Lessons in Homeland Security

The Homeland Security Department lost one of its top voices in early May when Deputy Secretary Jane Holl Lute left the agency after four years. In addition to her homeland security experience, Lute has a history of public service in national security and diplomacy. During her last day on the job, Lute sat down with Government Executive to discuss her time at DHS and what the agency’s future might hold.

GE: What do you see as the three most significant accomplishments during your four years at DHS?

Lute: I think the first and foremost accomplishment is answering the question of whether this country can protect itself. The answer is yes. We can pool our strengths and we can be successful in protecting ourselves. It is clear that the government cannot do all that needs doing here. State and local governments and even the public must be brought in to help reach the common goal.

We cannot be complacent. The deterioration of al Qaeda has not ended the objectives of those who want to do harm to the United States and our citizens. We have made an investment in this country, in the state and local government partnerships, as well as with the private sector, to be able to respond rapidly and effectively. This is the most significant accomplishment.

A second accomplishment is that we put on the map the importance of cybersecurity to our national and economic security. There was not much of a national dialogue four years ago. It was not clear what role the federal government would play. We have learned that we must improve cybersecurity by working together with our partners across government and with the private sector to build the world’s most secure cyber economy. 

A third accomplishment is what I would call the plumbing and wiring of the department. In less than 10 years, we achieved a qualified audit opinion. We have created administrative and operational systems more responsive and efficient than ever for dealing with all kinds of disasters. We continue to improve on individual preparedness, community resilience and the capability of the entire homeland security enterprise.

GE: One issue that has emerged as we get farther away from 9/11 is how do we balance the need for people to be aware of potential terrorism without producing fear fatigue or making them overly complacent?

Lute: I am a New Yorker. That’s a city with a grip on itself from a security standpoint, and it is exciting and vibrant as it ever has been. Buses, subways, taxis—everywhere are the signs: “If You See Something, Say Something.” We have taken a page out of that book and rolled it out nationwide. We have said to the public: If something looks suspicious, report it to the local authorities. We have taken the lessons of 9/11 and built a security framework where Americans take and understand that homeland security is a shared responsibility. America can protect itself, and we must do it together.

GE: Does moving the focus away from al Qaeda and organized terrorist groups to lone wolves change the dynamics of homeland security?

Lute: State and local law enforcement has always known about the threat of lone wolves and the potential harm they can inflict. We continue to build on what we know. Police departments are more prepared and capable of responding. We have learned from past experiences and how to respond as effectively as possible. We also know it is unwise to generalize about a particular ethnicity or religious group based on the actions of a few. We will continue to work rapidly and responsively to recognize the signs of lone wolf actors. We also need to break barriers that isolate communities. And we must all stay vigilant.

GE: One of the first things the department undertook in this administration was the first-ever Quadrennial Homeland Security Review. What were the lessons learned? What should the agency focus on as it turns to the next QHSR, due out in the next year?

Lute: The first QHSR answered the questions: What is Homeland Security? What do we do? The upcoming QHSR will answer the question: How will we do it? How will we ensure Homeland Security while protecting civil rights, civil liberties and individual privacy?

GE: There is a lot of discussion around cybersecurity. Is it national security? Is it law enforcement? Is it preparedness? Is it the private sector’s responsibility?

Lute: At the heart of cybersecurity is the reliability and integrity of your personal identity and your information. The Internet is an extraordinary innovation for humanity in and of itself, and at its core cyberspace is a public space. It is growing organically and instantaneously. We must have norms in cyberspace. We need to understand what property means in cyberspace, what is the role of government.

Generally speaking, security is an assignment that society gives to government. We expect that government runs the police and makes law; government runs the military and makes treaties. Cybersecurity, however, has not been given to the government as a primary responsibility. It is still open, accessible, and what security exists is largely maintained by the public and the private sector. Again, the key to securing cyberspace is securing people’s identities and information, and that will mean identifying roles and responsibilities for individual hardware manufacturers, software developers, Internet service providers, governments, international partners and others.

We will not be able to run the cybersecurity of the nation exclusively like an intelligence program. Is there a role for the intelligence community? Yes, but it is not the leading role. Is there a role for law enforcement? Yes, in that law enforcement must bring law to bear when crimes happen in cyberspace. We must manage cybersecurity as a civilian responsibility—one that recognizes the need to bring reliability and integrity to identity and information protection.

GE: Is cybersecurity more of a priority for noncritical infrastructure and tech companies—e.g. the rest of the Fortune 500—than it has been in the past?

Lute: Yes, cybersecurity is so interesting in that we all have responsibility for it. We all have to be attentive and collaborative on security so that we are all more secure. All critical infrastructure owners and operators, Fortune 500 CEOs, and even owners of small companies and individuals must—and are—paying attention to cyberspace. Every business connects to cyberspace. They manage business systems, employee communications, customer records and more. So every business has a responsibility to safeguard systems and prevent unauthorized use.

GE: As more commercial sites are hacked—beyond critical infrastructures—has DHS seen its role change?

Lute: When we did the first QHSR four years ago, we listed five missions that are critical to our homeland security: preventing terrorism, securing our borders, administering and enforcing our immigration laws, building national resilience, and we called out the need to ensure the nation’s cybersecurity as an important part of the value proposition we call homeland security. Cybersecurity is a national mission and is part of the federal government’s responsibility because, in many ways, cyberspace is the endoskeleton of modern life.

The government doesn’t have all the expertise or information to do it alone. We must make use of the information and tools we have. We must work to help educate the public, engage the private sector and partner in the larger international community in all the issues that fall under the word cybersecurity.

GE: Any thoughts on the path forward for homeland security and DHS?

Lute: I get asked questions about the relative youthfulness of the department and its status as a new agency. Enough with the new. DHS is 10 years old. It has learned and matured an enormous amount in the last 10 years. I’m also often asked to compare national and homeland security. As someone who spent a career in national security, I can say it is different.

National security is strategic, centralized, top-driven. Homeland security is transactional, decentralized and bottom-driven—driven by the needs of the public and of state and local municipalities.

So when you think of the Internet and of cybersecurity, it is not strategic, centralized or top-driven. It is transactional, decentralized and driven by the billions of transactions that happen in cyberspace every day. It is a lot like homeland security. For me, it has been an extraordinary learning experience and a privilege to serve at DHS.

Jessica R. Herrera-Flanigan writes for Nextgov’s Cybersecurity Report.