From inception, there has been vigorous debate about DHS’s cyber security mission. A multi-year debate followed the assignment of this role to DHS, questioning the wisdom of trying to grow a new capability in DHS rather than handing this task to the well-resourced and better-skilled NSA.
In DHS’s early years, there was criticism that there was not enough emphasis on cyber issues. Over time, new senior level cyber security leadership and additional funding and positions have been established.
Frequent turnover among cyber security leadership as well as difficulty in recruiting skilled cyber security experts have been a continual challenge.
In recent years, a focus of criticism has been on whether DHS had sufficient skilled experts and whether sufficient overall leadership was being provided by DHS to improve security in both the government and the private sector.
In discussions with current and former government executives, I found no one who believes that DHS is doing a very good job in cyber security, much less an outstanding one. Offsetting these opinions, however, is my appreciation of the enormous difficulty of DHS’s role. Much of this appreciation is influenced by my many years in government roles and having been a technical expert in cyber security earlier in my career.
Cyber Security Is Hard
As useful context in this regard, I note that until a few years ago, there was little sharing of cyber threat information. Most public and private sector organizations were blissfully ignorant of what was happening within their infrastructures and systems. Convincing someone to change is hard especially if they don’t see the need.
I found that individuals and organizations have a disproportionate personal attachment for their IT systems
Moreover, as a CIO, I found that individuals and organizations have a disproportionate personal attachment for their IT systems. This causes them to vigorously resist pressure from the outside to make them more efficient or more effective, or, in this context, more secure. Also, some individuals believe that increased security reduces privacy and seek to block deployment of additional security capabilities.
Finally, the complexities of cyber security require a sound systems engineering foundation to devise technical solutions. Let’s face it, cyber security is truly hard!
DHS Cyber Security Mission: Bright Spots and Examination
Despite the pessimism voiced by many, there are clearly bright spots for DHS’s cyber efforts. The US CERT is a world class organization that with little fanfare goes about its job on a day-to-day role of alerting organizations to potential or actual cyber-attacks. The Immigration and Customs Enforcement organization continues to be effective in their support to fight cyber-crime. The National Cybersecurity and Communications Integration Center (NCCIC) is also beginning to show real progress in effective sharing real time cyber threat information across critical infrastructure sectors.
Despite the pessimism voiced by many, there are clearly bright spots for DHS’s cyber efforts.
Beyond the obvious bright spots, progress in other areas can be observed by retrospective examination.
- DHS’s progress in improving government network security through standardization and consolidation of access points and deployment of Einstein and has been significant. However, it has taken a long time to achieve this improvement.
- DHS’s oversight of compliance with FISMA has achieved improved measurement, but agencies spent too much energy measuring document artifacts that have little correlation to true security.
- The new continuous diagnostics and monitoring (CDM) initiative is clearly headed in the right direction. CMD is very promising although challenges lie ahead for DHS in how to orchestrate this program and to rapidly deploy these capabilities.
I recently had the opportunity to participate in the DHS Task Force on Cyber Skills. I was tremendously impressed by the very strong commitment of Secretary Napolitano and Deputy Secretary Lute to improving cyber skills and their active participation in the Task Force efforts. DHS aggressively embraced implementation of the Task Force’s recommendations. Nevertheless, progress in hiring highly skilled technical individuals has clearly been slower than the Task Force members or even the DHS leaders would like.
To DHS: Be Aggressive and Innovative
There is no doubt that DHS has come a long way from the early 2000’s in being able to fulfill their cyber security mission. There are clear examples of success and other areas are showing significant improvement. I continue to be supportive of DHS’s cyber security role and applaud their progress.
I exhort DHS’s cyber security leadership to be aggressive and innovative. As a nation we are in desperate need of strong and visible leadership in cyber security. DHS is clearly our best option. Edward Snowden has effectively closed the door on other options for the foreseeable future.