Revamp DHS Cyber Authorities, Former Officials Urge Congress

Rep. Michael McCaul, R-Texas

Rep. Michael McCaul, R-Texas Evan Vucci/AP

Ex-NSA Director Keith Alexander also suggested reducing the number of DHS political appointees during a Wednesday hearing.

A quartet of former government cyber specialists stood behind a congressional proposal to elevate the Homeland Security Department’s cyber mission during a Wednesday hearing, saying structural barriers currently hinder the department from doing its best to defend government networks.

That proposal, championed by House Homeland Security Committee Chairman Michael McCaul, R-Texas, has been bedeviled, however, by congressional gridlock and by overlapping jurisdictions among committees.

McCaul polled the four panelists on the bill during a full committee hearing. The panelists, who included George W. Bush and Barack Obama administration cyber officials, all urged some shift in DHS authorities to make it more effective.

McCaul’s 2016 legislation would rebrand DHS’ current lead cyber agency, the National Protection and Programs Directorate, as the Cybersecurity and Infrastructure Protection Agency and break it up into four divisions responsible for cybersecurity infrastructure protection, emergency communications and the Federal Protective Service, the agency’s law enforcement wing.

The bill also would have clarified the cyber division’s authority to scan and protect federal networks, an authority that currently relies on a series of legal analyses from different federal agencies.

McCaul has said passing the bill is a major priority for this Congress.

Trump administration officials including Homeland Security Secretary Gen. John Kelly have spoken positively about McCaul’s proposal but have not formally endorsed it.

The department’s acting cyber lead said Monday she expects an updated cyber strategy for the agency within a few months.

Former National Security Agency Director Keith Alexander went furthest, suggesting combining all civilian cyber defense units into a single agency that might be housed in DHS or elsewhere and that communicated seamlessly with the Pentagon and Justice Department about critical infrastructure and major nongovernmental cyberattacks.

“My experience being on the offense is that offense always wins because the defense is terrible,” Alexander said.

Alexander also suggested reducing the number of political appointees at the top ranks of DHS so more career cyber experts with long experience in the bureaucracy can take leadership positions.

That model of career leaders who rose through the ranks and have a deep understanding of the bureaucracy beneath them has been a great boon to NSA and other military and mixed civilian and military organizations, he said.

Bush-era White House cyber adviser Frank Cilluffo urged DHS to focus more intensely on protecting the “most critical of critical infrastructure,” especially the four “lifeline sectors” of energy, communications, water and transportation. He singled out water treatment systems as an industry insufficiently guarded from cyberattacks based on its importance.

DHS has designated 17 industries as “critical infrastructure” that are especially likely targets of cyber and physical attacks. Those categories can sometimes be overbroad, said Cilluffo, who now leads George Washington University’s Center for Cyber and Homeland Security.  

“If everything’s critical, nothing’s critical,” he said.

Former Obama White House Cyber Coordinator Michael Daniel, who now leads the Cyber Threat Alliance, and Bruce McConnell, who was a top Obama DHS cyber official and now leads the East West Institute, also spoke on the panel.

McConnell urged the committee to investigate cyber vulnerabilities among suppliers of election systems to state and local government not currently vetted in any centralized manner.