The Department of Homeland Security, the lead federal agency charged with protecting U.S. computer networks, has fundamentally failed in its mission and should be relieved of its cyber-security responsibilities, a blue ribbon panel told Congress Sept. 16.
James A. Lewis of the Commission on Cyber Security for the 44th Presidency and director and senior fellow at CSIS (Center for Strategic and International Studies) told lawmakers that responsibility for cyber-security should be shifted back to the White House. Before Congress created DHS in 2003 by merging 22 federal agencies, responsibility for cyber-security rested with the White House.
"Oversight of cyber-security must move elsewhere. The conclusion we've reached is that only the White House has the authority to be effective," Lewis told the House Committee on Homeland Security's Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology. "It did not take long for our group to conclude that our national efforts in cyberspace are disorganized."
The CSIS Commission was formed a year ago to formulate security policy and operations recommendations for the next president. The panel is a nonpartisan commission composed of approximately 30 cyber-security experts, including members of the Committee on Homeland Security and security experts from Microsoft, IBM, Oracle, Verizon and Cisco Systems. Lewis said DHS' poor performance on cyber-security could be attributed to a lack of strategic focus, overlapping missions, and poor coordination and collaboration.
"Given DHS' weaknesses, we considered a number of alternatives," Lewis said. "The intelligence community has the necessary capabilities but giving it a lead role poses serious constitutional problems. DOD [Department of Defense] is well suited to handle a national mission, but giving it the lead suggests a militarization of cyber-space. We concluded that only the White House has the necessary authority and oversight for cyber-security."
DHS, which was not invited to testify at the hearing, took immediate exception to the idea.
"Rearranging the deck chairs is a classic inside-the-beltway pastime, but all that it ensures are more headlines for political posturing and a guarantee that in two years government's cyber-efforts will be in the same place," Laura Keehner, a DHS spokesperson, said in a statement. "Rather than playing shell games, we're getting meaningful work done. To be fair, we are undertaking something not unlike the Manhattan Project. We have set a strong cyber-strategy, recently created the National Cyber Security Center and are in the process of aggressively hiring several hundred analysts to further our mission of securing critical infrastructure."
Rep. Bill Pascrell, D-N.J., called the Bush administration's cyber-security efforts since 2003 a "disaster," particularly after former White House cyber-security advisor Richard Clarke was given the boot.
"Let's name names and talk about accountability," Pascrell said. "I think we've been so concerned about political correctness that we haven't corrected the vulnerabilities."
Paul Kurtz, chief operating officer at Good Harbor Consulting, a member of the Commission on Cyber Security and former cyber-security advisor to President Bush, said DHS leadership has hamstrung security efforts.
"There really is no one in charge right now at DHS," Kurtz said. "We have people who are supposedly working side by side but are not working side by side. We need to establish a better means of collaboration. It's as though you have several people with their hands on the steering wheel and there is really no common direction."
The commission is expected to make its final cyber-security recommendations for the next president in November.