The U.S. Department of Homeland Security has been ineffective in coordinating government cybersecurity efforts and should be stripped of its authority in the area, members of a private cybersecurity task force told members of the U.S. Congress.
The authority for coordinating government cybersecurity efforts and enforcing mandates should be moved to the White House, members of the Center for Strategic and International Studies' (CSIS) cybersecurity commission told lawmakers Tuesday. DHS doesn't have the authority to force other government agencies to strengthen their cybersecurity efforts, said James Lewis, director of the Technology and Public Policy Program.
"We are under attack, and we are taking damage," Lewis told the House of Representatives' Homeland Security Subcommittee on Emerging Threats, Cyber Security and Science and Technology. "The U.S is disorganized and lacks a coherent national [cybersecurity] strategy."
President George Bush's National Cybersecurity Initiative, announced in January, contains many good ideas, but more work is needed, Lewis said. Officials with DHS, the White House and other executive agencies offered details about the initiative during a private event Monday, with major focuses on improving the government's network defense capabilities and on revamping acquisition rules to protect against malicious code installed in electronic devices during the manufacturing process.
In June, DHS hosted a meeting to discuss ways the government could work with the private sector on cybersecurity, but several DHS officials argued about ways to accomplish that in front of their private-sector guests, said Paul Kurtz, partner and chief operating officer at Good Harbor Consulting and a former White House cybersecurity aide.
"What was so discouraging about that day ... we had infighting between the DHS senior leadership as to how to proceed," Kurtz said. "It demonstrated in spades the lack of leadership and the fact that no one was in charge [of cybersecurity] at DHS."
Part of the problem is that there are four officials at DHS claiming responsibly for cybersecurity, said Representative Bill Pascrell Jr., a New Jersey Democrat,
While most lawmakers avoided assigning blame for the government's cybersecurity efforts, Pascrell pointed the finger at the Bush administration. "There is no national strategy," he said."We are still at risk in this area. This administration has been a disaster when it comes to cybersecurity."
While talking to people in the private sector about sharing information with government, the CSIS commission heard several times that there's a lack of trust in DHS, Lewis added.
A DHS spokesman wasn't immediately available to comment on the CSIS recommendations. Lewis and the other members of the CSIS commission defended the Bush administration, however, saying the administration has recently focused more on cybersecurity. Bush's cybersecurity initiative contains several good ideas, he said.
"They do have a lot of work to do, I couldn't agree more, but there are folks who are trying," Lewis said.
David Powner, director of information management issues at the U.S. Government Accountability Office, echoed many of the concerns expressed by members of the CSIS commission. DHS has several organizational problems, and it's been slow to address issues identified by cyber attack exercises, he said.
Results of a March exercise called Cyber Storm haven't yet been documented, even as DHS plans for the next exercise, Powner said. "The nation's focal point for cybersecurity cannot and should not be viewed as a slow-moving bureaucracy," he said.
Asked about the government's cybersecurity readiness, Powner suggested there are major holes. "We're not prepared for major, significant events" such as a long-term Internet outage, he said.
CSIS, a nonpartisan Washington, D.C., think tank, launched the cybersecurity commission in October in an effort to make recommendations to the next U.S. president. More than 30 cybersecurity experts serve on the commission, and the recommendations Lewis and others made Tuesday are preliminary. The group expects to finish its work by the end of the year.