The U.S. Department of Homeland Security (DHS) has failed to take several basic steps to protect the nation’s cyber infrastructure, including a year-plus delay in naming an assistant secretary for cybersecurity, lawmakers and other critics said Wednesday.
Lawmakers and representatives of cybersecurity trade groups questioned why the DHS has failed to fill the high-level cybersecurity position after DHS Secretary Michael Chertoff announced in July 2005 that he planned to create it.
The delay in hiring an assistant secretary shows a “lack of cybersecurity leadership” at the DHS, said Representative John Dingell, a Michigan Democrat, during a congressional hearing.
But DHS is working hard to hire an assistant secretary for cybersecurity, and the agency has continued to make significant progress in improving cybersecurity in the past year, George Foresman, the DHS under secretary for preparedness, told the House of Representatives Subcommittee on Telecommunications and the Internet.
Foresman said he spends about a quarter of his time working on cybersecurity issues, while Andy Purdy, acting director of the DHS National Cyber Security Division, spends about three quarters of his time on them.
Some potential candidates for the job have withdrawn their applications because of private work commitments, Foresman said. Still, the agency may be close to naming an assistant secretary, he said.
“Had we been inactive the whole time, I think there’d be grave concern,” Foresman said. “But I think we’ve been in overdrive.”
Some lawmakers and witnesses seemed to disagree. Representative Anna Eshoo, a California Democrat, said the lack of a top cybersecurity leader at DHS means the issue is not a top priority. “Simply put, we’re putting ourselves in a real ditch here,” she said.
Congress may have to get involved in the assistant secretary’s hiring, said David Powner, director of IT management issues at the U.S. Government Accountability Office (GAO), which has criticized the DHS cybersecurity effort in a series of reports.
“If they can’t figure it out soon, perhaps you can help them,” Powner told lawmakers.
A June report from GAO found that the DHS had not yet completed a plan involving public and private resources for recovery of the Internet after a major cyberattack, added Representative Ed Markey, a Massachusetts Democrat.
Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA) trade group, called on Congress to pass data breach legislation awaiting a vote on the House floor. CSIA also recommended that Congress better define the roles government agencies such as the DHS and the Department of Defense should play after a major cyberattack.
“There is little strategic direction or leadership from the federal government in the area of information security,” Kurtz said. “We must move beyond philosophy and statements of aspirations to defining priorities and programs.”
The U.S. government has the responsibility of setting priorities and coordinating response to cyberattacks, he added. “Let me be clear — this is not a call for regulation or intervention,” he said. “This is a call for leadership.”