Critics Blast Cybersecurity at Department of Homeland Security

When it comes to information security, does the U.S. Department of Homeland Security (DHS) have a blind spot?

As part of its mandate, DHS must implement the “National Strategy to Secure Cyberspace.” Yet recent investigations call into question whether DHS has made solid progress toward improving the nation’s information security infrastructure. Others question whether it can do so at all without laws compelling industry to participate.

On the “National Strategy” front, Congressional investigators recently released a report saying DHS lacks evidence of the solid policies, planning, or budgetary expectations it would need to improve the nation’s cybersecurity. Investigators also charge that DHS has not given the cybersecurity director’s role a sufficiently high profile, leading to a lack of leadership.

DHS’s Internal Information Security Criticized

Could DHS’s lack of cybersecurity progress relate to the in-house perception of information security? In October, the DHS Office of Inspector General (OIG) released details of an information security audit of DHS conducted between April and September 2004. One of the OIG’s findings is that at DHS, “the CIO is not a member of the department’s senior management team.” Many security experts regard the absence of a senior manager responsible for IT, and with it security, as a deficiency in its own right. The OIG also found that communication between the department CIO and the component CIOs and information security managers was lacking.

Overall, the OIG identified a number of problems, leading it to recommend that “DHS continue to consider its information systems security program a significant deficiency.”

The OIG didn’t, however, criticize every aspect of DHS’s in-house information security. “DHS has made significant progress over the last year in developing, managing, and implementing its information security program at the departmental level,” it said, noting that the shortcomings revealed by the audit should be addressed through projects planned for 2005.

Raising the Information Security Profile

To rectify DHS’s approach to information security, many have been publicly calling for DHS to give cybersecurity more clout, for starters. In the wake of DHS cybersecurity chief Amit Yoran’s departure in October 2004, after only a year on the job, five industry groups—the Business Software Alliance, the Cyber Security Industry Alliance (CSIA), the Financial Services Roundtable, the IT Association of America, and TechNet—fired off a letter to the House of Representatives arguing DHS was shortchanging cybersecurity: “Too often over the past 14 months the cyber security function has suffered from missteps, and an increasing inability to meet the growing challenges that have been identified by Congress, government entities, and the private sector.”

More recently, CSIA recommended DHS make the cybersecurity chief role more prominent—an assistant-director-level position—thus removing it from under physical security in the DHS hierarchy. The House Select Homeland Security Subcommittee on Cybersecurity also advanced such an idea, and the recommendation was translated into proposed legislation—part of the reform of intelligence agencies Congress tackled in late 2004—but then dropped. Legislators say they will reintroduce it for the next Congressional session.

Yet there’s no evidence such legislation would increase either the actual power, or discretionary spending capabilities, of the head of cybersecurity; the role might just get a new title.

Steps at DHS to Improve Information Sharing

DHS has, however, been taking steps to better coordinate information sharing with U.S. organizations, a crucial component of the “National Strategy to Secure Cyberspace.” For example, in October 2004, DHS lured Howard Schmidt, the former cybersecurity advisor to President Bush who’s now chief security officer at eBay, back to government cybersecurity work as chairman of the U.S. Computer Emergency Readiness Team (US-CERT). US-CERT was established in September 2003 as a public-private partnership with DHS, with a public-outreach component for fostering information sharing. Some security observers say the move will increase the focus on cybersecurity at DHS, given Schmidt’s high profile.

Schmidt, however, will have his work cut out for him. In December 2004, the House Select Homeland Security Subcommittee on Cybersecurity released a report criticizing the lack of cybersecurity progress at the DHS. The subcommittee, which interviewed DHS management, referred to DHS statements that US-CERT was assuming some of the industry coordination and outreach duties the “National Strategy” mandates, especially for securing such critical infrastructures as hazardous materials, emergency services, and transportation.

Yet based on the evidence to date, the subcommittee criticized those DHS statements, questioning how US-CERT had advanced the DHS mission. “Much of this work previously existed in the Carnegie Mellon CERT/CC,” it noted, and asked—perhaps rhetorically—whether US-CERT has the “ready access to classified information” it needs to be truly useful to the public or private sector.

In theory, access to timely classified threat information would induce private companies and public agencies to share their own information security observations, including evidence of new attacks and vulnerabilities, with DHS coordinating the capture and distribution of that information. According to the Congressional report, however, it’s unclear whether DHS is creating the structures or finding the needed carrots to make that a reality.

Beyond industry groups, some say more is needed than the “National Strategy,” which isn’t even law. For example, writing in his Crypto-Gram newsletter in 2002, security guru Bruce Schneier derided the government’s “asking nicely” approach to securing the nation’s infrastructure, saying “this sort of thing never works.” If the government wants to do this, he says, it needs to pass a law.

To date, DHS has made “regulate yourselves, or we’ll regulate you” warnings to critical-infrastructure industries, but there have been no Congressional moves on the latter front.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.