Experts urge overhaul of cybersecurity
The Homeland Security Department, the agency in charge of coordinating federal cybersecurity efforts, is not fully prepared to protect the United States against a significant attack on the cyber infrastructure, according to government auditors and some independent experts. Also, cybersecurity coordination should be moved to the White House to reflect the scope of the threat posed by potential cyber attacks, some experts said.
The Government Accountability Office released findings Sept. 16 to a House subcommittee that concluded DHS has not fully addressed key issues that include monitoring network activity, analysis, warning and response. DHS also did not implement several corrective actions to strengthen coordination with the private sector after its first large-scale simulation exercise and does not effectively share information on control system vulnerabilities with the public and private sectors, the GAO said.
“Until these steps are taken, our nation’s computer-reliant critical infrastructure remains at unnecessary risk of significant cyber incidents,” David Powner, GAO’s director of information management issues, testified before the House Homeland Security Committee’s Emerging Threats, Cybersecurity and Science and Technology Subcommittee.
Also, DHS' performance was criticized by members of the Center for Strategic and International Studies’ Cyber Commission on Cyber Security.
Paul Kurtz, chief operating officer at Good Harbor Consulting and a commission member, said it was not clear who was leading the cybersecurity effort at DHS.
“There really is no one in charge right now at DHS,” Kurtz said. “It’s as though you have several people with their hands on the steering wheel and there is really no common direction.”
Kurtz said a lack of leadership was evidenced by infighting about cybersecurity efforts he had seen among the department’s senior leadership. He added that about 70 people from the private sector were present when that infighting happened.
Kurtz also said cybersecurity “really is no longer a homeland security issue, but a national security issue” and that situation is not the fault of DHS.
James Lewis, head of the CSIS program that sponsors the commission, said trust between the government and the private sector needed to be rebuilt and an increased focus was needed on the critical infrastructure sectors essential to cybersecurity: telecommunications, electricity and finance.
The expansion of the cyber threat necessitates moving the authority for coordination from DHS to another organization, the commission’s preliminary findings indicated. The panel's complete report is expected to be released in November.
“Our view is that any improvement to the nation’s cybersecurity must go outside of DHS to be effective, and this will require rethinking the roles of DHS” and the White House’s Homeland Security Council, Lewis said. “We concluded that only the White House has the necessary authority and oversight for cybersecurity.”
Lewis said because the most dangerous cyber threats now come from foreign military and intelligence services, along with terrorist organizations and international crime organizations, DHS does not have significant authority to deal with those threats.
“We have to bump this up,” Lewis said.
In response, DHS spokeswoman Laura Keehner said in an e-mail message that the department was performing meaningful work on cybersecurity. She pointed to the recently created National Cyber Security Center, which will coordinate military and civilian cybersecurity efforts, and to DHS' efforts to hire several hundred analysts.
"Rearranging the deck chairs is a classic inside the Beltway pastime, but all that it ensures are more headlines for political posturing and a guarantee that in two years [the] government's cyber efforts will be in the same place," she said. "Billions of dollars are going into this effort. We're the first to admit there is more work to be done; we are focused on collaborating with the private sector -- which owns the vast majority of this country's critical infrastructure -- to mitigate threats."
In a related development, Rep. James Langevin (D-R.I.), the subcommittee's chairman, announced the formation of a bipartisan House Cybersecurity Caucus scheduled to begin meeting in January, but he provided no details about its membership or operations.
Ben Bain is a reporter for Federal Computer Week.