
US: Homeland Cybersecurity Efforts Doubted

Homeland Cybersecurity Efforts Doubted

By Michael Fitzgerald
March 11 2003 

It's existed for less than two weeks, but analysts are already
concerned that the newly formed Department of Homeland Security's
cybersecurity unit may not grow up to be the powerhouse of efficiency
and expertise it was billed as.

Nearly every government cybersecurity agency was swept into the new
cabinet-level Department's "Directorate of Information Analysis and
Infrastructure Protection" -- making the new directorate the single
largest computer security organization the U.S. government has ever

The Critical Infrastructure Assurance Office (CIAO), formerly part of
the Department of Commerce, made the move, as did the FBI's National
Infrastructure Protection Center. The Federal Computer Incident
Response Center left the General Services Administration to head to
the DHS. Even the Department of Defense's National Communications
System, which handles emergency preparedness for telecom, moved to the
new department.

The DHS also houses the Secret Service, which is expanding its
cybercrime efforts, adding at least one "Electronic Crime Special
Agent" to every field office. The service recently upped the number of
cities with an Electronic Crime Task Force from one (New York) to
nine, and has developed a National Threat Assessment Center with
Carnegie-Mellon's CERT/CC.

But despite the number of agencies involved, cybersecurity generally
seems to have slipped in importance for the Bush Administration. One
obvious sign is the dramatic decrease in the visibility of the
National Strategy to Secure Cyberspace. The strategy was trumpeted by
the White House and taken seriously by industry until its
anticlimactic release as a draft version, followed by an almost
unheralded final release on Valentine's Day as a generally toothless

Last month the President also abolished the high-level Critical
Infrastructure Protection Board, which was established after the
September 11th attacks and run by Richard Clarke, a high-profile
30-year veteran of government. The board will be reborn inside the
DHS, but with lower-level people.

Adding to the confusion, President George W. Bush used his State of
the Union address in January to announce a new Terrorist Threat
Integration Center that seems to duplicate at least part of what the
DHS is supposed to do, coordinating information flow between the DHS,
FBI, Central Intelligence Agency and the Department of Defense.

"The cybersecurity effort hasn't gotten a lot of support and
enthusiasm from anywhere," says Will Rodger, director of public policy
at the Computer and Communications Industry Association (CCIA) in
Washington, DC. He says the DHS looks like just another federal feint
at security, with no actual structure, and no consequences for

Adding to the lack of clarity is what seems to be a mass exodus by
many long-time cyber policy influencers. The list of departures is
headed by Clarke, who spearheaded the National Strategy for Cyberspace
Security, and was the federal government's most visible cheerleader
for better network security in and out of government.

Tough Job

Brian Stafford also retired as director of the Secret Service, mere
weeks after he appeared at the National Strategy draft unveiling; he
was replaced in January by W. Ralph Basham. Ron Dick, director of the
National Infrastructure Protection Center, retired from that post in
December, and John Tritak recently left his position as director of
the CIAO.

Meanwhile, the key cybersecurity role in the DHS, Undersecretary of
Intelligence Analysis and Infrastructure Protection, remains vacant --
Gen. James Clapper turned down the Undersecretary job in January.  
Insiders say Bush's creation of the Terrorist Threat Integration
Center has killed interest in the position, a significant issue in the
title-happy Beltway. That leaves Infrastructure Protection as the only
directorate that does not have at least a named undersecretary.

"In government, committees without leaders might as well not exist,"  
notes Harris Miller, president of the Information Technology
Association of America, a tech industry trade group. Miller's vote for
the neglected post is Howard Schmidt, the former Microsoft CSO who
took over for Clarke at the White House; Schmidt has been mentioned as
a potential candidate for the undersecretary's job, though his lack of
experience in the intelligence world may hurt his chances. Miller says
that Schmidt can do the job, and if he isn't picked, someone with his
ability and clout has to be named to it. "Otherwise, we will feel the
administration has lost its focus on cybersecurity," Miller says. "If
they don't do that, they're making a mistake."

Miller doesn't want to be overly critical -- it has been less than two
weeks, after all, and senior Bush Administration officials assure him
that cyber security remains a priority. "I trust the people there, but
trust needs to be verified," Miller says. "Right now we're running on
assurances rather than definite information."

For its part, the DHS points to its recent successful handling of the
Sendmail flaw as a sign of its effectiveness. But that event was
handled almost entirely before any of the groups involved were pulled
into the Department, so the incident cannot be treated as even a minor
test of the Department's abilities.

Even DHS supporters say that it isn't clear exactly what sort of cyber
security mandate exists for the Department.

"It's really unsettled," says Jody Westby, president of The Work-IT
Group in Denver, Colo. Westby is the editor of the American Bar
Association's new Guide to Combating Cybercrime. She thinks that the
DHS will improve coordination amongst the government's infrastructure
players, in part because it has a single CIO, Scott Cooper, working
across all 22 of its agencies. Westby also thinks that recent
legislation that guarantees confidentiality for businesses that
present information about cyberattacks to the DHS might increase
private-sector cooperation with the Department. But she's concerned
about a lack of funding for the undersecretary's office. "It has maybe
$25 million," Westby said. "That's not very much money."

Overall, the new DHS's $37.7 billion budget earmarks only $3 billion
for cybersecurity, according to Gartner Group's John Pescatore. So the
Infrastructure Protection directorate, one of five directorates in the
DHS, appears in line for less than 10 percent of funds.

Who ya gonna call?

Observers say the reorganization has muddled the question of where
victims of cybercrime should go to report an incident. "We tell
clients to check with legal counsel before getting law enforcement
involved," said Pescatore, a former Secret Service agent. In part,
that's to protect corporations from potential backlash from
shareholders and customers. Pescatore said that even when there was
good reason to contact law enforcement, "who you go to is tremendously

Indeed, a concerned corporation or citizen could report intrusions to
the local FBI office, to InfraGard, which was part of NIPC but
remained with the FBI, to the Secret Service, to the IAIP, or even to
the new Terrorist Center. In the short term, then, the creation of the
DHS "seems to have exacerbated confusion," said one former government
security official, speaking on condition of anonymity.

To be fair, the DHS is an immense undertaking, the biggest government
reorganization effort since the Department of Defense was created
after World War II. Such a reorganization will require time.  
Department secretary Tom Ridge still needs to fill a number of key
positions across his directorates, and the Department understandably
needs to make physical security a priority, in anticipation of
potential terrorist strikes at America.

Most analysts hold out hope that, given time, the DHS may well improve
the security of the nation's infrastructure. Departed officials may be
replaced by people with fresh eyes and energies. In particular, a new
Undersecretary could galvanize efforts at intelligence analysis.  
Government, too, they say, can't be the only answer -- it can't make
private companies install patches, or end-users stop clicking on
attachments. Still, CCIA's Rodger, for one, is wary of what the DHS
will do for the nation's cybersecurity. "I'd like to say 'hackers
beware.' I'd like to say the Feds are going to get you. But I can't."
