[ISN] Cyber Security's Cassandra Syndrome

InfoSec News isn at c4i.org
Fri Dec 10 05:39:19 EST 2004


By Eric Hellweg
December 10, 2004

The big news surrounding the passage of the Intelligence Reform Act
this week was the creation of a new, top-level intelligence director
position, which will oversee all aspects of intelligence gathering and
dissemination in the U.S. government.

But the technology community was calling foul at the elimination of
another proposed high-level post. During last minute, "mercurial"  
conference sessions, a provision that would have created an assistant
secretary of cyber security within the Department of Homeland Security
(DHS) was eliminated.

"The executive branch must exert more leadership" in this area, says a
statement issued this week by the Cyber Security Industry Alliance, a
Washington-based lobbying group.

Many hoped the post would help end the musical chairs nature of the
current cyber security director position, which has been a problem
since the Bush administration took office in 2000.

President George W. Bush appointed Richard C. Clarke to be the
nation's first cyber security "Czar", but he resigned in frustration
in February 2003. He was followed by Howard Schmidt, now the chief
security officer at eBay, who also quit after two months. Most
recently, the position was held by Amit Yoran, a former Symantec
executive. But by then the position was a part of the DHS, and Yoran,
reportedly frustrated by the lack of attention given to the issue,
resigned in October after just one year.

No one doubts the necessity of protecting the nation’s airports and
infrastructure, but the topic doesn't require a senior-level post says
the Bush administration and the DHS, which requested the excision,
according to Harris Miller, president of the Information Technology
Association of America (ITAA).

"We're still examining respective options for reorganization," says
Katie Mynster, a spokesperson for DHS." [But] regarding that position
specifically, we continue to believe that the integration of physical
and cyber security within the Infrastructure Protection Directorate is
the best method to protect the nation’s infrastructure."

Security observers fear that with the elimination of the assistant
secretary proposal, cyber security could slip further down the
mindshare and budget priority list. Miller says that because the
assistant secretary position is a political appointee-level post,
requiring congressional approval hearings, it carries far more heft
than the current staffing level.

But there's a more practical consideration as well, Miller says. The
assistant secretary position is two people removed from the
president's ear, instead of the five that exist now.

"Unless you're a senior person, it's tough to meet other senior
people. It's harder to get face time," says Miller.  "Washington is
all about clout, real and perceived."

Technology industry organizations on the hill that opposed the
position's elimination fear that without a senior-level person pushing
for budgets and awareness, the nation risks a critical infrastructure
attack, one that could cost multiple billions of dollars and possibly

Right now, much of the discussion around cyber security involves
hackers shutting down websites and stealing personal information. But
with networked sensors and software-based operations at our nation's
power plants, petroleum refineries, and other critical locations,
cyber-security proponents fear that someone might try to gain access
to these points as part of a larger, coordinated attack with terrorism
-- not hacker hijinx -- as a motive.

Further complicating the issue is the wide variance in security
awareness among different industries and sectors. The finance
industry, for example, is very much attuned to the issue of cyber
security, whereas the agriculture, energy, and education sectors
either don't have the budget or don't think the topic is a problem.  
Proponents say government-led initiatives, shepherded by an assistant
secretary-level position, could help educate industries and the
public, and work to protect against cyber attacks.

"The message the Department of Homeland Security is sending is that
cyber security just isn't that high of a priority," says Miller.

More information about the ISN mailing list