Coburn: What DHS Isn't Doing Right
Senator's Swansong Critical of DHS's Cybersecurity Leadership
Days before he retired this past week, Tom Coburn - who served as the ranking member of the Senate Homeland Security and Governmental Affairs Committee - issued an oversight report that questions the way the Department of Homeland Security approaches its cybersecurity responsibilities.
The Oklahoma Republican writes that DHS seeks to emphasize the critical role it's been assigned to safeguard cyberspace for the federal government and private sector, but says it struggles to execute the responsibilities delegated to it by the White House Office of Management and Budget. "A review of DHS's cybersecurity programs identifies serious challenges that the department must overcome before it will succeed in executing its responsibilities or making a measurable difference in the security of the nation's information systems," he writes.
Coburn is gone, but his views are shared by others in Congress, including many Republicans who now control both houses. Don't be surprised if the Senate panel with a new Republican majority takes a more critical look at how DHS leads in cybersecurity. And the Coburn report serves as a primer for those lawmakers on what to pursue.
"The nature of cybersecurity threats - and the ability of adversaries to continuously develop new tools to defeat network defenses - means that DHS's strategy for cybersecurity, which primarily focuses on vulnerability mitigation, will not protect the nation from the most sophisticated attacks and cybersecurity threats," Coburn says in his report.
Failing to Set a Good Example
Coburn also assails DHS for not setting a good example in its approach to cybersecurity, noting that some of the department's units didn't properly patch their systems or furnish DHS managers with required information to determine compliance with the Federal Information Security Management Act, the law that governs federal government IT security.
In July, as he notes, a DHS Inspector General audit revealed that its Domestic Nuclear Detection Office failed to do enough to secure against potential cybersecurity vulnerabilities, including insider threats and the potential that insiders could steal sensitive data about nuclear systems through exfiltration.
Coburn characterizes such actions as "alarming" examples of DHS's poor cybersecurity practices. "DHS is not setting a good example of effective cybersecurity," he says.
Even the way DHS manages its vaunted continuous diagnostics and mitigation initiative - the continuous monitoring program known as CDM that's aimed at identifying security flaws in government IT systems - has been picked apart by Coburn. The arrangement DHS has with the General Services Administration for agencies to contract CDM services to private providers hasn't resulted in many agencies acquiring those services, he says. "The limited usage of these contracts to date calls into question whether and when DHS can successfully implement this component of its cybersecurity mission."
Helping to lead IT security for perhaps the world's largest enterprise - the U.S. government - is a massive undertaking, and it shouldn't come as a surprise that Coburn says DHS grapples with the task. He cites another IG report that contends DHS struggles in coordinating the sharing of cyber information among federal cybersecurity operations.
DHS Questions Coburn's Analysis
DHS doesn't entirely agree with Coburn's assessment, and a departmental spokesperson says the now-former Senator overlooked much of the concrete progress made over the past year to improve homeland security and the way DHS conducts business. DHS issued a fact sheet that it contends shows the department is steadily performing its work better, maturing as an organization and taking steps to protect Americans.
For instance, the spokesperson says progress is being made with CDM, with 63 departments and agencies having agreed to deploy the program. DHS expects to award contracts to provide the continuous diagnostics and mitigation services at 25 departments and agencies this fiscal year.
Another example of that progress the spokesperson cites: DHS Secretary Jeh Johnson recently standing up the Office of Cyber Policy, which recognizes the department faces a wide range of responsibilities in cybersecurity, including risk prevention and deterrence.
"The team is currently in the process of developing a cross-departmental cybersecurity strategy that will balance preventative programs and migratory response capabilities with cyber law enforcement operations," the spokesperson explains. "Additionally, the Office of Cyber Policy has initiated an effort to define roles, responsibilities, capabilities and assets across the department in order to best align departmental resources to the cybersecurity mission."
Coburn won't be around to ask Johnson and other DHS officials about how DHS is progressing in aligning its cybersecurity mission. But as the newly composed Homeland Security and Governmental Affairs Committee holds oversight hearings in the 114th Congress, his presence will, nevertheless, be felt, thanks to his insightful oversight report.