Private Sector Partnerships ‘Crucial’ to DHS Cybersecurity Mission, Department Secretary Says
Continued DHS work to build its relationships with private sector stakeholders is “crucial” to its continued mission to address cybersecurity in the private sector and on government networks, Secretary of Homeland Security Jeh Johnson told the House Homeland Security Committee Wednesday. Johnson, who took office in December, outlined his vision for DHS and addressed concerns about the department’s programs. DHS’s private sector outreach on cybersecurity has been most public on the department’s role in implementing President Barack Obama’s cybersecurity executive order, Johnson said.
DHS is responsible for implementing many of the order’s provisions, including encouraging voluntary industry adoption of the Cybersecurity Framework, which the National Institute of Standards and Technology has collaborated on with industry stakeholders. DHS unveiled its voluntary program for framework adoption -- the Critical Infrastructure Cyber Community (C3) -- earlier this month in conjunction with NIST’s release of the “Version 1.0” framework. Cybersecurity experts have said they believe the C3 program as currently structured is inadequate to encourage initial implementation of the framework (CD Feb 20 p7). Johnson said Wednesday that the C3 program will give companies implementing the framework “direct access to cybersecurity experts within DHS who have knowledge of the threats we face,” but acknowledged “there is more to do.” The government should also “recruit the next generation of cybersecurity talent” to aid in its cyber efforts, Johnson said, saying he’s visiting college campuses -- including Georgia Tech -- as part of a “personal recruitment campaign” for DHS.
The committee had said DHS’s cybersecurity role was one of several issues it wanted to address, but members of the committee barely mentioned the issue during the hearing. Committee Chairman Michael McCaul, R-Texas, said he believed the National Cybersecurity and Critical Infrastructure Protection Act (HR-3696) would be important to DHS’s mission because it would codify DHS’s current cybersecurity mission. The committee approved HR-3696 earlier this month, moving it to the full House for further consideration. The committee “would like to see a greater emphasis on building an experienced and streamlined cyber workforce and increasing the security and resiliency of federal networks,” McCaul said. Johnson told the committee he believes HR-3696 is “a good step forward."
Ranking Member Bennie Thompson, D-Miss., said he believes “more needs to be done” to make DHS “the agency that Congress envisioned” and to make DHS more effective in addressing cybersecurity and other issues. Johnson said he intends to “inject a new energy” into DHS by improving the department staffers’ morale, in part by continuing to reduce the department’s leadership vacancies. The department has filled several top DHS cybersecurity posts, but the Senate still needs to confirm Suzanne Spaulding as DHS undersecretary-National Protection and Programs Directorate. Spaulding is currently acting head of NPPD, which is in charge of many DHS cybersecurity programs. McCaul said DHS has a 38 percent vacancy rate among its top leadership positions.