Lawmakers to DHS: Spend more on cybersecurity

Only 1 percent of the Science and Technology Directorate's funds are slated for cybersecurity R&D, but Undersecretary Jay Cohen promised to be more proactive.

A week after grilling Scott Charbo, the Homeland Security Department’s chief information officer, about the agency’s cybersecurity posture, the House Homeland Security Committee took aim at the efforts of DHS’ Science and Technology Directorate to improve federal security.At a June 27 hearing, lawmakers told Jay Cohen, the directorate’s undersecretary, that the $37 million slated for research and development through 2011 is not enough. Rep. Jim Langevin (D-R.I.), chairman of the committee’s Emerging Threats, Cybersecurity, and Science and Technology Subcommittee, asked Cohen why the directorate doesn’t have more interest in cybersecurity research.Cohen said that because 50 percent of the directorate’s budget is focused on meeting customer needs, Greg Garcia, DHS’ assistant secretary of cybersecurity and communications, has requested that only 1 percent of its funds be spent on researching and developing tools for securing information technology. Cohen said the directorate has satisfied 80 percent of Garcia’s requests.“I would welcome Garcia or Scott Charbo to come forward and tell me what they need,” Cohen told lawmakers. “We need to deliver new and tested solutions to deal with cyberthreats. One percent is the minimum funding. We have to do better, and [we] will.”Rep. Michael McCaul (R-Texas), the subcommittee’s ranking member, said Cohen should have asked Congress for more money because a 1 percent budget for cybersecurity is not nearly enough.McCaul said he hopes to introduce legislation that would require DHS to conduct a national vulnerability assessment for cybersecurity. “This is something that is long overdue,” he said.Cohen said he supported such an assessment, but it must include all agencies, not only DHS.Langevin said the Science and Technology Directorate must be more proactive in developing next-generation cybersecurity tools to get one step ahead of hackers.After the hearing, Robert Hooks, director of transition at the directorate, said the integrated product team for cybersecurity has worked on technology to combat insider threats and secure IT.“We should be more proactive, but we have to find cybersecurity opportunities,” Cohen said. “We need entrepreneurs and inventors to come to us with opportunities to solve problems.”Langevin also pushed Cohen to establish a cybersecurity center of excellence to address the existing R&D gaps.Cohen said he is changing the centers’ structure by awarding six-year contracts that are rebid every two years. He is also realigning the existing seven centers into five and adding four new ones.“We will consider how best to defend and stay ahead of the cyberthreat,” Cohen said. “We may need smaller institutions that have expertise or develop a critical mass of these institutions.”Langevin said he was also disappointed in the directorate’s strategic plan, which was delivered to the committee five years late.He said he wants to see a high-level strategy and vision and metrics for measuring the directorate’s performance.“The failure to include metrics raises questions about the directorate’s ability to evaluate its own programs for effectiveness,” Langevin said. “Your plan contains gaps between innovative capabilities and basic research activities.”Cohen promised to deliver the metrics and other changes Langevin asked for. Cohen said he would bypass the process of soliciting comments from other agencies and send the plan directly to the Office of Management and Budget for approval. “I will get you the national strategy by the end of the fiscal year,” Cohen told Langevin.