John Gilligan is president and COO of Schafer Corporation in Arlington, Va. Previously, Gilligan served as CIO of the Air Force; CIO of the Energy Department; and program executive officer for the Air Force's Battle Management/Command and Control. (Maria Rock)
From the beginning of the Homeland Security Department, there has been vigorous debate about its cybersecurity mission, questioning the wisdom of trying to grow a new capability in DHS rather than handing this task to the well-resourced and better-skilled NSA. In DHS’s early years, there was criticism that there was not enough emphasis on cyber issues. Over time, new senior level cybersecurity leadership and additional funding and positions have been established. Frequent turnover among cybersecurity leadership as well as difficulty in recruiting skilled cybersecurity experts have been a continual challenge. In recent years, a focus of criticism has been on whether DHS had sufficient skilled experts and whether sufficient overall leadership was being provided by DHS to improve security in both the government and the private sector.
In discussions with current and former government executives, I found no one who believes that DHS is doing a very good job in cybersecurity, much less an outstanding one. Offsetting these opinions, however, is my appreciation of the enormous difficulty of DHS’s role. Much of this appreciation is influenced by my many years in government and having been a technical expert in cybersecurity earlier in my career.
As useful context in this regard, I note that until a few years ago, there was little sharing of cyber threat information. Most public and private sector organizations were blissfully ignorant of what was happening within their infrastructures and systems. Convincing someone to change is hard, especially if they don’t see the need. Moreover, as a CIO, I found that individuals and organizations have a disproportionate personal attachment for their IT systems. This causes them to vigorously resist pressure from the outside to make them more efficient or more effective, or, in this context, more secure. Also, some individuals believe that increased security reduces privacy and seek to block deployment of additional security capabilities. Finally, the complexities of cybersecurity require a sound systems engineering foundation to devise technical solutions. Let’s face it, cybersecurity is truly hard!
Despite the pessimism that many have voiced, there are clearly bright spots for DHS’s cyber efforts. The US-CERT is a world class organization that with little fanfare goes about its job on a day-to-day role of alerting organizations to potential or actual cyber-attacks. The Immigration and Customs Enforcement organization continues to be effective in their support to fight cyber-crime. The National Cybersecurity and Communications Integration Center is also beginning to show real progress in effectively sharing real time cyber threat information across critical infrastructure sectors.
Beyond the obvious bright spots, progress in other areas can be observed by retrospective examination. DHS’s progress in improving government network security through standardization and consolidation of access points and deployment of Einstein and has been significant. However, it has taken a long time to achieve this improvement. DHS’s oversight of compliance with FISMA has achieved improved measurement, but agencies spent too much energy measuring document artifacts that have little correlation to true security. The new continuous diagnostics and monitoring initiative is clearly headed in the right direction. CMD is very promising although challenges lie ahead for DHS in how to orchestrate this program and to rapidly deploy these capabilities.
I recently had the opportunity to participate in the DHS Task Force on Cyber Skills. I was tremendously impressed by the very strong commitment to improving cyber skills and the active participation of top leaders in the task force efforts. DHS aggressively embraced implementation of the task force’s recommendations. Nevertheless, progress in hiring highly skilled technical individuals has clearly been slower than the Task Force members or even the DHS leaders would like.
There is no doubt that DHS has come a long way from the early 2000’s in being able to fulfill their cybersecurity mission. There are clear examples of success and other areas are showing significant improvement. I continue to be supportive of DHS’s cybersecurity role and applaud their progress. I exhort DHS’s cybersecurity leadership to be aggressive and innovative. As a nation we are in desperate need of strong and visible leadership in cybersecurity. DHS is clearly our best option. Edward Snowden has effectively closed the door on other options for the foreseeable future.