The US Department of Homeland Security (DHS) has failed to take several basic steps to protect the nation's cyber infrastructure, including a year-plus delay in naming an assistant secretary for cybersecurity, lawmakers and other critics charged yesterday.
The DHS was asked to explain why it has failed to fill the high-level cybersecurity position despite the position being announced in July 2005. The delay in hiring an assistant secretary shows a "lack of cybersecurity leadership", said Representative John Dingell during a congressional hearing.
The Department said it was working hard to hire someone and pointed to significant progress in cybersecurity in the past year. Some potential candidates for the job have withdrawn their applications because of private work commitments, department under-secretary George Foresman said. "Had we been inactive the whole time, I think there'd be grave concern," Foresman said. "But I think we've been in overdrive."
Some lawmakers and witnesses disagreed. Representative Anna Eshoo said the lack of a top cybersecurity leader at DHS means the issue is not a top priority. "Simply put, we're putting ourselves in a real ditch here," she said.
Congress may have to get involved in the assistant secretary's hiring, said David Powner, director of IT management issues at the U.S. Government Accountability Office (GAO), which has criticised the DHS cybersecurity effort in a series of reports. "If they can't figure it out soon, perhaps you can help them," Powner told lawmakers.
A June report from GAO found that the DHS had not yet completed a plan involving public and private resources for recovery of the Internet after a major cyberattack, added Representative Ed Markey, a Massachusetts Democrat.
Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA) trade group, called on Congress to pass data breach legislation awaiting a vote on the House floor. CSIA also recommended that Congress better define the roles government agencies such as the DHS and the Department of Defense should play after a major cyberattack.
"There is little strategic direction or leadership from the federal government in the area of information security," Kurtz said. "We must move beyond philosophy and statements of aspirations to defining priorities and programs."
The US government has the responsibility of setting priorities and coordinating response to cyberattacks, he added. "Let me be clear - this is not a call for regulation or intervention," he said. "This is a call for leadership."