Nation's Top Cyber-Security Post Elevated

By Brian Krebs Staff Writer
Wednesday, July 13, 2005; 5:09 PM

As part of a major reorganization outlined today, the Department of Homeland Security announced plans to give more bureaucratic heft to its top official in charge of keeping computer infrastructure secure, a move that critics of federal cyber-security policy have espoused for years.

Under a restructuring plan detailed by DHS Secretary Michael Chertoff, the upgraded position -- which will now include the nation's telecommunications infrastructure in its area of responsibility -- would be placed inside a new directorate within the department, just two positions below Chertoff's. The previous cyber-security director was situated five organizational rungs below the DHS secretary.

The department's current top cyber-security post remains unfilled following several recent high-profile resignations within the division. None of the three officials who held the post remained in the position for much more than a year, and all cited frustration with a lack of consistent access to highly placed administration officials.

Lawmakers in Congress and private sector officials -- many of whom have maintained that DHS cyber-security leaders have been denied sufficient authority and resources to do their jobs -- roundly praised the reorganization plan, saying it should give the cyber division and its top officials much-needed legitimacy and direction.

Marcus Sachs, a former White House cyber-security advisor for the Bush administration, said the department's cyber division has failed in one of its most basic functions: providing early warning about widespread Internet attacks.

"There still isn't any timely reaction or response to the bad things happening online because they still have a very deeply bureaucratic process that prevents them from sounding the alarm," said Sachs, who now directs the SANS Internet Storm Center in Bethesda. "Hopefully this new position will give the [cyber division] the political clout it needs to push its agenda."

Rep. William "Mac" Thornberry (R-Tex.), who along with Rep. Zoe Lofgren (D-Calif.) co-authored legislation to elevate the authority of the department's top cyber official, said the development would "help ensure that these issues ... don't get buried by layers of bureaucracy," but added that much will depend on the quality of the candidate picked for the new position.

"It's important to have someone who is credible and that [the] industry has confidence in ... someone who can build the kind of trust and information-sharing relationship that you have to have to be successful in an effort where 90 percent of the nation's computer infrastructure is in private hands," Thornberry said.

The shift should help the department build greater credibility with both Congress and the IT industry, said Harris Miller, president of the Arlington-based Information Technology Association of America.

"The appropriators on the Hill have been skeptical about [funding] requests from DHS because it's hard to justify spending more money on cyber when everyone thinks you're doing a crappy job with what you've been given," Miller said. "This new position should help the department set some clear priorities and timetables and a way to achieve those goals in a more meaningful partnership with the private sector."

The roles and responsibilities for the department's cyber czar were first laid out in the Bush administration's National Strategy to Secure Cyberspace, a document released in February 2003 -- when DHS came into being -- that envisioned protecting key areas of the Internet from digital sabotage as part of a broader strategy for guarding vital U.S. assets.

At the time, industry officials pushed for the person in charge of those efforts to hold an assistant-secretary-level position with direct access to then-secretary Tom Ridge. Instead, the position was placed several steps down in a job that answered to Robert P. Liscouski, then the department's assistant secretary for infrastructure protection.

Liscouski resigned in January amid criticism that he had impeded initiatives from the cyber division that might have given it a higher profile, part of a string of resignations in and around the division. In October 2004, former cyber director Amit Yoran unexpectedly quit the post after little more than a year. Yoran's predecessor, Howard Schmidt, stepped down after just three months on the job.

Schmidt replaced Richard Clarke, the department's first director, who abruptly left the department three months earlier after it became clear he would not be included in regular consultations with the Homeland Security director.

Liscouski had argued that cyber-security should be integrated with other security considerations, such as the physical security of power plants and transportation systems. The reorganization plan would give the new assistant secretary position sole responsibility for cyber-security and telecommunications security.

Although no full-scale cyber-attacks have occurred, terrorists and organized online criminal gangs can use the Internet for everything from passing messages to transferring money. And because so many networks interconnect, cyber-security experts warn that a weak link could threaten major avenues of commerce. Digital attacks against governments, businesses and consumers cost companies and individuals tens of millions of dollars a year.

Some of the priorities highlighted in the Bush administration's cyber-security plan include creating and managing a national disaster-recovery and cyber-response system, establishing a national program to reduce software security vulnerabilities, and sharing more information on cyber threats with private-sector companies and state and local governments.

© 2005 The Washington Post Company