The Department of Homeland Security’s cybersecurity policy role is increasingly central to the nation’s overall cyber strategy, an evolution that was underscored last week when the White House eliminated its cyber coordinator position.
Confidence in DHS’s ability to manage a large cyber portfolio has grown slowly but steadily over the past few years on Capitol Hill and within the industry. Last week, the department submitted to Congress a long-awaited document that “addresses strategic and operational goals and priorities to successfully execute the full range of the DHS Secretary’s cybersecurity responsibilities,” according to DHS.
But DHS cybersecurity initiatives are often overshadowed by unrelated issues. For instance, DHS reauthorization legislation, containing numerous cyber provisions aimed at solidifying the department’s role as lead cyber agency, has stalled on its way to the Senate floor amid immigration concerns.
“We warded that off in committee” during reauthorization markup, said Senate Homeland Security and Governmental Affairs Chairman Ron Johnson, R-Wis. “I’m worried about where some of my colleagues are on this.”
The Senate is also heading toward a vote on Christopher Krebs to lead the National Protection and Programs Directorate, which would be renamed the Cybersecurity and Infrastructure Security Agency under the pending Senate DHS reauthorization legislation. The House has passed DHS reauthorization as well as a stand-alone bill creating the cyber agency, known as CISA.
In the one-step-forward, one-step-back world of DHS, Sen. Ron Wyden, D-Ore., is holding up the Krebs vote because he wants access to a presentation that DHS gave employees on “stingrays,” a type of unauthorized mobile device.
“We need to get CISA done,” said House Homeland Security Chairman Michael McCaul, R-Texas, suggesting he may look for other vehicles if the Senate can’t move the cyber agency measure as part of the larger DHS reauthorization bill. McCaul has argued that creation of the cyber agency is essential to solidifying DHS’ position as the lead civilian department on cybersecurity.
President Trump’s recent rebuke of DHS Secretary Kirstjen Nielsen — again, on immigration — also cast a pall over DHS work on cyber. A joint DHS-Commerce Department report on “botnets,” which are automated cyber attacks that secretly infect millions of computers, was expected on May 11 but has been hung up at DHS ever since that tongue-lashing at a White House Cabinet meeting. It’s not clear that the two things are related, but sources noted that some of the steam went out of the push to release the report in the days after Trump chastised the secretary.
At the same time, the White House decided to abolish its cybersecurity coordinator position and shift the responsibilities to two directors at the National Security Council. That could put an added premium on DHS’ efforts to encourage cooperation among federal departments and agencies, a top priority of former coordinator Robert Joyce, who recently resigned and returned to his previous job at the National Security Agency.
On the positive side, business sources are citing improvements at DHS particularly on cyber threat indicator sharing, collaboration with the private sector and as a source of funding for state and local cyber activities.
“DHS’ guidance to the critical infrastructure community is good,” said Sean Berg of the Texas-based security firm Forcepoint. “DHS’ work on [continuous diagnostics and monitoring] is very helpful. They are providing funding and things like best practices and vetted products lists.”
Sources emphasized the effectiveness of the department’s collaborative outreach to industry. Several years ago, business groups were concerned that DHS might take a prescriptive regulatory role on cybersecurity.
“DHS’ non-regulatory role is turning out to be one of its greatest strengths,” said Tom Finan, a former senior official at the department now with the firm Willis Towers Watson, a “global advisory, broking and solutions company.”
“DHS has taken some time to mature and figure out its position” in the cyber policy universe, Finan said. But the department has a very limited regulatory role on critical infrastructure – the exception is chemical facilities, Finan noted. “Once the private sector realized that, people wanted to work with DHS – they saw the department as a safe space.”
Lawmakers and former DHS officials said the positive feedback comes after years of work to clarify and stabilize DHS’s mission.
“More and more we’re seeing DHS stepping up to the role we gave them in 2014-2015,” House Homeland Security chair McCaul said, pointing to the landmark Cybersecurity Act of 2015 and a set of bills passed in 2014 that gave DHS direction and statutory authority on cyber.
“Good to hear that the work of DHS is appreciated by the tech companies,” said Suzanne Spaulding, DHS’ former undersecretary in charge of cyber issues. “This reflects work over many years, starting before I arrived and continuing today. It’s been helped by bipartisan efforts in Congress, particularly by Chairman McCaul and ranking member [Bennie] Thompson [D-Miss.], to strengthen DHS’ role.”
Spaulding said lawmakers could help even more by completing action on the cyber agency bill.
“The Senate now needs to pass the legislation to codify the Cyber and Infrastructure Security Agency at DHS to reflect this important role and to help more companies understand it,” Spaulding said. “While [companies] have come to appreciate the work of DHS, too many companies don’t know that DHS has such a significant role. In part, this is because the work is done by an organization named National Protection and Programs Directorate, which tells you nothing about what they do.”
However, some industry sources cited significant problems in the info-sharing arena, as well as a lack of clarity on overall mission and priorities.
“While it is clear that DHS has made progress, there is a long way to go,” said one industry source active on information-sharing issues. “I don’t want to be overly critical. DHS has a lot of smart and well-intentioned people doing good work. But it is important to not lose sight of all that needs to be done.”
The source said DHS’ “most high-profile” info-sharing program “remains of little to no benefit for small and medium sized businesses who cannot consume the indicators. I am not aware of any coordinated strategy to reach this community.” And the information DHS shares with the private sector tends to be “old,” the source said.
“From a policy and planning perspective, it seems everything is a priority,” the source added. “For example, the integrity of elections, systemic risk, combating botnets and securing [the Internet of Things] and identifying and securing critical national functions have all been identified as being their number one priority. There has been no real effort to work with industry to prioritize these.”
A House Homeland Security Committee source said DHS is actively working on ways to extend assistance and tools to small businesses, and DHS announced in early April that it was testing a new system in conjunction with several companies to improve the quality of the info-sharing program.
