Security Consultant Perspective

By Matthew Harwood

What were other potential benefits of this kind of reorganization?

A long time ago, the DoD set up the Defense Logistics Agency. What does that mean? That means that those things that are common across Army, Navy, Air Force, and Marine Corps are procured commonly. You have tremendous efficiencies in cost savings. That doesn’t happen at DHS. For example, why does everyone have their own car fleets? Why does everybody buy their own uniforms? The department is currently not benefitting from efficiencies in logistics like the military.

I’ve watched the budget for the past couple of years. The departments got hit hard. In this situation, you have to make every dollar count. You’ve got to figure out ways to take some extraordinary action to increase the efficiency of the operating force. That’s why I really believe the timing for this type of move is now. When you work in DHS, you quickly come to realize that it has essentially one large IT system. Many databases with different program managers in different agencies focused on their specific program with their own budgets, but for the most part they are all interoperable. This begs for centralized management and control to optimize every dollar being spent across the enterprise.

What do you see as DHS’s cybersecurity role?

The government is very proud, and rightly so, of spending a lot of money on cybersecurity. And it’s going to harden the .mil networks and a big chunk goes to DHS to harden the .gov networks, but we have to structure the role of the government to set up partnerships with the private sector. I’m interested in cybersecurity operations centers. These centers would be local or regional and capable of remote sensing and protection. They would alert their subscribers if they were vulnerable and warn them to take the necessary defense. These could be public-private partnerships in the case of state and local governments, or privately run operations that are willing to invest in this concept if there’s a business case.

How prepared are American businesses for cyberattacks?

I personally believe most people don’t know. Unless you’re really big and can afford to do cybersecurity properly, you don’t do it or implement marginal protection. Part of the process that has to happen is learning and education, and I think that is happening. Two years ago, I think most people dismissed this thing out of hand. You can’t read the paper any week without seeing examples. So I think the education is starting to happen. And I really believe that most people are going to opt for a fee for service. Sometime in the future, I believe I’ll have a sign outside my house: “My computer networks are protected by X.”

What’s your nightmare vulnerability that gives you pause?

I worry about a cyberattack—a long, persistent cyberattack. Just think of this: If you’re up in the Northeast in the middle of February and someone really does some serious damage to the utilities. This is not just an eight-hour or two-day power outage. This is long term. People die. And if you can’t find the attribution and figure out how to fix it, then I think the government is in extremis.

One of the things at DHS we were always worried about was emergency response. So we did lots and lots of exercises, like what would happen if an anthrax attack happened here? What would happen if a nuclear device went off in the city? The fact is that, by and large, you have a pretty good handle on what you have to do afterwards. You quarantine the space. You treat survivors. You care about the wind and what direction it’s blowing and decontamination. There are many protocols that are set up to respond. It would be an absolutely terrible situation with tremendous death and destruction. But the fact of the matter is you have the response.

But what happens if the financial industry is under sustained cyberattack? People have no money. People can’t use credit cards. What do you do? What is the federal government’s role in that versus the banking sector’s role? While these things have been clearly identified as critical infrastructure, I am not sure how realistic the plans to respond to such a cyberthreat are. That’s why we have to get real serious about what those next steps are. I don’t think people really understand this in terms of what the threat could ultimately be to them, personally and financially. In many cases, a catastrophic cyberattack is much more serious than a nuclear attack.


