DHS still doesn't quite get this cybersecurity thing

Written by Larry Dignan, Contributor

The Department of Homeland Security is still lacking in the cybersecurity department, according to a bevy of critics. What's galling is that the DHS' inadequacies are barely news anymore. Here's what would be a real news flash: "DHS locks down cybersecurity. Hackers locked out!"

Perhaps I'm cynical from following the DHS from inception, but that's my reaction after reading the latest dose of criticism detailed by News.com.

Stephanie Condon outlines how some are saying that the DHS can't be trusted with its cybersecurity mission. Trust isn't the issue. Bureaucracy is. The DHS is a hodge-podge of 22 agencies and frankly I'd rather have them sniffing out explosives than worrying about hackers. The job is big enough. Perhaps we need a DCS, or Department of Cybersecurity.

James Lewis, a director at the Center for Strategic and International Studies, testified at a House hearing on the cybersecurity matter and concluded that the existing setup isn't conducive to effectively battling hackers. Lewis said (full testimony):

It did not take long for our group to conclude that our national efforts in cyberspace are disorganized. None of the existing cyber security structures are adequate. We found that the central problems in the current Federal organization for cyber security are the lack of a strategic focus, overlapping missions, poor coordination and collaboration, and diffuse responsibility. Much of the problem resides with the performance and capabilities of the Department of Homeland Security. While the Department’s performance has improved in recent years, making this Department more effective will be an immediate task for the next administration. However, our view is that any improvement to the nation’s cyber security must go outside of DHS to be effective, and this will require rethinking the roles of DHS and the Homeland Security Council.

Given DHS’s weaknesses, we considered a number of alternatives. The Intelligence community has the necessary capabilities but giving it a lead role poses serious constitutional problems. DOD is well suited to manage a national mission, but giving it the lead suggests a militarization of cyber space. We concluded that only the White House has the necessary authority and oversight for cyber security.

Simply appointing a czar, however, will not work. Czars in Washington tend to be either temporary or marginalized. Longing for a Czar is a symptom of our industrial-age governmental organization. We are developing recommendations on how to leverage information technology to increase security while improving the efficiency, and transparency of government operations. Our thinking on this has been shaped in part by the implementation of the Intelligence Reform and Terrorist Prevention Act, which imposed a new, more collaborative structure on the Intelligence Community. This is still a work in progress, but the IC’s experience shows that the combination of a Congressional mandate, adequate authorities, and a focus on “enterprise” solutions (e.g. those that cut across traditional agency barriers) can improve federal performance.

The big conclusion from Lewis: The U.S. needs the President to be Mr. Cybersecurity and impose better practices on the army of bureaucrats. Color me skeptical.

Meanwhile, the General Accountability Office (GAO) reports that the DHS hasn't fully learned the lessons of Cyber Storm, an information security exercise in Feb. 2006. The problem with this tidbit: The DHS has already conducted Cyber Storm II in March.

Commenting on their experiences during the second Cyber Storm exercise, in March 2008, participants observed both progress and continued challenges in building a comprehensive national cyber response capability. Their observations addressed several key areas, including the value and scope of the exercise, roles and responsibilities, public relations, communications, the exercise infrastructure, and the handling of classified information. For example, many participants reported that their organizations found value in the exercise because it led them to update their contact lists and improve their response capabilities. Other participants, however, reported the need for clarifying the role of the law enforcement community during a cyber incident and for improving policies governing the handling of classified information so that key information can be shared. Many of the challenges identified during Cyber Storm II were similar to challenges identified during the first exercise.

Based on the GAO--the single best part of government, by the way--I'd have to side with Lewis. Cybersecurity has to be more of a priority, and lumping it into the DHS isn't going to work. However, any fool (including me) can identify the problem. What's the solution? Keep in mind that the reality will differ greatly from the whiteboard, and toss me a few fixes. If you were king of cybersecurity in the U.S. for a day, what would you do?
