Cyber leadership takes shape at Homeland Security

The Obama administration's recent cybersecurity review resulted in few changes in agency roles and responsibilities for protecting federal computer networks and systems, but officials and outside experts say they will bring a more coordinated approach to oversight.

In a speech at the Global Cybersecurity Conference Tuesday in Washington, Homeland Security Secretary Janet Napolitano said cybersecurity oversight under the Bush administration was disorganized.

"When I came into the department, I think it's fair to say we were not organized sufficiently where cybersecurity is concerned," Napolitano said. "Just as these efforts were kind of spread throughout the federal government, they were kind of spread throughout the Department of Homeland Security."

The 60-day White House review of cybersecurity policies clarified federal responsibilities, she said, charging the Defense Department with protection of the .mil domain, and the Homeland Security Department with protection of the .gov domain. DHS also was given responsibility for coordinating with the private sector for protection of the .org and .com domains, she said.

Security experts said the clarification does not reflect any major change in oversight, since Defense and Homeland Security maintained similar responsibilities under the Bush administration, but they pointed to more centralized management of cybersecurity efforts within DHS as significant. In June, Napolitano moved all cyber responsibility under Deputy Undersecretary for National Protection and Programs Directorate Phil Reitinger, including the National Cybersecurity Center, which previously maintained its own director that reported separately to the DHS secretary.

"NCSC didn't get traction in the previous organization structure, because of split allegiances," said Gregory Garcia, who served as assistant secretary of cybersecurity and telecommunications at Homeland Security during the Bush administration and now runs his own information security consulting firm, Garcia Strategies. "Having two different cyber organizations reporting to the secretary was really inefficient."

More centralized authority will help Homeland Security drive initiatives forward both within the department and across the federal government, said one former intelligence official who asked to not be named.

"DHS faced less [of] an organizational problem [than] a directional problem," he said. "It was never clear that DHS understood what their mission was, and they never seemed to have the wherewithal to execute. If these changes structurally can help create and improve the leadership, that's a good thing," though he added the administration's failure to appoint a White House cybersecurity coordinator has created a wait-and-see attitude among some observers.

Alan Paller, director of research at the SANS Institute, applauded the choice of Reitinger as the DHS cybersecurity chief.

"The real significance is Phil himself. The prior administration never had real strength in cyber at the top," he said.