Johnson Pledges InfoSec Fixes at DHSBut Nominee Says Little on Cybersecurity at Confirmation Hearing
Jeh Johnson may soon be the Obama administration's new face on cybersecurity, but at his confirmation hearing to be the next Homeland Security secretary, he had relatively little to say about the subject.
Johnson pledged to fix internal cybersecurity problems at DHS before seeking further authority to have the department help other federal civilian agencies in getting their IT security houses in order.
If Homeland Security can't apply the very rules to itself it's asking other agencies to comply with, what authority can they have in executing cybersecurity at other agencies?
The Obama administration, through executive action, has designated DHS to take the lead role in getting federal executive branch agencies, with the exception of defense and intelligence agencies, to apply new cybersecurity tools and practices.
Comprehensive cybersecurity legislation has stalled in Congress, in part, over disagreement on the role DHS should play in federal government cybersecurity governance, with skeptical lawmakers - mostly Republicans - objecting to provisions in legislation backed by the White House that would give DHS more cybersecurity sway (see Cybersecurity Legislation: What's Next?).
The nominee spoke few words about cybersecurity in his testimony, delivered to a mostly friendly Homeland Security and Governmental Affairs Committee, whose members are expected to recommend Johnson's confirmation soon to the entire Senate, where twice before he won confirmation for other posts.
Johnson did promise to make it a priority to fill the large number of senior management vacancies - including cybersecurity positions - at DHS. A Government Accountability Office report in September revealed that one in five mission-critical cybersecurity-related jobs at a key DHS unit were vacant (see DHS's Huge Cybersecurity Skills Shortage).
Vigorous Pursuit of Cybersecurity
In his opening statement, Johnson listed the five core missions of DHS, including safeguarding and securing cyberspace. "If confirmed, I will vigorously pursue all of these missions - they represent the most basic and important services a government can provide for its people," he told the committee at the Nov. 13 hearing.
But most of the talk about cybersecurity - and there wasn't much during the two-hour session - came from the committee's chairman and ranking member, Sens. Tom Carper, D-Del., and Tom Colburn, R-Okla.
Carper didn't have a specific cybersecurity question for the nominee, but listed a number of cybersecurity initiatives - the cybersecurity framework; reforming the Federal Information Security Management Act, the law known as FISMA that governs federal government IT security; recruiting cybersecurity experts; and protecting the electric grid - that he feels Johnson should address after he's confirmed.
Coburn did have a cybersecurity question for Johnson, but before asking it, he cited two DHS inspector general audits he contends raise questions about the department's ability to successfully manage its own IT security programs.
He said the IG audit, DHS's Efforts to Coordinate the Activities of Federal Cyber Operations Centers, reveals weak or non-existent cyber-threat information sharing, lack of specialized training and poor communications and performance during a cyber-emergency simulation at DHS.
The other IG audit, DHS's latest FISMA evaluation, shows that DHS headquarters along with seven departmental units, failed to implement all required DHS baseline configurations for Windows workstations, including installing patches in a timely fashion or fixing known security threats.
Issue of Competency and Confidence
Coburn said: "It raises the question, 'If Homeland Security can't apply the very rules to itself it's asking other agencies to comply with, what authority can they have in executing cybersecurity at other agencies?'... That's a big issue and it's one of competency and confidence.
"What I want to do, under your leadership, is to see that competency and confidence restored. You have some great people under you in that area. And, what we have to do is make sure Homeland Security is doing it well before we ask everybody else to do it well."
Coburn asked Johnson if he'd commit to work with the Senate panel to make DHS an example of good cybersecurity before seeking new authority. Johnson answered, "Yes."
From the glass-half-full perspective, such cooperation could help tear down one of the barriers that have prevented Congress from enacting cybersecurity reform, including updating FISMA. In fact, Johnson's reputation as a collaborator - he served as the Defense Department's general counsel when DHS and DoD negotiated a joint approach to defend America's government, military and domestic IT infrastructure - was cited by President Obama when he nominated him (see DHS, DoD to Tackle Jointly Cyber Defense).
"Jeh (pronounced Jay) also knows that meeting these threats demands cooperation and coordination across our government," Obama said in a Rose Garden ceremony (see Obama Picks New DHS Secretary).
But even with a great collaborator heading DHS, the prospect of getting significant cybersecurity legislation enacted in the toxic political milieu known as Washington remains iffy, at best.