Jeh Johnson Confirmed as DHS Secretary
Comes to Job with Limited Cybersecurity Expertise
Jeh Johnson has been confirmed as secretary of Homeland Security, making the former Defense Department general counsel one of the administration's leading voices on cybersecurity.
The Senate on Dec. 16 voted 78 to 16 to confirm Johnson.
"Jeh [pronounced Jay] has been a critical member of my national security team," President Obama says in a statement. "As secretary of homeland security, Jeh will play a leading role in our efforts to protect the homeland against terrorist attacks [and] adapt to changing threats ... while upholding the values, civil liberties and laws that make America great."
Johnson's predecessor, Janet Napolitano, served as one of the top advocates for the administration's cybersecurity policy, testifying before Congress and appearing at industry forums. The new secretary is expected to continue in that role, in part, because the Obama administration has given DHS increased roles in assuring other non-defense, non-intelligence federal agencies adopt better IT security practices and serving as a liaison on cybersecurity matters with the private sector.
For instance, the expansion of continuous monitoring in federal agencies is being promoted by a program called Continuous Diagnostic and Mitigation that's administered by DHS's National Protection and Programs Directorate (see Feds Tackle Continuous Monitoring).
Like Napolitano, Johnson comes to the job with limited IT security experience. His resume does not show any cybersecurity expertise, though he served as the Defense Department's general counsel when DHS and DoD negotiated a joint approach to defend America's government, military and domestic IT infrastructure (see DHS, DoD to Tackle Jointly Cyber Defense). He stepped down from that DoD position last year to return to a private law practice.
Challenges Johnson Faces
Johnson becomes Homeland Security secretary at a time when cybersecurity reform legislation has stalled in Congress. One of the holdups of the legislation - including updating the 11-year-old Federal Information Security Management Act, the law that governs federal government IT security - is the continuing debate over the role DHS should play in overseeing IT security in the non-military, non-defense part of the federal government.
The administration and Senate Democrats see a need for a stronger role for DHS in implementing cybersecurity among civilian agencies. Republicans, for the most part, seek to limit the role DHS plays on IT security matters.
At Johnson's confirmation hearing on Nov. 13, Sen. Tom Coburn, R-Okla., cited two DHS inspector general audits he contends raise questions about the department's ability to successfully manage its own IT security programs. He said the IG audits reveal weak or non-existent cyberthreat information sharing, lack of specialized training and poor communications and performance during a cyber-emergency simulation at DHS.
"If Homeland Security can't apply the very rules to itself it's asking other agencies to comply with, what authority can they have in executing cybersecurity at other agencies?" asked Coburn, the ranking member of the Senate Committee on Homeland Security and Governmental Affairs. Coburn voted to confirm Johnson.
At his confirmation hearing, Johnson had little to say about IT security, although he pledged to fix internal cybersecurity problems at DHS before seeking further authority to have the department help other agencies to get their IT security houses in order (see Johnson Pledges InfoSec Fixes at DHS).
Need to Stabilize Staff
Top leadership has been in flux at the department for much of 2013. Besides Napolitano, her chief deputy, Jane Holl Lute, and Deputy Undersecretary for Cybersecurity Mark Weatherford resigned earlier this year. Though Phyllis Schneck replaced Weatherford this summer as deputy undersecretary, a post that does not require Senate confirmation (see It's Official: Schneck Takes DHS Post), the Senate has yet to act on the nomination of Alejandro Mayorkas, director of the department's Citizenship and Immigration Services, to become deputy secretary.
Johnson, known as a strong administrator, will put that skill to the test as he addresses one of the pressing problems the department faces: finding qualified IT security staff. A Government Accountability Office audit issued in September says more than one in five mission-critical cybersecurity-related jobs at a key Department of Homeland Security unit are vacant (see DHS's Huge Cybersecurity Skills Shortage).
"Although they hired well, the high turnover of senior cybersecurity people - technical and managerial - at DHS has been an unspoken calamity," says Tony Sager, a former National Security Agency information assurance leader who has worked closely with DHS.