Another View | Getting the facts straight on cybersecurity
Commentary | DHS Under Secretary refutes Cyber Commission findings
- By Robert D. Jamison
- Oct 09, 2008
Government Computer News' editorial 'Elevate cybersecurity'
identified potential conclusions from a new study to be released in November by the Center for Strategic and International Studies' Commission on Cyber Security for the 44th Presidency. Unfortunately, the conclusions outlined are simply incorrect. They do not represent the facts and clearly do not reflect the significant progress that the federal government has made in cybersecurity in the past year.
Just in the last week, the center has finally begun meeting with the Homeland Security Department's operations leadership to discuss our plan. I look forward to continuing to work with them as they finalize their conclusions and go public with their recommendations. In the interim, however, I would like to address each of the points raised in the GCN editorial.'The nation is not organized ' and the government lacks a comprehensive national strategy ' to deal with these challenges.'
Homeland Security Presidential Directive (HSPD) 23, which the president signed in January, established both the strategy and organization to deal with our cybersecurity challenges. It defined cybersecurity roles and responsibilities across the federal government and established the Comprehensive National Cybersecurity Initiative.
CNCI is a robust strategy with defined goals, measures, projects and timelines. For the first time in our nation's history, we have more than just words on paper. We have an integrated interagency implementation effort that is translating strategy into action.CNCI 'remains overly classified and provides little direction or coordination to government agencies.'
CNCI has 12 projects aligned with the overall strategy, and measurable progress is being made on all of them. Each project has accountable leaders or co-leaders, and coordination meetings occur on at least a weekly basis at the White House. With the completion of an interagency classification guide, which required extensive vetting and coordination, the high-level details of those projects have now been made unclassified. Certain elements of CNCI must remain classified for national security reasons, but classified briefings and updates are given to congressional oversight bodies on a regular basis.'Interaction between the federal government and critical infrastructures in the private sector'remains disjointed and inadequate to meet national security objectives.'
DHS recognizes that at least 85 percent of critical infrastructure is owned or operated by the private sector, and a comprehensive cybersecurity effort must include close collaboration with industry. To facilitate that collaboration, DHS uses a public/private partnership framework that was created through the National Infrastructure Protection Plan. We are using that framework to develop short- and long-term recommendations for increasing information sharing on cyberthreats and vulnerabilities among government and private-sector entities and for enhancing government and private-sector collaboration on cyber protection efforts.'DHS lacks the employees, capability, authority and culture to do the job entrusted to it by the president and Congress.'
The law is clear. DHS' National Protection and Programs Directorate leads the federal government's efforts to protect federal civilian networks (i.e., government networks) and coordinate cybersecurity efforts with state, local and private-sector stakeholders. That authority is derived from a variety of sources, including the Homeland Security Act of 2002, the Federal Information Security Management Act of 2002 and HSPD-7.
In terms of capabilities, we are successfully providing leadership on a number of CNCI projects and are strongly supported by our interagency partners at the Defense, Justice and Commerce departments. Our budget has tripled in the past two years, and more growth is planned for the future.'Deterrence against national threats also requires effective offensive capabilities in cyberspace for the defense and intelligence communities.'
That is why one of the CNCI projects focuses on developing a deterrence strategy for cybersecurity. DHS, along with other agencies, is engaged with a broad, multidisciplinary group of experts to consider the range of available strategic options and develop alternative constructs for warning and communication, possible roles for private and international partners, and appropriate responses for both state and nonstate actors.
The facts associated with CNCI speak for themselves. Dramatic improvements have been made to our nation's cybersecurity posture in a relatively short amount of time, and we must continue on that course. When measuring the progress of an undertaking of this scope, it is not a matter of weeks or months but sometimes a matter of a couple of years. We must continue to devote the energy and investment in both the financial and human effort. Our future security in the cyber arena hinges on our continued progress.Robert D. Jamison is undersecretary for the National Protection and Programs Directorate at the Homeland Security Department.