More money and staff a must for DHS to take lead role for cybersecurity
Homeland Security has only about a third of the resources needed to oversee the security of civilian networks; NSA could continue to be a dominate player.
The Homeland Security Department needs more money and employees to support a planned increase in responsibility for governmentwide cybersecurity, leading some security specialists to speculate that the National Security Agency will continue to play a large role in federal cyber operations.
DHS will gradually take on a bigger role in securing civilian computer networks against cyberattacks, the Washington Post reported on Tuesday. Homeland Security Secretary Janet Napolitano said the department "will become, in effect, the non-DoD locus for cybersecurity." Administration officials said DHS will receive increases in funding and personnel to support the increase in work, according to the article, which was removed from the Washingtonpost.com Web site on Wednesday.
Homeland Security is capable of leading the cybersecurity effort for civilian agencies only if it receives proper funding and staff, security professionals said. "DHS is probably the best place to secure the dot-gov networks, but it needs resources and people to do the job," said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. "Right now, they have about a third of what they need. If this is a serious effort, it has to be fully supported."
In President Obama's fiscal 2010 budget request released on May 7, DHS asked for $918 million to support the Office of Infrastructure Protection, which coordinates efforts with industry to protect the nation's critical industries, including transportation and energy systems and the Office of Cybersecurity and Communications.
DHS wants to use about $400 million of the $918 million to expand the national cybersecurity protection program, which represents an increase of $87.2 million, and an additional $37 million to address capability gaps identified in the largely classified Comprehensive National Cybersecurity Initiative created during the Bush administration.
"This will take a lot of manpower and a lot of horsepower," said Michael Jacobs, who served as information assurance director at the National Security Agency until his retirement in 2002. "DHS needs to be constitutionally strong -- not in the literal sense, but by having the internal fortitude to get this job done."
The White House should create a separate, national cyber agency to address all threats against federal computer systems and networks, including those in civilian agencies as well as the Defense and intelligence communities, he said.
But Jacobs acknowledged that such a strategy would be difficult to put into practice. "NSA won't relinquish what they own," he said. "The only solution is for DHS to build its own capability. This is better than doing nothing -- a lot better. If they can hire the right people and build the right capabilities, they will do this country a great service. If they can't do that, or if they get into a [power struggle] with other folks, we'll remain in our current situation."
NSA will likely maintain a large part of the control over cyber operations, even if DHS is charged with official oversight, said Alan Paller, director of research at the SANS Institute. "The jury is still out on how this will play out, not in terms of who gets the budget [for cybersecurity], but who actually controls much of it," he said.
Geography plays as much an influence as anything, Paller said, pointing to reports of a possible move of two DHS organizations, the National Protection and Programs Directorate and the National Cybersecurity Center, to an NSA facility in Fort Meade, Md., where the Pentagon is considering creating a new cyber command.
"That would bring DoD and non-DoD [cyber operations] under the same roof," Paller said. "There simply is no technical reason for them to be separate. As they get closer physically, they will naturally evolve toward allowing each group to do what it does best -- delegating the other tasks to the other group -- making them essentially one organization even if they seem to have different bosses and different reporting and oversight paths."
More details about cybersecurity responsibilities will be available after the White House releases results of its 60-day cybersecurity review, which the cybersecurity industry expects any day. One detail has been released: The Obama administration confirmed that the White House would oversee the coordination of securing networks governmentwide.