The hiring decision is a big one for the DHS, which is beginning to implement President Obama’s executive order on cybersecurity amid a broader push to secure federal and private-sector computer networks against online attacks.
“I'm biased beyond any shadow of a doubt ... [but] I think there are two important cybersecurity jobs in the nation right now: Gen. [Keith] Alexander's role at the National Security Agency and the deputy undersecretary for cybersecurity at DHS,” Weatherford told The Hill. “Not just because of the executive order, but when you look at DHS's responsibility of working with the 16 critical infrastructure [sectors across] the nation, there is no single person that has broader influence over those.”
Weatherford announced his departure shortly after President Obama signed an executive order on cybersecurity in February. The order tasked the department with running a cybersecurity program in which critical infrastructure companies — such as the power grid, water systems and financial networks — would agree to follow a set of security practices.
His departure presents the DHS with a chance to refresh its reputation and decide how it wants to proceed with the role. Privately, companies say they have traditionally opted to work with the National Security Agency (NSA) rather than Homeland Security when they have been hit with a cyberattack because the spy agency has the best cybersecurity expertise in the federal government.
“[The job] could be very important if they pick the right person,” said Jim Lewis, director of the technology and public policy program at the Center for Strategic and International Studies.
A DHS spokesman declined to comment on the search for Weatherford’s replacement.
Candidates who are said to be in the running for the job include Debora Plunkett, a top official at the NSA; Tiffany Jones, head of Symantec’s public-sector programs and strategic initiative teams; and Jeff Moss, a prominent hacker who founded the annual Black Hat hacker conference and also serves as the chief security officer at the Internet Corporation for Assigned Names and Numbers.
Some observers say the department needs to look to the tech world and make a bold selection that will attract young talent.
“It's good to get a different perspective. If you have all government people involved, you just get only one kind of thinking,” said a person familiar with the discussions at the Department of Homeland Security. “The Silicon Valley mindset is about as different from government thinking as you can get.”
Moss, who served as co-chairman for the department’s Homeland Security Advisory Council Task Force on CyberSkills, said the DHS would appear “more open-minded” if it chose to hire someone with ties to the tech and hacker communities.
“That would probably help them win over some skeptics,” he said.
Lewis, of the Center for Strategic and International Studies, disagreed, arguing that an executive used to a “freewheeling” corporate culture has a hard time adjusting to the hierarchy in Washington.
“They don't know how to operate in the government — it's different,” Lewis said. “A CEO in a corporation is like God, they say ‘Do this’ and it's done. It isn’t like this in the civil service, particularly in the agencies.”
“We've seen this movie over and over again, and the ending is always unhappy.”
Alan Paller, research director of the SANS Institute, echoed a similar message. He said a candidate like Moss “would be a wonderful breath of fresh air, and would last about 100 days before he would just throw up his hands in frustration.”
For this reason, Rick Wesson, CEO of San Francisco-based network security company Support Intelligence, suggests having two people fill the role — one based on the West Coast working on the technical side of DHS's cybersecurity efforts, and one in Washington to deal with the policy side.
“That’s part of the problem with D.C. is it doesn’t really understand technology and the people who do technology. Technologists on the West Coast don’t understand how to work within the confines of D.C. They don’t enjoy it, so hire two people — split them,” Wesson said. “You’re not going to find one person that fills that role.”
Homeland Security has to decide whether it wants a “super chief information security officer” with a strong technical security background, or someone who acts as a “strategist and policy person,” according to Lewis.
Weatherford, for his part, said the department should look for a candidate with credibility in the security community and relationships in the hacker community.
“Somebody that has security credibility is just really, really important, and to have that kind of credibility, you'd have to have been in the business for a while,” Weatherford added. “You have to know people.”