WASHINGTON, Sept. 17 (UPI) -- Lawmakers heard calls Tuesday for the Department of Homeland Security to be stripped of its lead responsibility for protecting U.S. computer networks.
"Our view is that any improvement in the nation's cybersecurity must go outside of DHS to be effective," said James Lewis of the Commission on Cybersecurity for the 44th Presidency, a bipartisan effort to develop recommendations for the next administration on the issue, increasingly seen as one of the most important ways in which the United States is vulnerable to attack by potential adversaries.
Lewis and two other experts from the 30-strong commission, set up by the Washington-based Center for Strategic and International Studies, gave evidence alongside a government auditor to the Cybersecurity Subcommittee of the House Committee on Homeland Security.
The chairman and ranking member of the subcommittee, Reps. James Langevin, D-R.I., and Michael McCaul, R-Texas, are co-chairs of the commission.
The federal auditor, David Powner of the Government Accountability Office, gave an unusually blunt and damning assessment of the way the troubled department was handling its responsibilities for defending the nation's cyber networks and coordinating with the private sector, which owns almost all of the U.S. Internet infrastructure.
"Clearly our work has demonstrated that DHS has been completely ineffective in fulfilling their role as the cybersecurity focal point," Powner said.
DHS was given the lead role in defending the nation's civilian computer networks when the department was formed by a merger of 22 federal agencies in 2003, but it has struggled to make progress on the issue -- which has been highlighted in the past 18 months by several cyberattacks on small former Soviet nations, allegedly instigated by Moscow, and by extensive hacking of and data theft from U.S. government systems, which officials have said originates in China.
Earlier this year the White House announced that U.S. intelligence agencies would lead a new, largely secret effort to secure U.S. government networks from attack and espionage. Under the Comprehensive National Cybersecurity Initiative, which reportedly will cost tens of billions of dollars, DHS will continue to be the lead agency dealing with the private sector on the issue.
One expert from the commission, Paul Kurtz, who worked at the White House on cybersecurity issues under Presidents Clinton and Bush, said that, at a late-June briefing for private-sector executives about the new cybersecurity initiative, senior DHS officials had disagreed openly about how to move ahead.
"It demonstrated in spades the lack of leadership, the fact that no one was in charge at DHS," he told the hearing.
Kurtz later told UPI, in an account that has been confirmed by others present, that Undersecretary for National Protection and Programs Robert Jamieson and Undersecretary for Policy Stewart Baker had interrupted each other and Assistant Secretary for Cybersecurity Gregory Garcia had said "almost nothing."
For those attending -- "a who's who in the private sector of those who've been following this issue for years," Kurtz told UPI -- "it was a dose of reality on how bad things are" at DHS.
"The last time I checked, we had at least four people at DHS who claim to be in charge of cybersecurity," remarked subcommittee member Rep. William Pascrell, D-N.J.
Kurtz was keen to stress that "there is good work being done" on the issue, "even at DHS," and fellow commission member Lewis emphasized that the department lacked the authority it needed for the role it had been given -- an observation that has been made about other DHS missions.
"It really doesn't have the authority to direct other departments and agencies," said Lewis. "If anything, its authority has probably declined as other departments have moved out on this issue."
"Only the White House has the authority needed for cybersecurity," he concluded, adding that strengthening the department's authority was no longer a viable option at this point.
"I began in this effort by thinking that we should strengthen DHS," he told the hearing. "We did not receive much encouragement when we put that forward" to the experts and officials the commission had interviewed as part of its inquiry. "In the end," he said, his suggestion that the problems could be solved by strengthening DHS' authority was "shot down by my own commission."
"The train is leaving the station," Kurtz told UPI. "This is a national security issue, and it needs to be dealt with as such." The commission was still drafting the fine print of its recommendations, Lewis said, adding it would be urging some role for Homeland Security.
"There are things that only DHS can do, and it is appropriate that they are in DHS," he told the hearing, but the issue as a whole "needs to be taken under the leadership of the National Security Council."
DHS officials acknowledge there is much room for improvement in their cybersecurity work but argue that they need more time to get it right. Spokeswoman Laura Keehner accused the commission of "political posturing" and "shell games."
"Rearranging the deck chairs is a classic inside-the-Beltway pastime, but all that it ensures … (is) that in two years the government's cyber efforts will be in the same place," she told UPI, adding that the department was "aggressively hiring several hundred analysts to further our mission of securing critical infrastructure."
"Billions of dollars are going into this effort," she said, comparing it to the Manhattan Project -- the famous effort by the United States to develop the first atomic bomb.
