Cybersecurity experts disagreed Tuesday on whether the U.S. Department of Homeland Security should continue to lead the nation's cybersecurity efforts, with one critic saying the agency has largely failed to secure cyberspace.
DHS doesn't have the authority to coordinate cybersecurity efforts from other agencies, including the U.S. National Security Agency (NSA) and the U.S. Federal Bureau of Investigation, said James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), a Washington, D.C., think tank.
A CSIS commission of cybersecurity experts, in a report released in December, recommended that President Barack Obama strip DHS of its cybersecurity coordination authority and create a new cybersecurity office in the White House. Lewis repeated criticisms of DHS during a Tuesday hearing before the Senate Homeland Security and Governmental Affairs Committee, saying DHS should have a cybersecurity role but overall coordination is "beyond its competencies."
"Our networks are vulnerable, our opponents are inventive and energetic, and we are disorganized," Lewis said. "We need a comprehensive strategy and someone in charge of it."
U.S. cybersecurity efforts have been "hobbled by infighting" and DHS has no authority over U.S. military branches, intelligence agencies and law enforcement agencies working on cybersecurity, Lewis added. DHS does, however, have a role in protecting the nation's critical infrastructure and protecting the U.S. government's civilian networks, he said.
But Senator Susan Collins, a Maine Republican, and Stewart Baker, a former assistant secretary at DHS, disagreed with the CSIS recommendation. A cybersecurity czar in the White House would largely be shielded from congressional oversight and could lead to new "turf battles and confusing lines of authority," Collins said.
"On an issue as pressing and as complex as cybersecurity, congressional oversight is critical to making real progress," Collins added.
Collins and Baker both said Congress should give DHS enough resources and authority to do the job. While the cybersecurity efforts at DHS have not been perfect, the agency has made significant progress in the past year, Baker said.
A new cybersecurity office in the White House could take a couple of years to become fully functional, and there's no guarantee it would work better than DHS, he added. Creating a new organization would be a "recipe for treading water" for a couple of years, he said.
Instead of hoping a new organization would do better, "we would be much better off building [up] DHS in its capabilities," Baker added.
Members of the homeland security committee plan to introduce new cybersecurity legislation this week. The legislation would largely focus on revamping cybersecurity requirements for federal agencies, participants in the hearing said.
While other participants focused on which agency should lead cybersecurity efforts, Alan Paller, director of research at the SANS Institute, urged senators to demand more secure IT products from federal vendors. The U.S. government spends about US$70 billion a year on IT, and agencies can better use their procurement power to push for more secure products, he said.
Other parts of the U.S. government also can better rely on the cyber-offensive expertise of the NSA and other agencies to understand their vulnerabilities, Paller said.
The nation needs to do a better job of protecting cybersecurity, Paller said, because other nations are training sophisticated hackers to target the U.S.
"There's a gap between the attackers and our defenses," Paller said. "What is problematic is that the gap is increasing at an increasing rate."