DHS IG wants US CERT enforcement power, doesn't say how

The Homeland Security Department should have the power to force civilian agencies to comply with cybersecurity guidance from DHS's U.S. Computer Emergency Readiness Team, asserted DHS Inspector General Richard Skinner before a House panel June 16.

US CERT "cannot compel compliance, and until they have that authority...we're going to continue to experience problems," Skinner said while speaking before the House Homeland Security Committee. A report from Skinner's office, timed for release on the day of the hearing, makes the same assertion.

"US-CERT does not have the appropriate enforcement authority," the report states, without defining what appropriate enforcement authority is or recommending how it would be implemented.

In testimony and the report, Skinner also said that US CERT lacks manpower and the ability to monitor federal networks in real time.

Whether DHS could force other agencies to do what US CERT tells them to do is questionable, said Stewart Baker, a partner in the law firm Steptoe and Johnson and a former DHS assistant secretary for policy.

"The difficulty with telling agencies what to do is that you're telling them to spend money that they were going to spend on something else," he said. "There needs to be support from OMB to either say, 'We can find the money,' or 'I'm sorry, take the cut,'" he added.

In any case, the President would ultimately be responsible for inter-agency efforts in the case of a massive cyber attack, Baker said. "Rather than focusing too much on which box goes where or who has what authorities, the important thing is to make sure that the resources are there," he added.

The DHS official present at the hearing, Gregory Schaffer, assistant secretary for the office of cybersecurity and communications within the national protection and programs directorate, said the federal government is looking to change cybersecurity tactics. A defensive posture, he said, cannot withstand attacks "because the ecosystem was not designed and built from the beginning to a good place to defense yourself, and so offense has the advantage."

"Until we change that, we will continue to have some challenges," he added.

The House hearing was held one day after the Senate Homeland Security and Governmental Affairs Committee also held a cybersecurity hearing, albeit one tied directly to legislation that committee members have just introduced, the "Protecting Cyberspace as a National Asset Act of 2010."

During the House hearing, Rep. Jane Harman (D-Calif.), chairwoman of the House Homeland Security subcommittee on intelligence, information sharing, and terrorism risk assessment, said she supports the Senate bill and intends to offer a complementary House version. The bill, sponsored by Sen. Joe Lieberman (I-Conn.), would grant DHS new statutory authority over federal cybersecurity. Among other authorities, the director of a proposed National Center for Cybersecurity and Communications within DHS would analyze the budgets of other federal agencies and make recommendations to OMB regarding their adequacy on cybersecurity matters.

For more:
- go to the House Homeland Security Committee's webpage on the hearing, complete with webcast (broken into two parts)
- read the DHS inspector general report on US CERT, OIG 10-94 (.pdf)
- go to the Senate Homeland Security and Governmental Affairs webpage on the Protecting Cyberspace as a National Asset Act of 2010
