Critics: Homeland Security unprepared for cyberthreats

Some Washingtonians are rethinking the idea that DHS can handle cybersecurity, saying it has proven to be inefficient, bureaucratic, and unable even to monitor federal networks well.

Stephanie Condon Staff writer, CBSNews.com
Stephanie Condon is a political reporter for CBSNews.com.
Stephanie Condon
5 min read

WASHINGTON--When politicians got together six years ago and decided to glue together a medley of federal agencies to create the U.S. Department of Homeland Security, one of the justifications was a better focus on cybersecurity.

"The department will gather and focus all our efforts to face the challenge of cyberterrorism," President Bush said when signing the 500-or-so-page bill into law in November 2002. "This department will be charged with encouraging research on new technologies that can detect these threats in time to prevent an attack."

That was then. Now, Homeland Security is weathering a deluge of criticism of its lackluster cybersecurity efforts on grounds that they have proven to be inefficient, bureaucratic, and not even able to do a decent job of monitoring federal computer networks.

This week, it even led to what would have been unthinkable a year or two ago--a suggestion that Homeland Security can no longer be trusted with its cybersecurity mission and it should be handed to another federal agency.

"While DHS has improved, oversight for cybersecurity must move elsewhere," James Lewis, a director and senior fellow at the hawkish Center for Strategic and International Studies, said Tuesday. "The conclusion we reached is only the White House has the authority and oversight for cybersecurity. This is now a serious national security problem and should be treated as such."

Lewis was testifying at a hearing of the House Homeland Security's subcommittee on emerging threats, cybersecurity, and science and technology. Lewis appeared on behalf of CSIS's Commission on Cybersecurity for the 44th Presidency, a group made up of 40 cybersecurity and government experts. They're expected to release a final report in November with recommendations for the next administration.

Adding to the public criticism of Homeland Security were two new reports published by the Government Accountability Office (No. 1 and No. 2) detailing the department's shortcomings.

Since 2005, the GAO has been reporting on DHS' cybersecurity efforts and has made 30 recommendations to the department, yet the department "still has not fully satisfied any of them," said David Powner, the GAO's director of information management issues.

The GAO's new reports include descriptions of the department's failure to fully address 15 key cyberanalysis and warning attributes related to activities such as monitoring government networks for unusual activity. For instance, warnings sent to federal offices regarding threats were neither consistently actionable nor timely, the GAO reported.

"We're not prepared" to handle cyberthreats, Powner said.

Lewis pleaded with politicians to remain focused on the topic. "Congress has to be involved with this," Lewis said, "to support building the infrastructure that will keep us secure."

Subcommittee Chairman Rep. James Langevin, D-R.I., announced at the hearing the creation of a House Cybersecurity Caucus, a forum for House members from various committees to discuss cybersecurity. The new caucus will begin work in January 2009.

Naming names
The GAO reports were released just one day after DHS Deputy Secretary Paul Schneider and a group of other federal officials who work on cybersecurity sought to address the many unanswered questions about the governemnt's secretive National Cyber Security Initiative.

Schneider made it clear at a forum on Monday that Robert Jamison, the DHS undersecretary for national protection and programs, is leading the department's cybersecurity efforts. However, witnesses and congressmen at Tuesday's hearing said there was a lack of leadership in the DHS.

"There really is no one in charge right now at DHS, and that's why they have struggled," said Paul Kurtz, a partner and COO for Good Harbor Consulting, who testified Tuesday. "You have several people with their hands on the steering wheel."

Rep. Bill Pascrell of New Jersey, D-N.J., said it was time to "name names" of who was responsible for the department's problems.

"Robert Jamison, the undersecretary, gave himself a solid C in cybersecurity the last time he came before the full committee," Pascrell said. "When was getting a C a good mark?"

Pascrell complained that the administration has been too secretive about the National Cyber Security Initiative.

"The Senate tried for months to get the information public, and the White House refused," he said.

Pascrell pointed out that Marie O'Neill Sciarrone, a special assistant to the president, spoke at Monday's forum regarding federal cybersecurity efforts--but the event, hosted by the Information Technology Association of America, cost $50 for government employees to attend.

The witnesses at the hearing concurred the DHS has been too secretive.

"There's no reason to classify (the cyber initiative)," Lewis said.

However, he also said the initiative has produced some useful results.

"We've made a little progress," he said.

While it may be the norm for a new administration to completely revamp such a program, "we can't afford" to have that progress set back, Lewis said. "It'd be a lot easier to avoid that fumble if it wasn't top secret."

A new administration, a new start
Lewis said that a cybersecurity strategy "should be one of the first documents the new administration issues."

People representing both the Obama and McCain campaigns are on the CSIS commission, Lewis said, and both campaigns have recognized the need for greater cybersecurity.

"We've asked to brief them on our recommendations, and we believe in the next month or so we'll have that opportunity," he said.

The federal government is already working to establish working relationships with the private sector to improve cybersecurity, but the next administration will have to consider whether to consider all sectors of equal importance, Powner said. The three most critical sectors to work with, Lewis said, are the finance, electricity, and telecom industries.

"Existing partnerships are not meeting the needs of public or private sector," Lewis said. "The first need is to rebuild trust."

Harry Raduege, chairman of the Deloitte Center for Network Innovation, said another reason to make cybersecurity a priority for the White House is to better coordinate international efforts.

Officials from other countries often ask, "'Who should we come to talk to in the United States about your overarching strategy?'" Raduege said. "There was never one place I could recommend they go, no one individual with an entire national strategy perspective."

CNET's Declan McCullagh contributed to this report