DHS and Cybersecurity: Yes, No, Maybe So?
The Department of Homeland Security (DHS) has had a stained reputation almost from the start, and especially since its dismal performance in the wake of Hurricane Katrina. With a new administration coming in January, a lot of smart people are scrutinizing the agency and trying to carve out the way forward.
Among the nagging questions is whether or not DHS should continue to oversee the government's cybersecurity efforts. I'm having trouble forming an opinion.
There's no question DHS is a troubled agency and it's doing not nearly enough to prepare for a potential Cyber 9-11. But I'm skeptical of the idea that Washington will do better by simply moving the responsibility to another part of the government.
Last week, a group of outside experts recommended cybersecurity be moved from DHS -- which "isn't equipped to protect the federal government against cyberattacks" -- to an office within the Obama White House. Many members of the Commission on Cyber Security for the 44th Presidency "felt that leaving any cyber function at DHS would doom that function to failure," according to its recently-released 96-page report.
The commission also wants new government regulations to protect computer networks in the U.S. Such regulations would call for readjusting government efforts to defend its own infrastructure, but regulations for private industry are also needed, the report said.
It would be easy to agree straight away that cybersecurity could be better handled from within the White House. But it's not necessarily fair to take it out of DHS's hands right now.
For starters, DHS is still a young agency. Clearly too many smaller agencies were crammed into its belly and there's no trace of efficiency in Michael Chertoff's sprawling house. That doesn't mean the problem can't be fixed or at least improved by a change in leadership. [Note: President-Elect Obama has nominated Arizona Gov. Janet Napolitano to succeed Chertoff.]
It's also far from certain the government could do a better job by running cybersecurity efforts from the White House.
Here's a former colleague and one of my trusted security sources arguing for DHS getting another chance:
The former colleague, via Facebook: "If there are failures or weaknesses there, they should be addressed just like a faulty radar system or poorly designed sub. Ineptitude by any governmental body entrusted with protecting key infrastructure shouldn't be grounds for moving the responsibility to a private agency. Reform the agency, inject resources and leadership."
My security source, via Twitter, pointed out that despite DHS' shortcomings, the agency's cybersecurity people are doing some "super cool" stuff. She wasn't at liberty to explain what those cool things are.
Here's a current colleague on Facebook arguing for cybersecurity's move from DHS to someone else's turf: "DHS has not really knocked it out of the park when it comes to cybersecurity. The problem, IMHO, is that the political appointments at DHS go far too low in the organization, and cybersecurity was spread too thin. I like CSIS' guidance that it be moved to the Executive Branch and attached to the NSC. Frankly, after six years, it's just time to try something new."
I suggest something in the middle: Let DHS continue to handle cybersecurity but also create a stronger oversight entity from within the Executive Branch, similar to the creation of a director of national intelligence separate from CIA. True, the latter entity's record isn't great so far, but it's another example of changing the leadership rather than the responsibilities.
One could also argue that having two such layers in the government would be a lot like practicing defense-in-depth. Not a sure thing, but possible.
That's how I see it. It's time for the readers to weigh in.
About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD - overhyped security threats that ultimately have little impact on a CSO's daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry's most egregious FUD, send an e-mail to email@example.com.