DHS ‘Judicious’ in Lower Cyber Budget Request, Official Tells Approps

It should be kept in mind that the $18 million decrease in the budget request, to $379 million for the National Cyber Security Division (NCSD), is mostly attributable to one-time 2010 costs and projected savings from hiring federal employees to replace contractors for cyber work, Price said. But going at the department’s pace will not “suffice to close the security gaps” in federal systems, he said. Price cited a recent survey of federal information technology administrators that found 74 percent expect a cyberattack from a foreign nation in the next year, while 22 percent said they were already attacked by foreign governments or terrorists.

A recent GAO report on civilian cybersecurity (WID April 13 p4) raises “troubling questions” about interagency collaboration, Price said. It’s not clear why the budget request asks for $5 million to improve collaboration, two years after the Comprehensive National Cybersecurity Initiative (CNCI) was started, he said. Price also cited a “growing leadership vacuum” in businesses who aren’t doing enough to protect critical infrastructure they manage. “DHS has taken limited initiatives in this area,” mostly offering best practices to companies, but “interconnected computer networks are only as safe as their weakest security links,” he said.

"It’s not exactly a state secret” that the U.S. is lagging in protecting its networks, said Ranking Member Hal Rogers, R-Ky. “I'm concerned that cybersecurity is largely misunderstood” and that attacks could harm “virtually all aspects” of physical infrastructure. Rogers criticized “so-called cybersecurity experts” who press for more funding and staffing instead of answering “more tangible questions” like designing better tools and revising legal authorities to protect networks. He asked officials not to engage in “vast IT jargon and reams of data,” and explain the progress on the cyber initiative.

DHS is working with the Office of Management and Budget to reduce Internet access points, and the Einstein 2 system -- which passively monitors networks for malicious traffic -- has been installed in 12 of 21 intended agencies, giving DHS visibility into 180,000 “events” a month, Reitinger said. It’s testing Einstein 3, which adds intrusion prevention capabilities, and is “finding things that work and expanding” them to businesses, such as through a pilot project to share classified information through state fusion centers, he said. NCSD tripled its workforce in 2009 and it’s pushing for a doubling by the end of the fiscal year.

"It’s not clear that DHS can remain on schedule” to deploy Einstein 3 by its 2013 deadline, Price said, given delays in the first two versions. The latest information on the DHS contract for Einstein 3 shows it won’t be awarded until Q2 2011: “What happens in the meantime?” Einstein isn’t a “silver bullet” but part of a “broad spectrum” of protections, and Einstein 2 is actually ahead of schedule, with full rollout pegged for year-end, Reitinger said. Michael Brown, deputy assistant secretary for cybersecurity and communications, said Einstein 3 would wrap its third testing phase in May. The technology has already been shown to work in an “operational environment,” Brown said.

The Trusted Internet Connections (TIC) initiative, also criticized in a recent GAO report, is behind schedule mainly because “we had to essentially create that team” from the ground up, making initiative projections “too aggressive,” Reitinger said. The “vast majority” of agencies say they'll finish TIC by FY 2011, Brown said. That leaves DHS with 40 percent of Internet connections consolidated as of March 31, Rogers said. Brown blamed delays on agencies having to route all their traffic to new physical locations, which takes “time and effort."

"How can you justify coming to us” with a budget request nearly 5 percent lower than last year’s with all these problems, Rogers asked. “We're trying to be judicious in our request,” Reitinger said -- it’s transferring some funding to different parts of DHS, moving data centers and reducing “dedicated expenses.” The request is based on current knowledge but “every day we learn something new,” so DHS may come back with another request, he said. Officials fielded largely the same question from other lawmakers several times after that. Asked why NCSD told the subcommittee that its budget structure was harming operations, Reitinger said it was under a “program, project and activity” structure that didn’t align with the current DHS organizational structure. That’s being changed, he said.

Response Plan Draft by Next Cyber Storm

The department’s coordination with other agencies and state governments drew concerns from lawmakers. Rep. Ciro Rodriguez, D-Texas, said his district helped prep local governments for cyberattacks through a “dark screen” operation led by the University of Texas, a bottom-up approach that seems to be lacking at DHS. Reitinger said the department worked with many local institutions and groups, such as the Multi-State Information Sharing and Analysis Center and the National Association of State Chief Information Officers, and helped in local responses to emergencies. “We're devoting increasing calories” to university collaborations, he told Rodriguez.

The GAO said agencies have overlapping and uncoordinated cybersecurity activities not clarified in the CNCI, and a former National Cyber Security Center (NCSC) chief said lack of coordination was hampering its mission, said Rep. Lucille Roybal-Allard, D-Calif. Reitinger said DHS has made “significant progress” in defining roles and it’s a top priority of federal cybercoordinator Howard Schmidt. The National Cyber Incident Response Plan is the venue for those discussions, and a “full-fledged draft” will be ready this fall before the government’s third Cyber Storm test exercise, Reitinger said. But “we'll never likely be done” with revising roles as situations change. One area of collaboration that isn’t forthcoming is DHS help with broadband expansion, Reitinger told Rep. Sam Farr, D-Calif., who represents a rural district with little broadband.

Farr asked why DHS relies so heavily on contractors for cyber work. “We build out the expertise of our government employees” but cybersecurity experts are hard to find and the market is “highly competitive” between the government and business, Reitinger said. But numbers are rising: The U.S. Computer Emergency Readiness Team had 20 to 25 government workers when Reitinger came on last year and the number is around 50 now, with a goal of 100 by year-end. Farr said his district had masters and Ph.D. programs in cyber-related fields where the government should consider recruiting. The U.S. has a much bigger effort ahead, Reitinger said: “Making sure that people know being a geek is cool” and getting grade-schoolers interested in coding.

Reitinger apologized for the NCSD delivering late its 2010 expenditure plan. Price said he was concerned that the bump in program initiatives in the plan, from six in 2009 to 47 this year, could be a challenge for DHS to carry out under its lower budget request. That’s because the department is planning for a “greater strategic focus” than prior years and adding more employees, having done its first quadrennial review this year and for the first time naming cybersecurity a top-five mission area for DHS, Reitinger said. That’s also why it wants to double funding to $10 million for the NCSC, which handles cybercoordination and wasn’t funded until this fiscal year, he said.

Einstein 3 is about a year behind on the schedule, Reitinger told Rogers, citing time spent in developing contracts and working with agency partners on legal and oversight issues. But he urged lawmakers not to see a “silver bullet” in Einstein 3. “I can assure you that the technology when deployed will significantly enhance our security posture and enable us to do things that we cannot currently do,” Reitinger said. “There will be an Einstein 4 and other parallel protections” going forward. There aren’t plans to expand government security technologies to businesses, Reitinger said. Though companies have “over time gotten more used to reporting” cyberattacks on their systems to the feds, “we still have to make too many de