"Despite spending millions of dollars over the past year, DHS continues to struggle with how to effectively form and maintain effective public-private partnerships in support of cybersecurity," Sen. Tom Coburn of Oklahoma said at a hearing convened by a Senate Homeland Security subcommittee, of which he is chairman.
Coburn, the only politician present at the 90-minute hearing, grilled top computer security officials from Homeland Security, the National Security Agency, the Office of Management and Budget, and the Government Accountability Office (GAO). He also asked private-sector companies for suggestions for government action.
The Oklahoma senator joined industry groups and congressional colleagues in chiding the agency for failing to appoint a high-level cybersecurity chief one year after the post's creation. He said having a strong leader in charge is critically important to defend against a crippling cyberattack that could take out not only e-commerce and communications capacities, but also "electrical transformers, chemical systems and pipelines" controlled by computers.
"There's going to be an assistant secretary (for cybersecurity and telecommunications), I promise you, even if we have to raise the salary for the position," he said.
Homeland Security's top cybersecurity post has remained a low- to mid-level position ever since Congress passed a 2002 law that melded 22 federal agencies and made the department chiefly responsible for protecting cyberspace. Numerous audits have faulted the sprawling cabinet department for its lack of readiness to handle large-scale attacks and for shortcomings on its internal networks.
That blistering critique continued on Friday with a new GAO report (click here for pdf), which accused Homeland Security of failing to finalize clear plans that detail the responsibilities of state and local governments, other federal agencies and the private sector before, during and after Internet disruptions. "Today, no such plan exists" despite a federal mandate to devise one, Keith Rhodes, the GAO's chief technologist, told the committee.
DHS Undersecretary of Preparedness George Foresman acknowledged that his department still has much to accomplish, but he suggested the federal auditors' assessment "is much bleaker than what is the actual progress to date."
Government officials have been meeting with corporations from vulnerable industries through committees and working groups, the official said, and the department conducted its first major cybersecurity exercise in February, with plans to release a report on lessons learned in the near future. "These lessons, like those of Katrina, will not sit idle," Foresman said.
Coburn questioned why Homeland Security has not let private companies take on an even greater role in devising policy. "It just seems to me that if 75 percent of (the nation's infrastructure) is private-sector owned, your bottom line depends on this staying up and working...Why don't you tell us what to do?" he asked.
"That's exactly what we're doing," Foresman responded, though he acknowledged it's challenging to work with companies that don't always trust the government with proprietary information that could aid their competitors.
An icy Coburn also couldn't resist taking a jab at DHS officials on another front: He said the agency's prepared testimony for the Friday hearing didn't arrive at his office until late Thursday night, despite receiving notice of the event on June 12. The last-minute submission speaks volumes, he said, providing "an example of exactly what's happening in DHS on cybersecurity."
Foresman, for his part, assured the senator that the tardiness will not occur in the future and added, "By no means were we trying not to get information to you."
