Johnson Pledges InfoSec Fixes at DHS

But Nominee Says Little on Cybersecurity at Confirmation Hearing

Jeh Johnson may soon be the Obama administration's new face on cybersecurity, but at his confirmation hearing to be the next Homeland Security secretary, he had relatively little to say about the subject.

Johnson pledged to fix internal cybersecurity problems at DHS before seeking further authority to have the department help other federal civilian agencies in getting their IT security houses in order.

The Obama administration, through executive action, has designated DHS to take the lead role in getting federal executive branch agencies, with the exception of defense and intelligence agencies, to apply new cybersecurity tools and practices.

Comprehensive cybersecurity legislation has stalled in Congress, in part, over disagreement on the role DHS should play in federal government cybersecurity governance, with skeptical lawmakers - mostly Republicans - objecting to provisions in legislation backed by the White House that would give DHS more cybersecurity sway (see Cybersecurity Legislation: What's Next?).

The nominee spoke few words about cybersecurity in his testimony, delivered to a mostly friendly Homeland Security and Governmental Affairs Committee, whose members are expected to recommend Johnson's confirmation soon to the entire Senate, where twice before he won confirmation for other posts.

Johnson did promise to make it a priority to fill the large number of senior management vacancies - including cybersecurity positions - at DHS. A Government Accountability Office report in September revealed that one in five mission-critical cybersecurity-related jobs at a key DHS unit were vacant (see DHS's Huge Cybersecurity Skills Shortage).

Vigorous Pursuit of Cybersecurity

In his opening statement, Johnson listed the five core missions of DHS, including safeguarding and securing cyberspace. "If confirmed, I will vigorously pursue all of these missions - they represent the most basic and important services a government can provide for its people," he told the committee at the Nov. 13 hearing.

But most of the talk about cybersecurity - and there wasn't much during the two-hour session - came from the committee's chairman and ranking member, Sens. Tom Carper, D-Del., and Tom Coburn, R-Okla.

Carper didn't have a specific cybersecurity question for the nominee, but listed a number of cybersecurity initiatives - the cybersecurity framework; reforming the Federal Information Security Management Act, the law known as FISMA that governs federal government IT security; recruiting cybersecurity experts; and protecting the electric grid - that he feels Johnson should address after he's confirmed.

Coburn did have a cybersecurity question for Johnson, but before asking it, he cited two DHS inspector general audits he contends raise questions about the department's ability to successfully manage its own IT security programs.

He said the IG audit, DHS's Efforts to Coordinate the Activities of Federal Cyber Operations Centers, reveals weak or non-existent cyber-threat information sharing, lack of specialized training and poor communications and performance during a cyber-emergency simulation at DHS.

The other IG audit, DHS's latest FISMA evaluation, shows that DHS headquarters, along with seven departmental units, failed to implement all required DHS baseline configurations for Windows workstations, including installing patches in a timely fashion or fixing known security threats.

Issue of Competency and Confidence

Coburn said: "It raises the question, 'If Homeland Security can't apply the very rules to itself it's asking other agencies to comply with, what authority can they have in executing cybersecurity at other agencies?'... That's a big issue and it's one of competency and confidence.
