DHS front and center in Congress' cybersecurity debate--again

A proposed expansion of the Homeland Security Department's authority to protect networks and systems is central to one comprehensive Senate proposal but absent from another.

There’s a new push in Congress to plug agencies’ cybersecurity holes by boosting the Homeland Security Department, an organization that lawmakers have often criticized for its ineffective computer security programs.

Some powerful voices are now saying shortcomings in DHS’ cybersecurity program have been the result of a lack of resources and clear authority. Key lawmakers on committees with direct jurisdiction over the department want to significantly expand the department's authority and responsibilities for securing the country’s computer networks.

That idea took shape in June when Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine) and Thomas Carper (D-Del.) introduced a bill to consolidate many existing governmental authorities — and some new ones — in a National Center for Cybersecurity and Communications, which DHS would oversee.

The center would conduct risk-based assessments of systems, give agencies mandatory security controls to mitigate vulnerabilities, develop policies for federal information technology purchases, and take over the enforcement of information security at federal agencies from the Office of Management and Budget. The senators’ bill would also statutorily establish a White House cyber policy office and, if passed, could put an end to the debate over DHS’ cybersecurity role vis-à-vis the White House’s cybersecurity coordinator.

However, although the bill could settle one debate about DHS’ authority in cyberspace, it opens another because there is still some skepticism about DHS’ abilities.

The bill’s backers say DHS needs the additional authority to carry out its mission of protecting civilian government networks and critical infrastructure from cyberattacks. “Our bill more than addresses these shortcomings by creating [the center], which would have new, strong authorities to protect nondefense, public-sector and private-sector networks from cyberattack,” Lieberman said. “DHS already has this responsibility through presidential directive but, in our opinion, insufficient authority to carry it out.”

The notion that DHS needs more authority gained some steam earlier this month from Richard Skinner, the department’s inspector general, when he told the House Homeland Security Committee that the DHS team responsible for monitoring the .gov domain needed new authority to compel agencies to follow its recommendations. “Until they have that authority or until there are mechanisms in place to ensure that compliance is in fact taking place, we’re going to continue to experience problems,” he said.

Several prominent former officials have also come out in favor of more cybersecurity clout for DHS. Robert Jamison, a DHS undersecretary during the Bush administration whose directorate led DHS' cybersecurity efforts, told Lieberman's committee that the proposed bill provides needed clarification for roles, authorities and responsibilities.

Karen Evans, former administrator of e-government and IT at OMB and now a partner at KE+T Partners, said the bill clarifies DHS’ authority to meet its cybersecurity mission.

“If you are going to ask [DHS] to do things and if the idea is for them to really fulfill the vision of what everybody had in mind when that department was set forward, well, then, they need to have clear authorities to be able to do their job, and I think this bill cleans up a lot of things,” she said.

However, during a recent hearing before the Senate Homeland Security and Governmental Affairs Committee, John McCain (R-Ariz.) said he isn’t confident DHS is the right agency to work in partnership with the Defense Department. McCain is the ranking Republican on the Senate Armed Services Committee.

Lieberman said Senate Majority Leader Harry Reid (D-Nev.) is eager to pass a cybersecurity bill by January. However, McCain's view and those of senators who sit on other committees in which cybersecurity-related legislation has been introduced will have to be reconciled first.

Merging the Lieberman/Collins/Carper proposal with a separate comprehensive bill that cleared the Senate Commerce, Science and Transportation Committee earlier this year will be a tall order, although senators have indicated that they want to work together to do so. Although both bills focus on securing federal networks and critical infrastructure and partnering with industry, the commerce committee’s bill, proposed by Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), doesn’t focus on DHS.

After a year that has seen the appointment of a White House cyber coordinator, the establishment of a new DOD Cyber Command and the State Department's push for Internet freedom, DHS' role in cybersecurity is once again front and center in Congress' policy discussions.