The Homeland Security Department has come a long way in the last decade in how it manages, assists, oversees and responds to the cybersecurity incidents that the public and private sectors face daily. Now a group of experts is recommending that President-elect Donald Trump go even further.
Rep. Michael McCaul (R-Texas), chairman of the Homeland Security Committee, Sen. Sheldon Whitehouse (D-R.I.), the ranking member of the Judiciary Subcommittee on Crime and Terrorism, and other former federal government and current industry technology experts say the time has come for DHS to have a separate component focused solely on cybersecurity issues.
“Right now, I would argue, it is a focus, but it’s not the priority and the main focus within the department. If the department is going to have the mission and now has the authorities from Congress when we passed the Cybersecurity Act to strengthen and defend the nation’s critical infrastructure, then I think it needs to have the power in one agency with a priority. I would argue that today it’s not the priority. It’s not being implemented as well as it could be, and the information sharing, while I remain optimistic, has not gone as well as it could. By consolidating it into one cybersecurity agency, we can make that happen.”
In the report, the Commission on Cybersecurity for the 45th President describes the new organization’s mission:
“The Department of Homeland Security’s National Cybersecurity Agency will lead the national cyber defense to protect critical infrastructure and federal agencies, to mitigate the effect of cyber attacks, and to ensure public awareness of serious cyber threats.”
Jim Lewis, senior vice president and program director at the Center for Strategic and International Studies (CSIS) and the commission's project director, said the group debated the best approach to creating this new focus on cybersecurity, and in the end, DHS made the most sense.
“The theory was if you are going to make DHS the lead agency, give them the resources, give them the tools and focus the mission to make them an independent agency,” Lewis said in an interview with Federal News Radio. “Right now, they are still an office in the Secretary’s office. Maybe that was a good idea in 2003, but now it’s time to move on.”
McCaul said he will reintroduce legislation, the DHS Reform and Improvement Act, in the coming weeks to begin the reorganization process.
“This will be my highest cybersecurity priority in the next year,” he said. “I have entered into memorandums of understanding (MOUs) with all the relevant chairmen of jurisdiction, including ones that have cyber authorities, to reorganize the department. I think that is one of the strongest statements we can send to consolidate a cybersecurity agency within the department. It is desperately needed and a show of strength at a time when it’s most needed. I’m very optimistic that we will see that legislation.”
DHS leaders also have been pushing for a restructuring of the National Protection and Programs Directorate (NPPD) over the last two years. DHS told McCaul’s committee in October 2015 that the goal of the NPPD reorganization is to develop more unity between the organization’s cyber and physical infrastructure teams, enhance operational activity and improve acquisition program management.
In addition to reorganizing DHS, the commission also is recommending that the Trump administration take another look at the White House’s structure around cybersecurity.
“The next president should also strengthen the apparatus within the White House for managing cybersecurity policy and operations. To this end, the special assistant to the president should be elevated to an assistant to the president; the Office of Management and Budget (OMB) should reinforce DHS efforts for federal agency cybersecurity; and the Cyber Threat Intelligence Integration Center (CTIIC) should be tasked to support the White House on strategic operational planning for cybersecurity,” the report stated. “The CTIIC should be developed to take on the same set of roles for cyber that the National Counterterrorism Center (NCTC) plays for counterterrorism and support the White House on strategic operational planning. Beyond its responsibilities for enabling intelligence sharing, the CTIIC should be responsible for developing and maintaining, under the direction of the National Security Council, plans for countering cyber threats, including developing red team scenarios and plans to address their findings.”
The move to strengthen DHS isn’t new. The Obama administration gave DHS additional authorities to oversee federal networks in 2014, and in 2010 it put DHS in charge of civilian agency networks, particularly for compliance with the Federal Information Security Management Act (FISMA).
President Barack Obama also signed Presidential Policy Directive 41 in July 2016, giving DHS additional roles in responding to and dealing with cyber attacks.
And this move to reorganize DHS builds on all of those efforts and then some. For example, the commission says the new cybersecurity agency’s mission should include working with the National Security Council, OMB and the General Services Administration (GSA) to master its role of defending civilian agency networks, extending its success with the Continuous Diagnostics and Mitigation (CDM) program.
The commission also wants DHS to mitigate major attacks on critical infrastructure and become more of a hub for information sharing with the private sector.
The reorganization of DHS is one of some 250 recommendations outlined in the report led by CSIS. The think tank sponsored a similar report in 2008 for then President-elect Obama.
The other recommendations in the 2017 report focus on everything from building a cybersecurity workforce to taking a more assertive approach to cyber crime to reviving the international cyber strategy.
Lewis said this second set of recommendations is much more focused and takes into account all the changes to the technology environment over the last eight years.
He said in 2008 cybersecurity was a niche issue, dominated by law enforcement and intelligence agencies. Now, with the Office of Personnel Management data breach and a host of other high profile attacks, there is a much broader recognition of what can and needs to be done.
“We did two things that were different. We wanted to focus on specific improvements from where we are now. There has been some progress. We also wanted to have an East Coast and West Coast point of view,” Lewis said. “This administration has done some amazing work, particularly in the last three years and particularly with [White House cybersecurity coordinator] Michael Daniel, who really changed the landscape, built the interagency process. We are in such a different place than we were in 2007. Everyone is happy where we are, but we also all say where we are is not where we need to be so a lot of work still needs to be done.”
One of those areas that still needs work is to strengthen agency networks against cyber attacks.
Whitehouse said an important recommendation is to create an independent inspector general unit or agency to test agency networks.
He said this new IG unit, combined with a new office in the Government Accountability Office that would focus only on cybersecurity, would attract the necessary expertise that many audit organizations can’t bring in currently, and would move agencies away from merely ensuring basic compliance with cyber laws and policies. He said not every one of the 73 agency IGs today can be expected to have the expertise needed to improve federal cybersecurity to the level required.
“[The new IG unit] could reside within OMB. It could reside within GAO. It could be a new, independent IG. There are a variety of ways that you could house this authority,” Whitehouse said. “The important point for me is that across a wide array of civilian agencies to have someone who is empowered to go in and stress test their security rather than check off a minimum security checklist will raise the bar across all of those agencies. If people know they are vulnerable to a white hat penetration test on how well they’ve done by an agency that could hold them accountable for their failure to adequately provide for institutional cybersecurity, that will get people’s attention in a new way. I think even federal civilian agencies that are not subject to that will say, ‘whoa, that is a bit of a game changer and we need to up our performance here.’”
Whitehouse added that if these auditors could help agencies better understand their vulnerabilities, that would be the first step toward better defenses.
Lewis said the new administration and Congress should view the working group as a resource that they call on for briefings or testimony to help further the recommendations.