A group of security industry experts and government officials recommended on Tuesday that cybersecurity authority inside the federal government be taken away from the Department of Homeland Security (DHS) and moved back to the White House as soon as possible.
Speaking at a hearing in front of the House Subcommittee on Emerging Threats, Cyber Security and Science and Technology, members of a commission tasked with developing security recommendations for the next president said that DHS's cybersecurity authority is compromised by not having power over other agencies and that the United States is unprepared for a major online attack.
"Oversight of cybersecurity must move elsewhere. The conclusion we've reached is that only the White House has the authority to be effective," said James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS). "This is not a call for a czar. Czars in Washington tend to be marginalized. I think DHS has struggled for a number of reasons. One of the most important is that it doesn't have the authority to direct other agencies. I began by thinking we should strengthen DHS and I did not receive much encouragement when we put that forward. There are things that only DHS can do, but our view is that many of these functions need to move to the White House. This is now a serious national security problem and needs to be treated as such. Cybersecurity now needs to receive White House attention," Lewis said.
Before Congress created DHS, the White House held authority over cybersecurity issues. That authority took various forms during the early years of the Bush administration, but was moved from the White House to DHS in 2003.
Members of the committee, which asked the CSIS's Commission on Cyber Security for the 44th Presidency to create a set of recommendations on security policy and operations, questioned the witnesses on why the country is unprepared for a large-scale cyber attack nearly seven years after DHS was created and given much of the responsibility for cyber security. The answers varied, but came down to a lack of authority for DHS and a lack of communication between the agency and private sector organizations as well as other government entities.
"There really is no one in charge right now at DHS, and that's why they've struggled," said Paul Kurtz, a partner at Good Harbor Consulting, and a former adviser to President Bush on cyber security issues. "We have people who are supposedly working side by side but are not working side by side. We need to establish a better means of collaboration," Kurtz said.
The commission, which includes representatives from the Homeland Security committee, as well as dozens of private sector security experts, such as Scott Charney of Microsoft Corp. and Pete Allor of IBM, is planning to release full recommendations in November. Several members of the committee laid the fault for the state of the nation's cyber security at the feet of DHS, and more directly, the Bush administration.
"This administration has been a disaster when it comes to cybersecurity since 2003 when they got rid of Richard Clarke, and it's been all downhill since," said U.S. Rep. Bill Pascrell, Jr., (D-NJ), referring to the former cyber security advisor to Bush on the President's Critical Infrastructure Protection Board (PCIPB). "Let's name names and talk about accountability. I think we've been so concerned about political correctness that we haven't corrected the vulnerabilities."
Kurtz, who served on the PCIPB with Clarke, said that the disorganization and lack of both internal and external communication at DHS has been a major stumbling block in implementing many of the recommendations that CSIS and various other organizations and panels have made over the years. Kurtz referenced a recent meeting at DHS that included both private sector experts and DHS officials, including Greg Garcia, assistant secretary of the Office of Cyber Security and Communications, and his boss, Robert Jamison, under secretary of the National Protection and Programs Directorate, in which the various DHS leaders argued amongst themselves about authority and essentially disregarded the input from the non-DHS people in the room.
"What was so discouraging about that day, and I'll never forget it, is that we had infighting between DHS leaders as to how to proceed," Kurtz said. "It demonstrated in spades the lack of leadership, and that no one is in charge at DHS. It was a travesty. We had 70 or so private sector people in the room who had spent a lot of time and once again been asked to come up with some ways that we could better work together and the department basically threw it overboard. It was incredibly discouraging to witness."
Lewis and the other witnesses, who included David Powner, director of information management issues at the Government Accountability Office, and Lt. General Harry D. Raduege, Jr., chairman of the Center for Network Innovation at Deloitte & Touche, did not spell out exactly what form the White House's oversight of cybersecurity should take. But they all emphasized the need for better coordination and communication between government agencies, law enforcement, the military and private sector organizations in dealing with potential national-level cyber attacks.
"The short answer is we're not prepared for a major event. We're not well-prepared," said Powner, who added that the US-CERT has not grown into the role of a national focal point for security coordination and response that was envisioned for it.
The panelists did say that the commission has been working with representatives from both the John McCain and Barack Obama campaigns to bring them up to speed on cyber security issues, and that both campaigns had been receptive.
"The United States is disorganized and lacks a coherent strategy," Lewis said during his prepared testimony. "This new strategy should be one of the first documents the new administration issues."