As the Department of Homeland Security’s cybersecurity responsibilities continue to expand, the agency is beginning to show signs that it may not have the resources to keep up.
Although the department has made significant progress on programs designed to defend federal networks from malware, many key leadership positions remain unfilled, the hiring process for new talent is dangerously slow and the enterprise cybersecurity strategy that was due in March is now six months late with no estimate of when it will be complete.
“I understand the Trump administration did not fill leadership positions relevant to the DHS cybersecurity strategy with any real sense of urgency, and ongoing vacancies may be contributing to the delays. But the strategy is six months overdue and that is not acceptable,” said Rep. Cedric Richmond, D-La., during a House Homeland Security subcommittee hearing Tuesday.
The hearing continued a drumbeat of congressional criticism during the last several months that the Trump administration has neglected the importance of cybersecurity. One estimate places the number of cybersecurity positions that remain unfilled across the federal government at 10,000. In addition, seven members of the 28-person National Infrastructure Advisory Council resigned in August to protest what they characterized as Trump’s “insufficient attention” to national cybersecurity issues.
According to Christopher Krebs, the senior official performing the duties of the undersecretary of DHS’s National Protection and Programs Directorate, a departmentwide cybersecurity strategy will have to wait for DHS to first complete assessments of federal networks, critical infrastructure, and cyber workforce requirements as called for in President Trump’s executive order on cybersecurity, signed in May.
“While those assessments and reports are underway, they are anticipated to have significant impacts on some of the priorities perhaps of the department, including NPPD,” Krebs said. Those reports, including the administration’s broader national security strategy, are likely several months away from being completed.
“We cannot expect DHS to carry out these responsibilities with both hands tied behind its back,” said Rep. Bennie Thompson, D-Miss. “To be successful, the department needs adequate resources, a robust staff, strong leadership and a clear strategy.”
Jeanette Manfra, assistant secretary for Cybersecurity and Communications at NPPD, told lawmakers that her organization is currently staffed at only 76 percent. “We’re averaging about 224 days to hire,” Manfra said. “That sounds long, [but] that includes a top secret [sensitive compartmented information] clearance process.” That timeline also represents a 10 percent improvement over last year, she said.
On the tactical front, Manfra told lawmakers that several non-signature based malware detection pilot programs have shown “positive results,” potentially ushering in new capabilities to detect novel attacks that signature-based technologies can’t see.
In addition, 20 agencies have deployed cybersecurity dashboards that later this month will begin feeding data into the new Federal dashboard that rides on top of DHS’ continuous diagnostics and mitigation program. “That will then allow us to have more near-real-time understanding of what those sensors are identifying on those agency networks and allow us to better prioritize vulnerability management for our agencies,” Manfra said.