By Jason Miller
July 3, 2007
A week after grilling Scott Charbo, the Homeland Security Departments
chief information officer, about the agencys cybersecurity posture, the
House Homeland Security Committee took aim at the efforts of DHS Science
and Technology Directorate to improve federal security.
At a June 27 hearing, lawmakers told Jay Cohen, the directorates
undersecretary, that the $37 million slated for research and development
through 2011 is not enough. Rep. Jim Langevin (D-R.I.), chairman of the
committees Emerging Threats, Cybersecurity, and Science and Technology
Subcommittee, asked Cohen why the directorate doesnt have more interest
in cybersecurity research.
Cohen said that because 50 percent of the directorates budget is focused
on meeting customer needs, Greg Garcia, DHS assistant secretary of
cybersecurity and communications, has requested that only 1 percent of
its funds be spent on researching and developing tools for securing
information technology. Cohen said the directorate has satisfied 80
percent of Garcias requests.
I would welcome Garcia or Scott Charbo to come forward and tell me what
they need, Cohen told lawmakers. We need to deliver new and tested
solutions to deal with cyberthreats. One percent is the minimum funding.
We have to do better, and [we] will.
Rep. Michael McCaul (R-Texas), the subcommittees ranking member, said
Cohen should have asked Congress for more money because a 1 percent
budget for cybersecurity is not nearly enough.
McCaul said he hopes to introduce legislation that would require DHS to
conduct a national vulnerability assessment for cybersecurity. This is
something that is long overdue, he said.
Cohen said he supported such an assessment, but it must include all
agencies, not only DHS.
Langevin said the Science and Technology Directorate must be more
proactive in developing next-generation cybersecurity tools to get one
step ahead of hackers.
After the hearing, Robert Hooks, director of transition at the
directorate, said the integrated product team for cybersecurity has
worked on technology to combat insider threats and secure IT.
We should be more proactive, but we have to find cybersecurity
opportunities, Cohen said. We need entrepreneurs and inventors to come
to us with opportunities to solve problems.
Langevin also pushed Cohen to establish a cybersecurity center of
excellence to address the existing R&D gaps.
Cohen said he is changing the centers structure by awarding six-year
contracts that are rebid every two years. He is also realigning the
existing seven centers into five and adding four new ones.
We will consider how best to defend and stay ahead of the cyberthreat,
Cohen said. We may need smaller institutions that have expertise or
develop a critical mass of these institutions.
Langevin said he was also disappointed in the directorates strategic
plan, which was delivered to the committee five years late.
He said he wants to see a high-level strategy and vision and metrics for
measuring the directorates performance.
The failure to include metrics raises questions about the directorates
ability to evaluate its own programs for effectiveness, Langevin said.
Your plan contains gaps between innovative capabilities and basic
Cohen promised to deliver the metrics and other changes Langevin asked
for. Cohen said he would bypass the process of soliciting comments from
other agencies and send the plan directly to the Office of Management
and Budget for approval.
I will get you the national strategy by the end of the fiscal year,
Cohen told Langevin.
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com