will take office in 2009. More than 20 different industry organizations represent some aspect of cybersecurity, he pointed out, “and there’s a few of them that feel they own the space.”
With a new administration, Schmidt said, people will be jockeying for position. He said Garcia’s role in the next year should be to further solidify the relationships between his office and industry — to institutionalize them — to sustain the progress he has made.