Export Compliance Daily is a Warren News publication.
Successor Needed Quickly

Napolitano’s Departure at DHS May Slow Progress on Cybersecurity Action, Experts Say

Department of Homeland Security (DHS) Secretary Janet Napolitano said Friday she will resign in September. Napolitano, who was one of the first cabinet officials President Obama appointed at the start of his first term in 2009, said she’s stepping down to become president of the University of California system. While Napolitano’s departure is unlikely to fundamentally alter DHS’s role in federal cybersecurity matters, it may slow progress on implementing President Obama’s cybersecurity executive order, industry experts told us.

President Obama did not immediately offer his nominee to replace Napolitano as DHS secretary. Obama gave Napolitano an increased role in protecting the nation’s critical infrastructure from cyberattacks when he issued his cybersecurity executive order earlier this year (CD Feb 14 p1). The executive order directs DHS to identify which critical infrastructures are at the greatest risk for attacks that could result in catastrophic effects on public safety, economic security or national security. The order also tasks DHS with overseeing the private sector’s implementation of the National Institute of Standards and Technology’s forthcoming cybersecurity standards and offering incentives to adopt them. DHS and the departments of Commerce and Treasury have submitted recommendations to the White House Office of Management and Budget on the feasibility and effectiveness of possible incentives, but those recommendations have not been made public (CD July 8 p9). A policy directive that accompanied the cybersecurity order requires DHS to update the 2009 National Infrastructure Protection Plan (CD July 10 p12).

Cybersecurity issues were not a primary focus for DHS for much of Napolitano’s tenure, but “that can be seen as both a good thing and a bad thing,” said Allan Friedman, research director at the Brookings Institution’s Center for Technology Innovation. Napolitano repeatedly urged Congress to enact a suite of comprehensive cybersecurity laws during her tenure (CD March 8 p1) but even piecemeal cybersecurity legislation failed to clear both houses of Congress. This session Napolitano criticized the House-passed Cyber Intelligence Sharing and Protection Act (HR-624), which she said had a lack of privacy protections to govern its provisions for information sharing, among other issues. She previously backed the Senate Cybersecurity Act, which would have given the DHS secretary the authority to lead the nation’s cybersecurity response and fortify the nation’s critical infrastructure and federal networks, but the bill failed to pass last year.

Napolitano did not push “very strongly” for a comprehensive cybersecurity program, “but at the same time it wasn’t clear what we had in place that would have sufficed,” Friedman said. “So the lack of a comprehensive program should not be seen as a failing.” DHS instead focused on smaller programs to cull civilian cybersecurity expertise within the government, along with programs within the National Protection and Programs Directorate that have increased funding for the U.S. Computer Emergency Readiness Team and improved NPPD’s relationship with the rest of government and the private sector, he said.

Napolitano was also a key voice pushing Obama to issue the cybersecurity executive order, which was “so badly needed in the absence of legislation,” said Chad Sweet, CEO and cofounder of the Chertoff Group. Although the order lacks key benefits that can only be provided through legislation, such as liability protections for industry players, “she deserves credit for moving the ball down the field,” Sweet said. The work Napolitano and lead cybersecurity officials within DHS did to secure additional funding for R&D money for cybersecurity research was “no small task given the current budget environment,” Sweet said.

DHS’s role in creating and implementing cybersecurity standards for critical infrastructure became a major sticking point among Republicans last year in the Cybersecurity Act debate (CD Dec 27 p6). That opposition stemmed from “a reluctance to have what was perceived as a command-and-control regulatory framework in place without knowing what the regulations were going to be,” Friedman said. “DHS focuses on security, but didn’t have the background or tradition of working closely with the private sector that Treasury or Commerce traditionally has.” Newer approaches in Congress have given DHS a “noticeably smaller” role in cybersecurity enforcement, but it’s also a role that is more targeted, he said. “As such, it wasn’t as critical to place a single catch-all agency in charge; they can go for more specific challenges.”

Napolitano’s departure is “actually well timed” given that DHS will re-emerge as a key player in the administration’s cybersecurity effort once NIST finishes work on the Cybersecurity Framework, Friedman said. “The important thing to watch for is how anyone coming in will be able to handle that challenge,” he said. “The incoming secretary will need to not only have a particular interest and spend the time on cybersecurity, and prioritize it among other important DHS responsibilities, but also have political capital to spend while working with Capitol Hill and the private sector.”

Execution of Obama’s cybersecurity order is not reliant on any one individual, but “there’s no question that something like this needs the weight of the office of the secretary of Homeland Security to move it forward,” Sweet said. “Her absence will, to some degree, leave a vacuum that could potentially slow progress on the executive order.” Although many DHS-related aspects of the order required Napolitano’s action within 120 days after Obama signed it, other portions “require ongoing leadership on the part of the secretary of Homeland Security,” Sweet said. For instance, Napolitano’s absence will be felt in the consultative process for improving cybersecurity in critical infrastructure because her office’s voice “adds more gravitas to the discussion,” he said. “There could be some slowing of the effort there.”

Lawmakers urged the president to quickly name a successor in separate news releases Friday. Sen. Chuck Schumer, D-N.Y., recommended Obama select New York Police Commissioner Ray Kelly, according to a news release. House Homeland Security Committee Chairman Mike McCaul, R-Texas, said it’s “crucial that the Administration appoints someone who does not underestimate the threats against us, and who is committed to enforcing the law and creating a unified Department.”

A vacancy at DHS may cause cybersecurity to get less attention on the Hill, Sweet said. Cybersecurity is already not receiving as much focus as it needs because of the debate over immigration reform and the ongoing NSA leak and IRS scandals, he said. “The lack of a … secretary to champion it will mean it will get that much less visibility.” Turnover at other key cybersecurity posts within DHS makes it all the more critical that the White House move quickly to find a replacement for Napolitano to avoid leaving a further “vacuum of cybersecurity expertise,” Sweet said.