CYBERSPACE – Months before hurricane Katrina struck the Gulf Coast, federal auditors warned that the Federal Emergency Management Agency (FEMA) did not have effective procedures for sending equipment or human resources into disaster areas, an assessment that appears to have been tragically accurate. Now, similar reporting is coming in from government auditors tasked with overseeing the cybersecurity efforts of the Department of Homeland Security (DHS).“While DHS has initiated multiple efforts to fulfill its responsibilities, it has not fully addressed any of the 13 responsibilities, and much work remains ahead,” the General Accounting Office (GAO) stated in its Critical Infrastructure Protection report, issued in May of this year. “DHS has not yet developed national cyber threat and vulnerability assessments or government/industry contingency recovery plans for cybersecurity, including a plan for recovering key internet functions.”
While DHS rejects the notion that they are ill-prepared on inattentive to issues of cybersecurity – “Cybersecurity has been and continues to be one of the department’s top priorities,” says Homeland Security spokesman Kirk Whitworth – many security experts and watchdog groups dismiss the department’s claims as mere posturing, and an attempt to dodge the sort of criticisms that have dogged FEMA and DHS in Katrina’s aftermath.
“When you look at the events of Katrina, you kind of have to ask yourself the question, ‘Are we ready?’” said Paul Kurtz, president of the advocacy group Cyber Security Industry Alliance, in an interview with Cnet News. “Are we ready for a large-scale cyberdisruption or attack? I believe the answer is clearly no.”
The administration’s top cybersecurity position, Chairman of the Critical Infrastructure Protection Board – more commonly referred to as the “Cybersecurity Czar” – has seen a great deal of turnover in the past 2-plus years. Since Richard Clarke resigned his post in early 2003, the top cybersecurity spot has been filled by Howard Schmidt (a strong backer of the Communications Decency Act, it should be noted), Amit Yoran, and finally Robert Liscouski, who has defended the department’s performance on cybersecurity vigorously, but who has not been replaced since resigning in January. In July, Secretary of DHS Michael Chertoff said he would fill the vacant post quickly, but a successor has yet to be named, some 3 months later.
Part of the problem may be a lack of interest in taking the job on the part of those qualified to fill it. “I sure wouldn’t take that job,” Avi Rubin, a professor specializing in cybersecurity at Johns Hopkins University, told Cnet. “It only has a downside.”
Rubin added that, in the event of a cybersecurity disaster, “The person who was Cybersecurity Czar would be out of a job and would be blamed, even though it might have been someone else not following a policy,” he said.
As the feds are wont to do, they have come up with both a purely symbolic response to the issue (this is “National Cyber Security Awareness Month”, in case you were not ‘aware’) and exercised their bureaucratic reflexes by proposing legislation that would create a new assistant secretary for cybersecurity.
As proposed, the assistant secretary for cybersecurity would report directly to the Homeland Security director; currently, the Cybersecurity Czar is several layers of bureaucracy removed from the DHS director.
“Creating an assistant secretary is far more than just an organizational change,” said representative Mac Thornberry (Republican, TX) when introducing the bill to the House. “It is an essential move to assure that cybersecurity is not buried among the many homeland security challenges we face.”
While it’s not entirely clear why DHS couldn’t simply be restructured so that the (currently vacant) position of Cybersecurity Czar reports directly to the DHS chief, rather than creating the new assistant secretary post, observers are hopeful that the restructuring and new hires announced in July will help sort out the muddle which DHS’ cybersecurity efforts have become.
“It’s been a mess for over four years, and hopefully the new folks will fix this,” said Jim Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. “In the previous incarnation, DHS and the Homeland Security Council didn’t really know what to do with cyber – it’s been a deer-in-the-headlights experience for them. It’s not clear who’s even in charge.”
According to Lewis, one cause for concern is the sheer number of different agencies with some level of involvement with cybersecurity. “When you look at all the different committees who assert they have a role in cybersecurity, it’s about a dozen,” Lewis said. “Whenever you have 12 committees in charge, that means no one’s in charge.”
