
[infowar.de] Rick Forno on the Homeland Defense Office and the missing "Czar"



Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------
http://securityfocus.com/columnists/32

Homeland Cyber Security: We Need a Czar, Not a Coordinator
President Bush has appointed a National Advisor on cyber-security; but
without the means to enact real change, the appointment will be another
in a long line of failed initiatives.
By Richard Forno
Oct 23 2001 11:00PM PT

Coordinator - noun - An equal, one who fosters consensus and agreement
toward a shared goal.
Czar - noun - A person with great authority.

In the aftermath of the September 11th tragedy, President Bush announced
the creation of the Office of Homeland Security (OHS), a Cabinet-level
entity charged with counter-terrorism, cyber-security, and critical
infrastructure protection in the domestic United States. One of the
three key leaders in this new organization is Richard Clarke, who had
previously been appointed by President Clinton to coordinate computer
security efforts for the United States. Clarke is one of the few senior
government executives who has a grasp of this issue's complexity,
although his mantra of an "Electronic Pearl Harbor" is considered
somewhat sensationalist by many security professionals.

Sadly, for all the fanfare associated with the creation of the OHS, and
despite the definite need for a centralized government body to address
this issue, many security professionals (including this one) view the
OHS as a typical government response to a major tragedy - namely, the
creation of more bureaucracy to address whatever caused the tragedy in
the first place. 

The OHS is not a new concept, but a rehash of several previous federal
initiatives that have proven ineffective. These previous attempts to
grasp the critical infrastructure security issue have failed, and one
wonders if the OHS will be any more successful. Most of the past
attempts created councils, commissions, and coordinators to research,
publicize, and influence change. However, none had the statutory and
political authority to accomplish its mission. Without such authority,
such entities will never be effective. What we need is not another
coordinator attempting to bring together diverse groups to discuss
watered-down policies. What we need is a security Czar: a single,
knowledgeable leader who understands the issues of "cyber-security" and
who has the real power to enact and enforce security laws in a climate
of immediate and effective action.
A brief historical survey of the Federal Government's attempts to
grapple with information security issues shows that the approach of
coordination by committee has been entirely ineffective. The first major
national effort to address security in the Information Age was The
President's Commission on Critical Infrastructure Protection (PCCIP) of
July 1996. This interagency commission, established by Presidential
Executive Order 13010, was formed to develop a comprehensive national
strategy for protecting national critical infrastructures from physical
and "cyber" threats. The same Executive Order also established the
Infrastructure Protection Task Force (IPTF) at the FBI, an interagency
entity charged with coordinating computer investigations and
infrastructure threat assessment matters. 

While the PCCIP served its mandated purpose and was dissolved shortly
thereafter, the IPTF evolved into the FBI-based National Infrastructure
Protection Center (NIPC) in early 1998 under Presidential Decision
Directive 63. This new entity was intended to assess, investigate, and
respond to threats and or attacks against components of the national
infrastructure, such as national telecommunications, energy, banking and
finance, water systems, government operations, and emergency services.
However, the NIPC soon evolved to focus exclusively on computer viruses,
hackers, and computer crime events and seemed to ignore other equally
important areas of critical infrastructure protection. The NIPC, for all
intents and purposes, became the US Government's answer to the Carnegie
Mellon Computer Emergency Response Team (CERT) - the only difference
being that NIPC's agents have law enforcement and arrest powers. In
early 2001, auditors at the Government Accounting Office (GAO) found
that NIPC had significant shortcomings and was not truly effective in
meeting its chartered responsibilities in the critical infrastructure
protection area.

In May 1998, under the same Presidential Directive that established
NIPC, a "National Coordinator" position was created whose
responsibilities included not only critical infrastructure protection
but also protection against acts of terrorism on U.S. soil. President
Clinton appointed Richard Clarke as the first National Coordinator for
Security, Infrastructure Protection, and Counter-Terrorism. This was
followed shortly by the establishment of the Critical Infrastructure
Assurance Office (CIAO) - yet another interagency organization to
coordinate protection of national critical infrastructures across the
federal government but having no direct authority to implement its
chartered responsibilities.

In early 2001, the White House, still grasping for solutions, proposed
an "Infrastructure Assurance Council" that would include 23 senior
officials from across the federal government. Again, this was a group
intended to coordinate the development of infrastructure (particularly
computer) security policy and procedures for the government. Many
security professionals shook their heads at this news - those of us in
the "real world" of security operations know that security by committee
never works, particularly in a crisis that requires an immediate
response. Furthermore, senior officials and Cabinet-level persons are no
better than CEOs when it comes to fully understanding the reality of
information assurance topics and devising effective responses. Instead
of calling on CEOs and Cabinet-level officials (the least knowledgeable
folks on this subject) to discuss the matter, the government should
involve technologists and other operational experts that have a
first-hand understanding of the issues, instead of those that simply
know of security as a routine corporate function at a very high level.

From this brief history, you can see the repeated attempts of the US
government to deal with information security matters. Yet, despite these
various undertakings, there has been little real, effective work done in
this area. Reading the assorted reports, audits, and Congressional
testimony on the government's approach to information security since
1995 is akin to listening to a compact disk with a scratch on it. Six
years later, we're still hearing and seeing the exact same assessments
and analysis. Yet there are plenty of reports, presentations, briefings,
and calls for more resources and research - and more ways of "addressing
the problem" while not really addressing the problem.

This brings us to September 2001. With the Presidential Proclamation
creating the Office of Homeland Security, Richard Clarke, the
Clinton-appointed "cybersecurity coordinator", has been renamed as the
President's Special Advisor for Cyberspace Security, one of two deputies
in this new office. His mission again is to coordinate interagency
efforts to secure information systems and, in the event of a disruption,
coordinate efforts to restore critical systems. Backing him in his
efforts to coordinate policy development and related initiatives is the
Homeland Security Council, which is essentially a reincarnation of the
aforementioned Infrastructure Assurance Council, and its requisite
supporting committees and bureaucracies. 

Clarke has major national security responsibilities but no statutory
authority to enact the change required by those duties. He has little
influence over agency cybersecurity budgets, and he has essentially been
dropped into a turf battle between the security offices of various
government agencies, all of whom have existing budgets and statutory
responsibilities for cybersecurity initiatives within their respective
organizations. Little has changed organizationally and politically since
his last assignment under the Clinton Administration - as such, Clarke
is facing a difficult, uphill battle. If (more likely when) he meets
resistance by some government department, his sole recourse is to ask
the President to intervene and in essence, fight Clarke's
almost-inevitable battles for him.

I am a realist and, while I hope that Clarke becomes empowered with
sufficient authority to make a difference and fulfill his
responsibilities, I don't have much hope that his role as a coordinator
in this new organization will be effective. We don't need more
bureaucracy, research projects, or audits; we already know what the
problems, threats, and risks are. We don't need coordinators or
consensus-driven councils of cybersecurity. In order for government
critical infrastructure protection initiatives to be truly effective, we
need the person charged with those responsibilities to be empowered
under law with the requisite authority to force other agencies to get in
step with his office's policies and direction.

It's high time to shed the traditional government mentality that
attempts to solve problems with additional staffing, studies, reports,
and bureaucracies. Richard Clarke is the right man for the job; however,
unless he is designated as a "director" or "czar" instead of a
"coordinator", his role in the Homeland Security Council will result in
yet another failed attempt by the federal government to address
information assurance matters.

---------------------------------------------------------------
To leave the list: send mail to infowar - de-request - infopeace - de
with "unsubscribe" in the body.