Trade Law Daily is a service of Warren Communications News.

DHS Cyber Chief Passes the Buck for Agency Incidents

The structure of the Department of Homeland Security’s cybersecurity efforts drew skepticism from the House Oversight Information Policy Subcommittee at a hearing Tuesday. Greg Garcia, assistant secretary for cyber security and communications, said he couldn’t provide answers to several lawmakers’ questions because the subjects weren’t under his purview. The Oversight hearing followed last week’s Homeland Security subcommittee hearing, in which lawmakers’ attention was focused on quasi-regulatory bodies with cybersecurity oversight duties (WID Oct 18 p2).

Garcia was on the defensive from the start, scolded by Chairman William Lacy, D-Mo., for turning in his written testimony 2-1/2 hours before the hearing’s scheduled start. “It is more than a little disappointing to me as well,” Garcia said. Later he told Rep. Paul Hodes, D-N.H., that the delay was related to DHS wanting to give the subcommittee the “best quality product” it could.

States are highly vulnerable to Internet infrastructure outages from natural disasters, Missouri CIO Daniel Ross told the panel. The St. Louis and eastern Missouri region had 200 tornadoes last year, which damaged infrastructure. The state fends off about 29,000 cyberattacks every day, which are increasingly targeted and come from “criminal elements” largely outside the U.S., he said. State CIOs are in partnerships with federal and private counterparts, but funding is a problem. “Cybersecurity is not a tangible asset,” and state budgets rarely include any dedicated funding for cybersecurity itself, he said. Several states are struggling to maintain efforts begun with one-time DHS grants, Ross said. A federal “funding pool” for state cybersecurity efforts would be very helpful, he said.

Federal law itself puts up obstacles to the recovery of communications networks after natural disasters, said Greg Wilshusen, Government Accountability Office director of information technology. The Stafford Act provides federal assistance to infrastructure rebuilding efforts after such incidents, but funding for for-profit entities is barred, he said. The federal government couldn’t give such groups “short term tactical assistance” during Hurricane Katrina, even to help them get basic necessities such as food, Wilshusen told Hodes.

Hodes asked Garcia whether he might suffer the same fate as Andy Purdy, the former director of the National Cyber Security Division in DHS. Purdy’s concurrent employment with a DHS contractor -- Carnegie Mellon University -- led to conflict-of-interest questions that “hobbled” his performance for DHS, Hodes said. Garcia came from the Information Technology Association of America. “We work with them as we do with any other major trade association,” Garcia said, noting he was previously employed by the House Science Committee as well. ITAA is “one of many, many stakeholders in this process,” he said.

Hodes was worried about contractors doing “inherently governmental” functions under Garcia’s jurisdiction, which is prohibited by federal law. There are about 100 employees between the NCSD and National Communications System at DHS, two entities whose functions Garcia is trying to merge, Garcia said. There are roughly the same number of contractors for the units, and that “gives us the resiliency we need to respond to urgent initiatives,” he said. He couldn’t answer whether those were individual contractors or contracting companies, but said the largest single contracting company was probably Booz Allen Hamilton. No contractor has a managerial role at NCSD or NCS, and they're supervised by government employees, not their own companies, Garcia said.

DHS has made great strides in getting a handle on the diversity of cyber threats over the past two years, Garcia said. Incident reports to the U.S. Computer Emergency Readiness Team jumped from 24,000 in 2005 to 37,000 in 2006, likely both because of more total incidents and increased reporting of existing threats. More students are taking college curricula on information security as well, he said. But DHS can’t see and stop every threat. “We have to evolve with them. It’s an ongoing technological chess match, if you will, except there is no checkmate,” Garcia said.

DHS has done good work in coordinating cyber exercises such as Cyber Storm and developing sector-specific cyber plans since GAO’s unflattering 2006 report on the agency, Wilshusen said. But it hasn’t yet devised a public-private plan for Internet recovery from a national attack or natural disaster, or set a date for finishing such a plan, and it’s unclear how well other working groups have taken over the duties of the disbanded Internet Disruption Working Group, he said. Specific cyber triggers for a federal response haven’t been developed yet, and the Einstein network security software developed by DHS isn’t yet deployed government-wide, he told Lacy.

Lawmakers seemed perplexed at the organizational structure of DHS when it came to cybersecurity responsibility. Hodes asked Garcia to explain his role in the discovery that a DHS contractor, Unisys, had been concealing attacks on DHS networks that apparently “exposed the entire DHS enterprise.” The DHS CIO actually handles that, Garcia said, explaining his role as “outreach.” Garcia’s divisions treat DHS networks like those of all federal agency “customers,” by finding trends across networks, he said. He couldn’t answer whether Unisys was sanctioned or what punitive action was taken, deferring to the CIO. Hodes wanted to know if Garcia was in contact with the CIO when the breach was being investigated, or if Garcia knew what effect the breach had on his own units. US-CERT was in contact with the CIO, because it was a “contracting matter,” but Garcia wasn’t personally involved, he said.

Garcia took issue with Lacy’s claim that DHS had a “revolving door” when it came to cybersecurity officials. Wilshusen had noted that the directors for the NCSD, control-systems cybersecurity and cyber exercise units had left in recent months. Those departures were for “strictly personal reasons,” Garcia said. “To be honest, the DHS environment and our mission is a very high intensity one, very fast paced and long hours.” Officials didn’t so much leave for more lucrative private sector offers as opt for “a different way of life, closer to family,” he said.

Lacy said the NCSD and NCS had “undefined and conflicting roles” that could hamper their effectiveness in responding to a major attack. Garcia, who oversees both, said the two had “complementary roles” that were “overlapping for the better” -- NCSD handles the security of information infrastructure, and NCS handles the government’s ability to communicate in national emergencies. During the untraced attack on the Estonian government, the two worked together closely, he said. Garcia is working to “colocate” US-CERT with its sister unit in NCS to have a “more synthesized view” of security as communications move from circuit-switched to packet-switched technologies, he said.