[ISN] Nation's Top Cyber-Security Post Elevated

[InfoSec News]

http://www.washingtonpost.com/wp-dyn/content/article/2005/07/13/AR2005071301733.html

By Brian Krebs
washingtonpost.com Staff Writer
July 13, 2005

As part of a major reorganization outlined today, the Department of
Homeland Security announced plans to give more bureaucratic heft to
its top official in charge of keeping computer infrastructure secure,
a move that critics of federal cyber-security policy have espoused for
years.

Under a restructuring plan detailed by DHS Secretary Michael Chertoff,
the upgraded position -- which will now include the nation's
telecommunications infrastructure in its area of responsibility --
would be placed inside of a new directorate within the department,
just two positions below the Chertoff's. The previous cyber-security
director was situated five organizational rungs below the DHS
secretary.

The department's current top cyber-security post remains unfilled
following several recent high-profile resignations within the
division. None of the three officials who held the post remained in
the position for much more than a year, and all cited frustration with
a lack of consistent access to highly placed administration officials.

Lawmakers in Congress and private sector officials -- many of whom
have maintained that DHS cyber-security leaders have been denied the
sufficient authority and resources to do their jobs -- roundly praised
the reorganization plan, saying it should give the cyber division and
its top officials much-needed legitimacy and direction.

Marcus Sachs, a former White House cyber-security advisor for the Bush
administration, said the department's cyber division has failed in one
of its most basic functions: providing early warning about widespread
Internet attacks.

"There still isn't any timely reaction or response to the bad things
happening online because they still have a very deeply bureaucratic
process that prevents them from sounding the alarm," said Sachs, who
now directs the SANS Internet Storm Center in Bethesda. "Hopefully
this new position will give the [cyber division] the political clout
it needs to push its agenda."

Rep. William "Mac" Thornberry (R-Tex.), who along with Rep. Zoe
Lofgren (D-Calif.) co-authored legislation to elevate the authority of
the department's top cyber official, said the development would "help
ensure that these issues ... don't get buried by layers of
bureaucracy," but added that much will depend on the quality of the
candidate picked for the new position.

"It's important to have someone who is credible and that [the]
industry has confidence in ... someone who can build the kind of trust
and information-sharing relationship that you have to have to be
successful in an effort where 90 percent of nation's computer
infrastructure is in private hands," Thornberry said.

The shift should help the department build greater credibility with
both Congress and the IT industry, said Harris Miller, president of
the Arlington-based Information Technology Association of America.

"The appropriators on the Hill have been skeptical about [funding]
requests from DHS because it's hard to justify spending more money on
cyber when everyone thinks you're doing a crappy job with what you've
been given," Miller said. "This new position should help the
department set some clear priorities and timetables and a way to
achieve those goals in a more meaningful partnership with the private
sector."

The roles and responsibilities for the department's cyber czar were
first laid out in the Bush administration's National Strategy to
Secure Cyberspace, a document released in February 2003 -- when DHS
came into being -- that envisioned protecting key areas of the
Internet from digital sabotage as part of a broader strategy for
guarding vital U.S. assets.

At the time, industry officials pushed for the person in charge of
those efforts to hold an assistant-secretary-level position with
direct access to then-secretary Tom Ridge. Instead, the position was
placed several steps down in a job that answered to Robert P.  
Liscouski, then the department's assistant secretary for
infrastructure protection.

Liscouski resigned in January amid criticism that he had impeded
initiatives from the cyber-division that might have given it a higher
profile, part of a string of resignations in and around the division.  
In Oct. 2004, former cyber director Amit Yoran unexpectedly quit the
post after little more than a year. Yoran's predecessor, Howard
Schmidt, stepped down after just three months on the job.

Schmidt replaced Richard Clarke, the department's first director, who
abruptly left the department three months earlier after it became
clear he would not be included in regular consultations with the
Homeland Security director.

Liscouski had argued that cyber-security should be integrated with
other security considerations, such as the physical security of power
plants and transportation systems. The reorganization plan would give
the new assistant secretary position sole responsibility for
cyber-security and telecommunications security.

Although no full-scale cyber-attacks have occurred, terrorists and
organized online criminal gangs can use the Internet for everything
from passing messages to transferring money. And because so many
networks interconnect, cyber-security experts warn that a weak link
could threaten major avenues of commerce. Digital attacks against
governments, businesses and consumers cost companies and individuals
tens of millions of dollars a year.

Some of the priorities highlighted in the Bush administration's
cyber-security plan including creating and managing a national
disaster-recovery and cyber-response system, establishing a national
program to reduce software security vulnerabilities, and sharing more
information on cyber threats with private-sector companies and state
and local governments.

© 2005 Washingtonpost.Newsweek Interactive