Paul Schneider, principal at the Chertoff Group, is interviewed.
Paul Schneider is a principal at the Chertoff Group. Previously, he was deputy secretary for the U.S. Department of Homeland Security (DHS), where he managed day-to-day operations of an organization with approximately 220,000 employees and an annual budget of $52.6 billion. Earlier, as under secretary for management, he was responsible for the department’s financial management and for the procurement and management of such mission-critical assets as information technology systems, facilities, and equipment. He has also served as the senior acquisition executive of the National Security Agency, where he oversaw the development and acquisition of information security programs. Between 1998 and 2002, he was principal deputy assistant secretary at the Department of the Navy. In between government service, Schneider was a consultant working on defense and aerospace issues.
Testifying before Congress in February, Schneider recommended that DHS begin a fundamental reorganization of how it conducts business as federal budgets get cut. Security Management sat down with him at the Chertoff Group’s office in Washington, D.C., to discuss his recommendations and his cybersecurity concerns.
The DHS, now the government’s third biggest department, has a motto: “One DHS.” Has that been achieved yet?
What’s been accomplished in the period of time it’s been there is kind of remarkable, quite frankly. My view is “How do you make it better in a severely constrained budget environment?” Anyone who says it’s not one department, I think, is not operating on the facts. You have to take a look at what’s the next step. I come from the U.S. Department of Defense (DoD). It’s not unlike how the DoD matured from the time it became the DoD in 1947 until you had Goldwater-Nichols. I think now the impetus is greater with some of the budget realities that heretofore have not existed.
In February, you recommended that DHS undergo reorganization like the Defense Department did under the Goldwater-Nichols Department of Defense Reorganization Act. What exactly did Goldwater-Nichols do?
It fundamentally changed the way the warfighters fight. It came up with a clear delineation between what the services do and what the actual warfighters do. That’s why you have a CENTCOM and a SOUTHCOM. I think it’s absolutely essential when you’re operating in a geographic area that the combatant commander has complete authority over all of his operational forces in that area. That’s straightforward command and control. Then there is an important function that the services do, in terms of recruiting, training, and sustaining.
The other thing you have to do is realize that one of the things the DoD does really well is adapting lessons learned from each of these different areas and then incorporating that into actual doctrine. Look at how we train today inside DHS; it’s somewhat stove-piped. So how does what happens when they actually work together get reflected back into the training? And that’s why I think this is the next phase for DHS. I do not think the department can enjoy the luxury of building up acquisition and logistics expertise at all of these operating components, especially when the majority of the programs are IT programs that are all interconnected.
The other main element is to separate the acquisition function from the warfighters to focus attention on acquisition by the acquisition professionals, not the warfighters.
You stated in your congressional testimony that the Customs and Border Protection (CBP) Commissioner shouldn’t be bogged down in technical details regarding some IT program. Can you speak a bit more about that?
He shouldn’t be. He should be in a situation where it’s like the DoD. He identifies his requirements and it goes to a Joint Requirements Oversight Council (JROC). There have been many attempts at DHS to establish that. For example, the CBP chief would say “I have a requirement for this type of a system that gives me these capabilities; now, you acquisition techies figure out the best way to go do it.”
If I were the head of CBP, I would focus on operational law enforcement. I would be focused on keeping the bad guys and bad stuff out of the country. You would get a lot of buy-in from the rank and file who are out in the field. People think DHS is a bureaucracy here in D.C. It is not. It’s all over the world, and these are the people who are putting their lives on the line every day. Those types of people want to believe that their bosses are focused on what they do. They don’t want their bosses focused on the management of the development of an IT system.
What were other potential benefits of this kind of reorganization?
A long time ago, the DoD set up the Defense Logistics Agency. What does that mean? That means that those things that are common across Army, Navy, Air Force, and Marine Corps are procured commonly. You have tremendous efficiencies in cost savings. That doesn’t happen at DHS. For example, why does everyone have their own car fleets? Why does everybody buy their own uniforms? The department is currently not benefitting from efficiencies in logistics like the military.
I’ve watched the budget for the past couple of years. The departments got hit hard. In this situation, you have to make every dollar count. You’ve got to figure out ways to take some extraordinary action to increase the efficiency of the operating force. That’s why I really believe the timing for this type of move is now. When you work in DHS, you quickly come to realize that it has essentially one large IT system. Many databases with different program managers in different agencies focused on their specific program with their own budgets, but for the most part they are all interoperable. This begs for centralized management and control to optimize every dollar being spent across the enterprise.
What do you see as DHS’s cybersecurity role?
The government is very proud, and rightly so, of spending a lot of money on cybersecurity. And it’s going to harden the .mil networks and a big chunk goes to DHS to harden the .gov networks, but we have to structure the role of the government to set up partnerships with the private sector. I’m interested in cybersecurity operations centers. These centers would be local or regional and capable of remote sensing and protection. They would alert their subscribers if they were vulnerable and warn them to take the necessary defense. These could be public-private partnerships in the case of state and local governments, or privately run operations that are willing to invest in this concept if there’s a business case.
How prepared are American businesses for cyberattacks?
I personally believe most people don’t know. Unless you’re really big and can afford to do cybersecurity properly, you don’t do it or implement marginal protection. Part of the process that has to happen is learning and education, and I think that is happening. Two years ago, I think most people dismissed this thing out of hand. You can’t read the paper any week without seeing examples. So I think the education is starting to happen. And I really believe that most people are going to opt for a fee for service. Sometime in the future, I believe I’ll have a sign outside my house: “My computer networks are protected by X.”
What’s your nightmare vulnerability that gives you pause?
I worry about a cyberattack—a long, persistent cyberattack. Just think of this: If you’re up in the Northeast in the middle of February and someone really does some serious damage to the utilities. This is not just an eight-hour or two-day power outage. This is long term. People die. And if you can’t find the attribution and figure out how to fix it, then I think the government is in extremis.
One of the things at DHS we were always worried about was emergency response. So we did lots and lots of exercises, like what would happen if an anthrax attack happened here? What would happen if a nuclear device went off in the city? The fact is that, by and large, you have a pretty good handle on what you have to do afterwards. You quarantine the space. You treat survivors. You care about the wind and what direction it’s blowing and decontamination. There are many protocols that are set up to respond. It would be an absolutely terrible situation with tremendous death and destruction. But the fact of the matter is you have the response.
But what happens if the financial industry is under sustained cyberattack? People have no money. People can’t use credit cards. What do you do? What is the federal government’s role in that versus the banking sector’s role? While these things have been clearly identified as critical infrastructure, I am not sure how realistic the plans to respond to such a cyberthreat are. That’s why we have to get real serious about what those next steps are. I don’t think people really understand this in terms of what the threat could ultimately be to them, personally and financially. In many cases, a catastrophic cyberattack is much more serious than a nuclear attack.