House politicians search for DHS cybersecurity fix

It's easy to criticize government failures. But as the U.S. Congress is learning in the case of the executive branch's cybersecurity efforts, fixing problems and crafting improvements is a little more difficult.

The U.S. Department of Homeland Security's cybersecurity arm has been under fire practically since its inception, flunking tests by outside auditors and receiving letter grades of "F" from congressional overseers. That invited speculation last year about whether the National Security Agency or the White House should take over responsibility for cybersecurity tasks.

Both ideas met with a lukewarm reception during a congressional hearing on Tuesday. "The mission should not reside in NSA," said Microsoft Vice President Scott Charney, a onetime Justice Department computer crime chief. Charney said if you want the public to trust its government, "it's really important to empower DHS to take the necessary operational role."

The chairman of the full House Homeland Security Committee, Bennie Thompson (D-MS), felt the same way. "I don't think the answer to our problems in cyberspace comes from giving control of the entire federal cybersecurity mission to NSA," he told the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.

There are "pockets within DHS showing signs of improvement," Thompson added.

And the idea of a White House takeover wasn't wildly popular. "I want to respectfully disagree with those of you who think the White House is a place to put this," said Rep. Paul Broun, a Georgia Republican. He added: "I think this committee, not the White House, should be setting policy."

Making the hearing more lively than usual was last week's resignation of Rod Beckstrom, director of Homeland Security's National Cybersecurity Center. In his farewell letter, Beckstrom blasted what he said was an NSA power grab, saying the secretive military agency "effectively controls DHS cyber efforts through detailees, technology insertions." (The week before, Director of National Intelligence Admiral Dennis Blair suggested to a House committee that the NSA was ready for the job, saying "there are some wizards out there at Fort Meade.")

"It's pretty clear (DHS) have not lived up to those responsibilities," said Dave Powner, a director at the Government Accountability Office, who testified at the hearing. "The question is: do we want to keep working with them...or do we just designate them an operational role and put someone else in charge of coordinating with the private sector and the intelligence community?"

Part of official Washington's dissatisfaction with DHS involves disagreements with not just who should handle cybersecurity topics, but what should be done. Security hawks would like the government to have the authority to order around the private sector. Defense hawks would like more focus on offensive "cyberattacks." Privacy advocates worry about Homeland Security's expansive mission, and remember how the NSA and FBI fought for many years to restrict domestic use of encryption.

"I don't think DHS can effectively lead offensive capabilities we need in cyber," said Amit Yoran, the CEO of monitoring firm NetWitness and a former DHS cybersecurity official. DHS's "key role" should be to protect government networks, he said.

Any significant legislative effort to rethink federal cybersecurity efforts is likely to wait until a two-month review ordered by the Obama administration in February is complete. Rep. Yvette Clark (D-NY), chairman of the cybersecurity subcommittee, said that review is crucial because the Bush administration's "strategy stopped short of mandating security changes. Without teeth, the strategy was never implemented."

CNET's Stephanie Condon contributed to this report.