Cybersecurity Concerns Lead to House Support for Senate Lieberman-Collins-Carper Cybersecurity Bill
The U.S. House of Representatives’ Committee on Homeland Security (“HSC”) held a Wednesday morning hearing on “Cybersecurity: DHS’s Role, Federal Efforts and National Policy.” Archived video of the hearing is available here (Windows Media). A single panel appeared before HSC:
(1) Greg Schaffer, Assistant Secretary, Cybersecurity and Communications, Department of Homeland Security (“DHS”)
(2) Richard Skinner, Inspector General, DHS
(3) Gregory Wilshusen, Director, Information Technology, Government Accountability Office (“GAO”)
(4) Stewart Baker, Partner, Steptoe & Johnson, LLP
The hearing showed bi-partisan support for the recently introduced Senate cybersecurity bill. On June 10, 2010, Sens. Joseph Lieberman (ID-CT), Susan Collins (R-ME), and Thomas Carper (D-DE) introduced the Protecting Cyberspace as a National Asset Act of 2010 (S.3480). Reps. Jane Harman (D-CA), chair of HSC’s Intelligence, Information Sharing and Terrorism Risk Assessment Subcommittee, and Peter King (R-NY), HSC’s Ranking Member, both indicated support for the Senate bill and said they planned to introduce a similar bill in the House. Rep. Charles Dent (R-PA) also expressed support.
Chairman Bennie G. Thompson (D-MS) discussed current Department of Homeland Security (“DHS”) cybersecurity deficiencies and urged DHS to work with state, local and tribal governments, as well as the private sector, to ensure protection of national cyber infrastructure. Schaffer noted that improving cybersecurity is one of DHS’s top five mission goals. Skinner sees DHS, and particularly the U.S. Computer Emergency Readiness Team (“US-CERT”), as having come a long way since 9/11, but feels a lot more needs to be done, especially concerning five issues: (1) the program is still under the same leadership; (2) money was not in place to start building infrastructure until 2010; (3) DHS lacks any mechanism to enforce recommendations; (4) DHS must remember that it’s not in this alone and can partner with the private sector and other federal agencies; (5) DHS should improve outreach efforts, such as education and training. Wilshusen noted that some GAO recommendations were being implemented, but DHS still must do more. Similarly, Baker acknowledged that DHS is acting, but said it is not acting quickly enough and needs more authority to adequately protect the nation’s cyber infrastructure.
Throughout its questioning of the panelists, the HSC raised several concerns with the security in place for the nation’s cyber infrastructure. The panelists could not be sure of how many times federal systems were attacked on a daily basis, nor what percentage of such attacks were being deterred, but Schaffer noted that Einstein II showed 278,000 malicious acts (not all of which were necessarily successful) at the perimeter of federal networks. In response to Rep. Smith’s asking the panelists to compare the private and federal sectors’ abilities to deter malicious activity, Baker thought the private sector has a stronger system in place, as the federal sector was just starting to implement programs that detect, but not reject, malicious activity. Further, the uncertainty the panelists noted as to who or what agency would take charge in the case of a cyber attack also troubled HSC members. Wilshusen also expressed doubt when Rep. Dan Lungren (R-CA) asked whether DHS was doing the best it could with the personnel, funding and authority it has right now. Instead, he feels protective mechanisms do exist, but often remain unimplemented and employees remain untrained in how to use them. Wilshusen also guesstimated that DHS had implemented only approximately 30-40 percent of the GAO’s recommendations contained in its March 10, 2009 “National Cybersecurity Strategy” report.
US-CERT staffing served as another recurring concern throughout the hearing. Schaffer noted the difficulties inherent in trying to find people to fill open spots. The positions US-CERT is trying to fill require highly qualified, and thus highly competitive, hires. Rep. Zoe Lofgren (D-CA) emphasized the importance of getting appropriately qualified people to fill DHS staffing requirements and supported the use of contractors to have access to more competitive hires who may not even consider applying for a lower paying federal job.
Privacy and civil liberties remained muted issues until Rep. Jane Harman (D-CA) raised them during her comments and questions. Rep. Harman emphasized that, while we must protect our cyber infrastructure, we must not overprotect it at the cost of losing privacy and civil liberties. When asked where privacy and civil liberties fit into the equation, Schaffer noted that consideration of civil liberties is critical in forming programs at DHS. Skinner confirmed that DHS takes into account civil rights and civil liberties when implementing programs. Baker acknowledged that mechanisms to deal with privacy should be in place, but such mechanisms should act quickly so as to not hang up important implementations of the protective measures.
A final recurring theme of the hearing was DHS authority. The panelists expressed concern over DHS’s lack of authority to compel other agencies to follow its recommendations. Schaffer explained that, when DHS sees an attack, it provides information about the attack to the affected agency, provides ways to stop the attack, and works with the agency to understand and implement any processes to address the attack. However, if the agency does not want to implement the recommended measures, DHS cannot force it to. As Baker later went on to explain, it is difficult to tell an agency it must implement computer protection software, as doing so will cost money. The Chairman closed the hearing by asking all four panelists whether DHS needs more authority. Schaffer explained that he could not comment, but the remaining three panelists all answered affirmatively.