Trade Law Daily is a service of Warren Communications News.

DHS Cybersecurity Drubbed in Dems’ Homeland Security Report

Staffing problems at the Dept. of Homeland Security and the National Cyber Security Div. (NCSD) hamper cybersecurity efforts, said the annual report by staff Democrats on the House Homeland Security Committee. The report gives DHS a “C” for cybersecurity, science and technology, and a “D-” for critical infrastructure protection. Privacy protection got a “B,” with praise for former Chief Privacy Officer (CPO) Nuala Kelly’s outreach, but flak for the job’s lack of autonomy. Much of the 75-page report is based on Govt. Accountability Office (GAO) evaluations and private-sector criticisms previously reported in the press.

NCSD is trying to foster partnerships and improve information-sharing between public and private sectors, but DHS “continues to struggle with its outreach efforts,” the report said. Neither has DHS done much to push dissemination of data from the Information Sharing & Analysis Centers (ISACs) to “other components,” the report said, citing a GAO report. NCSD sponsorship of the National Science Foundation’s cyber-workforce grants is “in name alone,” as NSF funds those entirely. The report cited the 2003 cyberattack exercise Livewire and last month’s Cyber Storm coordination exercise (WID Feb 13 p1) as feathers in DHS’s cap, but said it “must work quickly to release lessons learned to the participants” -- the analysis report isn’t due till summer.

The assistant secretary for cybersecurity & telecom job, created amid ballyhoo in July 2005 (WID July 13 p1), remains empty, and NCSD has had an acting director for 16 months -- a black eye, the report said: “Failure to find permanent replacements for both positions raises serious concerns about the Department’s ability to lead the nation in securing cyberspace.”

Funding for cybersecurity is irregular. The President’s FY07 budget comes up $210,000 short for NCSD compared to last year ($92.2 million, down from $92.41 million), though Acting Dir. Andy Purdy predicted a $25 million increase in Jan., the report said. But the cybersecurity budget in the Science & Technology Directorate rose $6.2 million, to $22.73 million.

“Transient leadership” is slowing the honing of cybersecurity, the report said. Detailed sector-specific plans in the Interim National Infrastructure Protection Plan, issued in Feb. 2005, won’t be released until this autumn. The report cited Feb. comments from the Internet Security Alliance to DHS claiming DHS doesn’t treat the private sector, owner of 85% of infrastructure affected by cybersecurity, as a full partner. In Jan. the National Assn. of State Chief Information Officers and Metropolitan Information Exchange released surveys showing poor relationships between the feds and state and local govts. on cybersecurity, the report said.

Privacy protection at DHS got mixed reviews from panel Democrats. Privacy lapses of the sort involving passenger information at the Transportation Security Administration in 2005 not only hurt public confidence, but in the case of the shelved $100 million CAPPS II screening program, “result in tremendous financial waste when they are canceled.”

The CPO’s lack of independence weakens the office, the report said. The CPO, who reports to the DHS secretary, not Congress, has trouble getting access to internal documents without subpoena power. In a 2003 e-mail, then-CPO Kelly told a TSA official: “We're getting better information from outside than we have from our own folks at this time,” the report said. Privacy watchers praised Kelly for creating the Data Privacy & Integrity Advisory Committee, but the job has been filled on an acting basis since Kelly left in Sept. DHS needs to install a permanent CPO to flesh out its privacy agenda, the report said.

Congress needs to empower the CPO to “insulate” the office from “having to compete in a popularity contest,” the report said. It cited a privacy advisory committee member’s summation that Kelly “was not popular” at DHS after a critical report on the agency’s privacy kerfuffle with air passenger data. DHS should draw up a directive letting the CPO, in the official’s judgment: (1) Access records deemed necessary. (2) Undertake any privacy inquiry appropriate for the office. (3) Subpoena necessary documents from the private sector. (4) Obtain sworn testimony. (5) Do as the Inspector Gen. is allowed to do to get answers and relevant documents. Congress should pass a bill “along the lines” of the Privacy Officer with Enhanced Rights Act (HR-3401), set a 5-year appointed CPO term and have that official report directly to Congress. An empowered CPO could avoid problems like those in the NSA’s warrantless surveillance program, the report said.

The National Infrastructure Protection Plan, originally due in Dec. 2004, won’t be out for 6 months, the report said. The 9/11 Commission Dec. report gave the Administration’s critical infrastructure security and vulnerability assessments a “D,” and the National Asset Database of critical infrastructure assets is a “joke” to many in Congress, the report said. The president’s proposal to consolidate infrastructure protection grants into a single pool -- wherein ports, chemical plants and other critical infrastructure must “compete against each other for scarce resources” -- is a bad idea. Each area of infrastructure should have dedicated funding, the report said.