[ISN] The United States' battle to secure cyberspace
isn at c4i.org
Thu Jan 27 02:27:36 EST 2005
By Robert Lemos
Staff Writer, CNET News.com
January 26, 2005
Robert Liscouski doesn't hesitate to explain why he's leaving the
Department of Homeland Security: He pledged two years, and time's up.
Liscouski thus becomes the latest high-ranking cybersecurity official
to leave the DHS, where protecting the U.S. information infrastructure
made up only part of his duties.
But Liscouski, formerly the chief information officer for the
Coca-Cola Company, says this is not another sign of the disarray
alleged by DHS detractors. What's more, he believes the department has
received a bad rap from critics who claim the DHS has done little to
protect cyberspace. CNET News.com spoke with Liscouski about the DHS's
commitment to cybersecurity, the criticisms of the agency and why the
DHS resembles nothing so much as a high-pressure start-up--albeit
without stock options.
Q: There's been criticism from the technology industry that the Bush
administration hasn't moved fast enough in implementing the national
strategy. How do you respond?
Put the criticism aside and take a look at what we've done.
There was no organization responsible for cybersecurity prior to the
DHS, and within less than two years we not only created an
organization which is specifically responsible for information
technology and cybersecurity, but we went from an aggregated budget of
about $10 million to $80 million. We've got the National Cyber Alert
System, which was launched this last year, which is delivering
information to American secured computer systems, and we've got
270,000 direct subscribers there. We've increased situational
awareness in the cybercommunity through the US-CERT Web site. We've
established a cybersecurity readiness and response system, which is a
24-7 system, which is effectively responsible for tracking incident
and trend data....We disseminate US-CERT data through classified
I can go through the entire list of accomplishments, but I would say
we've done a very good job and it's all user-focused.
The industry allied with the government to create the National Cyber
Security Partnership and then came up with five different working
groups, which issued reports. But we have seen little else from them
since. Has private industry participation stalled?
No. Actually, I would argue that the private sector is working well
with the department. I've looked at what the task force working groups
have done so far. Software assurance and governance working groups in
particular have done a tremendous job.
We've got more to do, no question about it. But you know, we've got
engagement; we've got good leadership there....It's a classic case of
you can't just rush that process quicker by adding more people and
more resources. Some things do take time to implement.
People are more worried about the physical threats than cyberthreats.
Do you think that's going to change in the future and that
cybersecurity will be a bigger part of the equation? Or do you think
the mix we have right now is about right?
Well, I think you are making an assumption that your perception is
correct. I would challenge you on that. I would suggest that you're
seeing the most visual things, such as the police out in force with
all sorts of SWAT gear standing in front of buildings. Because of the
visual aspect, you see our reaction to a threat--checkpoints and a lot
of things that would make a much better media visual then talking
I don't necessarily agree that we've only been focusing on the
physical side. But I would tell you that the dominant threat that we
face today is a physical threat versus a cyberthreat in terms of where
al-Qaida is focusing, and al-Qaida is still the predominant threat
that we look at. But that's not at the exclusion of the other
There are plenty of examples where cyberattacks have manifested
themselves and they have not been a threat. We've taken coordinated
action, working with our partners in the federal sector to mitigate
the attack, investigate the attack and get awareness about what's
going on. It just doesn't create the visual that the physical side
So you know, when we talk about one dominating the other, much of that
has to do with the fact that we are somewhat driven at a tactical
level by the threats that we face, and we're not going to let another
9-11 happen. But we're surely not going to turn a blind eye to
cyberspace so we can have a 9-11 version of a cyberwar. We've got a
very active and very aggressive approach there. I think it's just not
fair to represent one as dominating the other.
What remains to be done?
I actually employed software (while) working for a Fortune 50 company,
and I would tell you that my biggest push was getting the vendors to
make sure that they are going to give us solid, workable software that
I could rely upon.
While the industry is criticizing the government, they are not vocal
about their own issues. To suggest that this monkey is only on the
government's back takes some pressure off the private sector. But it
doesn't do the user community any service because nobody is looking
out for them. I see that as our job.
I'm going to continue to push that agenda outside the government as
well as inside the government. I think you're going to see more about
the user community being the emphasis and more focus on getting
educated and becoming more aware.
There has been a lot of turnover within the cybersecurity side of the
DHS. Lawrence Hale is leaving. Amit Yoran has left. And it goes back
to Richard Clarke, who left a comparable post just before the DHS was
formed. Is that indicative of some sort of difficulty on the
It's regular government turnover. I would say some of those in the
industry who are getting more vocal would argue that the turnover
indicates a problem. But many of these people have put their time in.
Part of it is, I need more senior positions to which I can promote
people to reward their hard work. I cannot compete with the private
sector in keeping good people.
Lawrence Hale is a very bright guy, a very talented guy, and he's put
in 24 years. Amit told us he would give us a solid year. He's a good
guy, and he gave it a shot, and we got a year.
In my case, I committed to (being assistant) secretary, when I came on
board back in February 2003, for two solid years. You know these jobs
are hard. When you've done a start-up environment--and you know what
the hours are and how hard the pace is--(you know) that particularly
in a constantly changing environment in which you have to keep your
pressure on for execution, you have transitions. I pretty much
fulfilled my commitment to the secretary and had always desired to
move back to the private sector.
This is basically a start-up organization in which the pressure here
is as intense as it is anywhere else in the private sector. Let
somebody else have as much fun as I have.
More information about the ISN