Sec Kelly should call for bottom-up review of DHS cyber [Commentary]

snagfilms-a.akamaihd.netjohn-kelly-23dffeb60ac38d7577d639158e623483a8f9fb8f-1.jpg

You just can’t get away from talk about cybersecurity these days. From the national headlines about foreign government-sponsored hacking to criminal syndicates breaching our largest commerce centers, our country is in for a rocky road.

We are at an important inflection point in our history when it comes to the benefits and risks of advancing technology. One thing is certain, there is no turning back.

While we await President Donald Trump’s executive order on cybersecurity, it is time for Department of Homeland Security Secretary John Kelly to call for a bottom-up review of his department’s cyber capabilities and structures. This is no throw-away exercise. By calling on the best minds in government and the private sector to conduct a thorough review with actionable recommendations, Secretary Kelly can increase the likelihood that our nation’s cyber defenses will withstand the kind of attacks that are on the horizon.

Cyber Silos

In-fighting among government agencies tasked with different aspects of the same mission is nothing new. This has been the recent history with cybersecurity, as well.

Several years ago, it became clear there was sizable dysfunction between DHS, the National Security Agency/DoD Cyber Command and the FBI, with none agreeing on who was in charge. Each entity saw themselves as the lead organization for the federal government’s emerging cyber mission. More recently, with the help of Congress, the roles and responsibilities have become more clear.

Generally speaking, DHS has responsibility for civilian government and interface with the private sector, most notably on critical infrastructure; NSA/DoD Cyber Command has purview over foreign threats and military capabilities; while the FBI is considered the lead cyber investigative and forensics arm.

With a new administration, I am certain all these assumptions are receiving considerable scrutiny. While there is a school of thought that says, “Just give the cyber mission to DoD and let them get the job done,” I would argue that DHS is best suited to continue as the lead department for protecting federal civilian networks.

Cyber Technology

One of the first areas that should receive attention from Secretary Kelly’s Cyber Review Task Force is the state of DHS’s cyber technology.

Today, the bulk of the department’s cyber capability, which it manages for all federal agencies, is delivered through two multi-year acquisitions: The National Cybersecurity Protection System (NCPS, also known as Einstein) and the Continuous Mitigation and Diagnostics program (CDM). The basic question is whether or not these government programs are actually increasing network cyber protections and enhanced threat information sharing.

Some have argued that using signature-based approaches, as the latest iteration of Einstein (E3A) does, is insufficient to counter the kinds of threats that aren’t recognizable to federal computer sensors. Secondly, CDM is a great concept of creating a federated system of continuous monitoring through sensors and dashboards, but agencies have been slow to adopt the technologies offered through this GSA Blanket Purchase Agreement contract.

This is an area where the private sector can really help. Scores of companies, in various critical sectors such as finance and energy are grappling with the same difficult issues, many with greater success. Bringing these industries to the table to help chart a course for what should come next in cyber defenses is essential.

DHS Cyber Organization and Management

One of the biggest challenges with effectively managing federal civilian cybersecurity comes from within DHS itself.

The organization in DHS that is tasked with operating federal cyber is the National Programs and Protection Directorate (NPPD). This collection of programs and entities ranging from cyber to infrastructure protection to the Federal Protective Service, which protects Federal buildings, has struggled to articulate a vision of what a stand-alone cyber agency would look like.

Some good ideas have been generated, yet they often lack the kind of justification and budget rigor necessary to convince Congress to make the much-needed changes in organization and management structures.

Secretary Kelly’s Cyber Review Task Force could provide the leadership and action plan to actually get this done.

Cyber Money

As with most issues, it will take resources appropriated by Congress to make DHS a powerhouse on federal cybersecurity.

Currently, DHS spends about $1.7 Billion dollars each year on federal network and internal cybersecurity. This represents approximately 4 percent of the department’s net discretionary annual budget of about $40 billion; $1.3 billion of this investment is spent on the two cyber acquisitions, Einstein and CDM. A secretary-level task force with public and private sector cyber leaders could help determine what a realistic program of record should be for future cyber investments.

Conclusion

Secretary Kelly and the incoming leadership at DHS have their hands full. Immigration issues, border security, potential natural disasters and possible terrorist threats dominate the day to day tempo. Given all these demands, it would be easy to see how issues of cybersecurity technology policy, cyber management and budgets would not be on the front burner. That’s why Secretary Kelly should form a cyber review task force to conduct a bottom-up review and within 120 days craft an action plan for DHS cyber.

Regardless of where the final language of the president’s executive order lands, DHS must be able to get the job done in protecting essential federal networks and the countries critical infrastructure.

Chris Cummiskey is a former acting undersecretary/deputy undersecretary and chief acquisition officer at the Department of Homeland Security and a senior fellow with the George Washington University Center for Cyber and Homeland Security.