News

Group: DHS Should Lose Cybersecurity Authority

A private group recommends that responsibility for government cybersecurity be taken away from the U.S. DHS

By Grant Gross, IDG News Service (Washington Bureau)

September 17, 2008 — CSO —

The U.S. Department of Homeland Security has been ineffective in coordinating government cybersecurity efforts and should be stripped of its authority in the area, members of a private cybersecurity task force told members of the U.S. Congress.

The authority for coordinating government cybersecurity efforts and enforcing mandates should be moved to the White House, members of the Center for Strategic and International Studies' (CSIS) cybersecurity commission told lawmakers Tuesday. DHS doesn't have the authority to force other government agencies to strengthen their cybersecurity efforts, said James Lewis, director of the Technology and Public Policy Program.

"We are under attack, and we are taking damage," Lewis told the House of Representatives' Homeland Security Subcommittee on Emerging Threats, Cyber Security and Science and Technology. "The U.S is disorganized and lacks a coherent national [cybersecurity] strategy."

President George Bush's National Cybersecurity Initiative, announced in January, contains many good ideas, but more work is needed, Lewis said. Officials with DHS, the White House and other executive agencies offered details about the initiative during a private event Monday, with major focuses on improving the government's network defense capabilities and on revamping acquisition rules to protect against malicious code installed in electronic devices during the manufacturing process.

In June, DHS hosted a meeting to discuss ways the government could work with the private sector on cybersecurity, but several DHS officials argued about ways to accomplish that in front of their private-sector guests, said Paul Kurtz, partner and chief operating officer at Good Harbor Consulting and a former White House cybersecurity aide.

"What was so discouraging about that day ... we had infighting between the DHS senior leadership as to how to proceed," Kurtz said. "It demonstrated in spades the lack of leadership and the fact that no one was in charge [of cybersecurity] at DHS."

Part of the problem is that there are four officials at DHS claiming responsibly for cybersecurity, said Representative Bill Pascrell Jr., a New Jersey Democrat.

While most lawmakers avoided assigning blame for the government's cybersecurity efforts, Pascrell pointed the finger at the Bush administration. "There is no national strategy," he said."We are still at risk in this area. This administration has been a disaster when it comes to cybersecurity."

While talking to people in the private sector about sharing information with government, the CSIS commission heard several times that there's a lack of trust in DHS, Lewis added.

A DHS spokesman wasn't immediately available to comment on the CSIS recommendations. Lewis and the other members of the CSIS commission defended the Bush administration, however, saying the administration has recently focused more on cybersecurity. Bush's cybersecurity initiative contains several good ideas, he said.