Global Insights: The DHS Cybersecurity Logjam

When the Department of Homeland Security (DHS) was established in March 2003, one of the new department’s primary goals was to enhance U.S. cybersecurity.

But after several years passed without major DHS initiatives in this area, observers concluded that the department was insufficiently prepared and resourced to address cyber emergencies. Indeed, prior to the 2008 presidential election, the influential think tank Center for Strategic and International Studies’ Commission on Cybersecurity recommended that the next occupant of the White House formally revoke DHS’ limited authority to coordinate cybersecurity, reasoning that the department, which has never had authority over the U.S. military, the intelligence community or law enforcement agencies, could not perform this coordination role effectively.

When the Obama administration assumed office, it followed many of the commission’s recommendations, but it ignored this one. With White House encouragement, DHS has made it a higher priority to address the security of U.S. civilian cyber networks and has earned greater support in Congress for remaining the lead civilian agency in this area.

For example, DHS made cybersecurity one of its five most important mission areas in the first-ever Quadrennial Homeland Security Review (QHSR), released in 2010, and its cybersecurity funding request is 74 percent higher than in the 2012 budget.

DHS currently has the lead role in securing federal civilian network systems, sometimes described as the “.gov” domain. Through its National Infrastructure Protection Plan, DHS works with private- and public-sector owners and operators of critical infrastructure and key resources to bolster their cybersecurity preparedness, risk mitigation and incident-response capabilities. The fundamental problem the department faces is that, at present, it has responsibility for protecting all nondefense public- and private-sector networks from cyberattack but lacks sufficient authority to accomplish this mission.

Within the civilian government space, the department has broad authority to set requirements for other agencies, but it does not have direct enforcement authority over those departments and agencies. For instance, the department’s U.S. Computer Emergency Readiness Team (US-CERT), which is charged with monitoring the security of civilian cyber networks, lacks the enforcement authority it needs to ensure that agencies comply with its recommendations and mitigation guidance.

Sometimes other agencies cannot meet DHS requirements for valid reasons, including limited resources. But sometimes the other agencies simply ignore DHS’ findings, since it is a relatively weak department that lacks the means, such as withholding funds, to punish them for noncompliance.

Similarly, DHS lacks authority and influence over the decisions of the private-sector operators that control some 90 percent of U.S. critical infrastructure. To close this gap, Sen. Joseph Lieberman last year proposed legislation that would dramatically expand the department’s authority with respect to privately owned U.S. critical infrastructure. In partnership with industry, DHS would determine which infrastructure networks were critical to U.S. national security and would formulate mutually acceptable security standards for them. If a particular network were found to lack adequate protection, DHS could take measures to improve it.

Sen. John McCain championed an alternative approach, offering legislation that would promote the voluntary sharing of information by private companies with the National Security Agency (NSA) and establish liability protections for the companies that participate, without expanding DHS’ authority to mandate security procedures.

However, a divided Congress proved unable to enact comprehensive cybersecurity legislation, leading congressional leaders to request that the Obama administration submit its own proposal. The White House proposed an approach that, though relying primarily on incentives, nonetheless includes both mandatory and voluntary compliance. Some proposed changes, such as updating the U.S. laws that govern cybersecurity activities, have gained widespread approval. The desire to have DHS lead federal civilian cybersecurity efforts is also widely supported. But opposition has arisen to mandatory sharing of information with federal authorities, as well as to some proposed federal actions that could perversely create disincentives for private-sector cyberdefense.

The comprehensive Obama approach would strengthen DHS’ authority to defend civilian government sites, including by deploying intrusion-detection software, conducting risk assessments and taking other preventive measures. The administration also wants to give DHS the same enhanced authorities the Department of Defense has to recruit and retain more and better IT employees.

McCain and other critics note that the Defense Department already has excellent cyberdefense capabilities, especially within the NSA and the new U.S. Cyber Command, and argue that it would be more effective to use these existing, proven capabilities than to have DHS try to replicate them for civilian networks. DHS defenders counter that it is more efficient for one department to oversee the protection of both physical and virtual critical infrastructure in the U.S. private sector.

Except for certain core critical infrastructure sectors, the administration’s proposal would rely primarily on market incentives to drive the private sector toward developing cybersecurity frameworks and voluntary plans to implement them. For the most part, government agencies would help only if requested. The expectation is that disclosure of cybersecurity performance would expose firms with weak practices to reputational, litigation and other risks, making it harder for them to attract investment, find business partners and win government procurement; they would also pay more for cyber insurance. Critics worry that making private-sector security posture more transparent to the market could also help potential attackers identify vulnerabilities.

The administration proposal would subject core U.S. critical infrastructure to more stringent regulation, requiring affected firms to adopt risk-mitigation standards and plans that would be assessed by a third-party commercial evaluator. A “high-level summary” of the plan and the assessment would be made public to ensure their adequacy. DHS could substitute its own risk-mitigation framework if the one produced through this process were deemed inadequate. The administration has proposed collaborative deliberations with private-sector actors to determine which networks fall into this category for each sector, but some analysts worry this will take too long.

The administration’s proposal would also facilitate federal cyber assistance to state and local governments as well as the private sector by clarifying the currently vague statutory authority in this area. The question of what help federal agencies should be able to render to state, local and private-sector actors has provoked much debate. Some critics doubt that DHS has the experience and resources to take on these expanded responsibilities, while others worry that businesses would free-ride on federal cybersecurity capabilities rather than pay to develop their own.

Critics’ main concern is their perception that the department has had a mixed record in countering terrorist threats and protecting U.S. critical infrastructure from physical disasters such as Hurricane Katrina, even though the U.S. has not suffered a massive Sept. 11-style terrorist attack since DHS was entrusted with securing the country against that threat.

Nevertheless, Congress needs to enact some legislation soon, as it is crucial for operators of private and public cyber infrastructure to share information about data-security breaches. It took the shock of the Sept. 11 attacks to increase information-sharing between intelligence and law enforcement agencies. It should not take a similar “cyber Pearl Harbor” to induce much greater data-sharing between public- and private-sector cyber defenders.