Agencies struggling over control of cybersecurity overblown, says DHS

Reports of a struggle among agencies about who should oversee governmentwide cybersecurity are inaccurate, and the biggest problem in locking down federal networks is recruiting enough information security workers, said Homeland Security Department officials.

"The misconception that concerns me most is that infighting is happening" among the federal agencies involved in cybersecurity initiatives, said Phil Reitinger, deputy undersecretary for the National Protection and Programs Directorate in an interview with Nextgov. "I just don't see that. Are there disputes between agencies? Yes. Are there arguments between components of DHS? Yes. We're people -- that's how it works. But the degree of collaboration and joint work around the mission is really amazing. There's hard commitment in DHS and across agencies . . . and a deep well of shared experience."

Stories about the tension over who should manage the government's overall cybersecurity programs have circulated for months, with the debate focusing on DHS and the National Security Agency. It peaked on March 5, when Rod Beckstrom, director of the National Cybersecurity Center, expressed in his letter of resignation frustration over the growing influence of NSA in cybersecurity management.

He pointed to the agency increasing cybersecurity staff, developing technology to support cyber initiatives and a proposed move of two DHS organizations -- the National Protection and Programs Directorate and the National Cybersecurity Center -- to an NSA facility in Fort Meade, Md.

"This is an interagency effort," said Reitinger, who took over cybersecurity responsibility at DHS after Homeland Security Secretary Janet Napolitano moved the National Cybersecurity Center under his leadership. Previously, the center reported directly to the secretary.

"It's absolutely essential we work together," he said. "If you look across government, you'll find people who are committed and want to drive toward success regardless of any jurisdictional concerns. There's a trust that will continue to be enhanced."

People often fail to understand the complexity of the cybersecurity mission, said Bruce McConnell, who advises Reitinger on strategic and policy matters. While tax collection by the Internal Revenue Service this year will be similar to last year, "cybersecurity is very dynamic, and changing all of the time," he said. "The misconception is that we can lay out a plan and move forward in a linear fashion."

The biggest challenge DHS faces is human capital, officials said. The National Protection and Programs Directorate more than doubled its workforce in 2008, bringing the total number of employees to 109. Reitinger expects to increase the staff to 260 by 2010, with additional hires in the Cybersecurity and Communications Office, the division responsible for security of the nation's cyber and communications infrastructure.

"We've got great people here, people with significant expertise and a real commitment and passion around the area of cyber," Reitinger said. "The problem is there are just not enough of them yet. We have to hire highly technical qualified people with high-level security clearances. That's a tough group to get."

A report released by Booz Allen and the Partnership for Public Service, a Washington-based good government advocacy group, showed that recruitment and retention of cyber workers in the federal government were hindered by a cumbersome hiring process, lack of governmentwide certification standards, and insufficient training and salaries.

"You may have some ability in private sector to pay more, but DHS has things to bring to the table as well," said Greg Schaffer, assistant secretary for cybersecurity and communications at DHS. "We are at the center of the universe that is cyber, quite literally. That attracts people that are passionate about this issue and feel it's extraordinarily important to ensure the networks are protected. The fact that they go back into industry at some point -- and that inevitably does happen -- is a good thing, because we educate each other."

DHS lost a top cyber executive this month when Mischel Kwon, director of the Computer Emergency Readiness Team, resigned. In response, Reitinger said, "Change happens. People come into the government and people leave. We want to focus on bringing in the best and the brightest who have a passion of what they'll be doing."

To recruit qualified candidates, DHS participates in the Scholarship for Service program, which provides college scholarships and stipends to students who exhibit above-average cybersecurity skills. The National Science Foundation funds the program. DHS also co-sponsors with NSA the National Centers of Excellence in Information Assurance Education, a program that offers an in-depth cybersecurity curriculum to undergraduate and graduate students.

"The scope of issues that involve cybersecurity is extraordinarily large," Shaffer said. "But the progress we've made to date is also extraordinary, and we don't get the credit for what's already been accomplished and what's being accomplished on a regular basis. That doesn't mean we don't have a ton to do. It's a large beast of a problem."