A Year Later, Cybersecurity Post Still Vacant

By Brian Krebs
Special to The Washington Post
Thursday, July 13, 2006

One year after the Department of Homeland Security created a high-level post for coordinating U.S. government efforts to deal with attacks on the nation's critical technological infrastructure, the agency still has not identified a candidate for the job.

On July 13, 2005, as frustration with the Bush administration's cybersecurity policy grew on Capitol Hill, Homeland Security Secretary Michael Chertoff announced the new assistant-secretary job opening.

Critics say the year-long vacancy is further evidence that the administration is no better prepared for responding to a major cyber-attack than it was for dealing with Hurricane Katrina, leaving vulnerable the information systems that support large portions of the economy, from telecommunications networks to power grids to chemical manufacturing and transportation systems.

"What this tells me is that [Chertoff] still hasn't made this a priority," said Paul Kurtz, formerly a cybersecurity adviser in the Bush administration and now a chief lobbyist for software and hardware security companies. "Having a senior person at DHS . . . is not going to stop a major cyber-attack on our critical infrastructures," he said, "but [it] will definitely help us develop an infrastructure that can withstand serious attacks and recover quickly."

George W. Foresman, DHS undersecretary for preparedness, assured critics that DHS is "in the final stretch" of approving a candidate.

Around the time of the agency's inception in early 2003, the administration released the "National Strategy to Secure Cyberspace," a detailed road map for securing the nation's most critical information networks and for crafting a disaster-recovery and response plan in case of a major cyber-attack or other massive malfunction.

The far-reaching plan led many in the high-tech community to be optimistic that DHS would establish a cybersecurity post with influence over the agency's policy and spending priorities. But when administration officials relegated it to a lower hierarchical rung -- one without daily access to DHS top decision-makers -- nearly two years of bureaucratic turf wars ensued. Three cybersecurity officials resigned, and two complained publicly about their lack of authority.

James Lewis, director of technology and public policy at the Center for Strategic and International Studies in Washington, said the administration had already decided that such computer initiatives would siphon funds away from physical security for high-value potential terrorist targets. The high-level post "was forced on them by Capitol Hill," Lewis said. "Left to their own devices, the White House wouldn't have created the position."

"A department that has failed [for a year] to find an assistant secretary, even by Washington standards . . . has to be some kind of record," said Roger W. Cressey, chief of staff of the president's critical infrastructure advisory board, which was dissolved in 2003 just before the formation of the Department of Homeland Security.

Foresman said that DHS has "looked at candidates who had solid backgrounds in telecommunications and in cybersecurity, but we have found a lesser number of candidates who had a great background in both areas."

One candidate -- Guy Copeland, vice president for information infrastructure at California-based Computer Sciences Corp. -- said he was among nearly a dozen similarly qualified industry experts who were approached. He said he declined for personal and financial reasons, but he noted that others were apparently eliminated for political or professional considerations.

Copeland said he hopes DHS finds someone soon "who can not only go to [Congress] and argue for the resources . . . but also can help organize the [post-attack] response from various industry sectors."

John McCarthy, director of the critical infrastructure program at the George Mason University School of Law, agreed. He noted that a few months after the administration released its cybersecurity plan, one of his graduate students submitted a dissertation containing detailed maps showing key points in the Internet infrastructure that -- if targeted by terrorists -- could wreak outages capable of bringing major U.S. industries to a halt. Government officials suggested that the dissertation be classified, but the student ultimately agreed not to publish the details, according to McCarthy, who said he was approached about the vacant DHS post but was eventually passed over.

Security experts say many of the computers that operate critical infrastructure are increasingly connected to Microsoft Windows systems and to the Internet to offer public utilities a cost-effective way to manage their far-flung assets. But that exposure makes power, water, sewage and other such systems vulnerable to an online attack, said Alan Paller, director of research for the SANS Institute, a computer security training group in Bethesda.

Foresman defended the agency, noting that DHS recently conducted simulation exercises with IT companies to determine how government and industry could collaborate to "build better layers of resilience" into critical systems.

But McCarthy said it is a question of when -- not if -- a major portion of the U.S. economy comes under a cyber-attack. "I believe that as we as a society and economy move towards a greater reliance on these vulnerable communications networks, that those who would wish us harm will find ways to target those infrastructures in ways we haven't thought about, and that's going to present a major challenge for whoever is picked for that position."

Krebs is a washingtonpost.com staff writer.

© 2006 The Washington Post Company