Stabilizing DHS Cybersecurity LeadershipExperts: New Secretary Needs to Build Continuity, Consistency
Stabilizing cybersecurity leadership at the Department of Homeland Security - which has experienced significant turnover this past year - should be a priority for Jeh (pronounced Jay) Johnson if the U.S. Senate confirms him as the next DHS secretary, government IT security experts say.
"Although they hired well, the high turnover of senior cybersecurity people - technical and managerial - at DHS has been an unspoken calamity," says Tony Sager, a former National Security Agency information assurance leader who has worked closely with DHS.
President Obama last week nominated Johnson to succeed Janet Napolitano as head of DHS (see Obama Picks New DHS Secretary). In 2013, three different people held the post of DHS deputy undersecretary for cybersecurity, including one in an acting capacity (see Another Leadership Shakeup at DHS and It's Official: Schneck Takes DHS Post).
"One of the basic tenants of strong leadership is continuity and consistency," says Delaware Chief Security Officer Elayne Starkey. "Over the past years, this has been impossible to accomplish at DHS because of the revolving door at the senior leadership ranks."
Minnesota CISO Chris Buse, who, like Starkey, has collaborated with DHS, says the new secretary must support DHS's senior IT security staff in carving out a cybersecurity vision through strategic and tactical initiatives. "DHS has always been blessed to have some very strong leadership in cyberspace, but the agency really needs to figure out ways to keep its top-level executives in place for longer periods of time," he says
Elevating DHS's Cybersecurity Role
Several experts say DHS, under its new leader, should elevate its role as the federal agency leading cybersecurity initiatives in and out of government.
"Cybersecurity ought to be one of the defining issues for the incoming secretary," says Sager, director of programs at the Council on Cybersecurity, a global not-for-profit organization that promotes an open and secure Internet. "The time is right for a stronger, more constructive leadership role for DHS."
DHS should take the lead in getting various parties - the military; the intelligence community; federal agencies, including the National Institute of Standards and Technology; and key privately owned businesses - to define not only best information security practices, but also IT security product standards, Sager says.
"Although the critical infrastructure is overwhelmingly privately-owned, government needs to establish a leadership role to bring together the primary buyers and suppliers of relevant technology, as well as the enforcement parts of the ecosystem [for instance, auditors and insurers] to lead the discussion of the threats we face in common actions and how to establish market-enforced norms of practice," Sager says.
NIST, part of the Commerce Department, is working with other government agencies, including DHS, and the private sector to create a cybersecurity framework that critical infrastructure owners could voluntarily adopt. But NIST doesn't have operational authorities; it doesn't own any content, such as threat indicators and vulnerability repositories. "DHS has all that, plus the ability to do things like convene protected sharing," Sager says. "I just don't think they have maximized the authorities they already have."
Working with Anti-Malware Producers
Robert Bigman, an IT security consultant who spent a decade-and-a-half as CISO at the CIA, says Johnson, if confirmed, should lead an effort to get anti-malware producers to work with the government in making it easier to identify cyberthreat signatures. "We need a truly national strategy that both protects the product sensitivity of the vendor community and gets the best cyber-intelligence in the hands of everyone who needs it in the most efficient manner," he says.
Mark Weatherford, who served as the top cybersecurity official at DHS as deputy undersecretary for cybersecurity until earlier this year, says the department needs to consider establishing a senior leadership role for a private-sector outreach team and launch a campaign that distinguishes DHS cybersecurity information sharing from other government organizations, including the Defense Department. "There is too much at stake," says Weatherford, a principal at the security consultancy Chertoff Group.
But Weatherford adds that leadership doesn't mean DHS and its new secretary can dictate cybersecurity terms. "It's important to remember," he says, "the Internet is primarily a civilian space, not a government space or military domain."