Thursday, July 13, 2006

Top Cyber Security Post Still Unfilled After a Year

washingtonpost.com
By Brian Krebs
washingtonpost.com Staff Writer

One year after the Department of Homeland Security created a high-level post for coordinating U.S. government efforts to deal with attacks on the nation's critical technological infrastructure, the agency still has not identified a candidate for the job.

On July 13, 2005, as frustration with the Bush administration's cyber security policy grew on Capitol Hill and Congress appeared poised to force its hand, Homeland Security Secretary Michael Chertoff announced the new assistant-secretary job opening.

Critics say the yearlong vacancy is further evidence that the administration is no better prepared for responding to a major cyber attack than it was for dealing with Hurricane Katrina, leaving vulnerable the information systems that support large portions of the national economy, from telecommunications networks to power grids to chemical manufacturing and transportation systems.

"What this tells me is that ... [Chertoff] still hasn't made this a priority ... to push forward and find whoever would be the best fit," said Paul Kurtz, a former cyber security advisor in the early Bush administration and now a chief lobbyist for software and hardware security companies.

"Having a senior person at DHS ... is not going to stop a major cyber attack on our critical infrastructures," Kurtz said, "but [it] will definitely help us develop an infrastructure that can withstand serious attacks and recover quickly."

Rep. Zoe Lofgren (D-Calif.), a co-author of the bill that would have forced the department to create the position last year, did not mince words: "I think DHS is pathetic and incompetent. It's a complete mystery what's happening over there."

But a DHS official assured critics that the agency is "in the final stretch" of approving a candidate.

"We are hopeful we'll be able to announce in the not-too-distant future an individual we think would be able to continue the work we've been doing," said George W. Foresman, undersecretary for preparedness.

Around the time of the agency's inception in early 2003, the Bush administration released the "National Strategy to Secure Cyberspace," a detailed roadmap for securing the nation's most critical information networks and for crafting a disaster-recovery and response plan in case of a major cyber attack or other massive malfunction.

The far-reaching plan led many in the high-tech community to hope that DHS would establish a cyber security post with influence over the department's policy and spending priorities. But when administration officials relegated it to a lower hierarchical rung -- one without daily access to DHS top decision-makers -- nearly two years of bureaucratic turf wars ensued. Three different cyber security officials resigned, two of them complaining publicly of their lack of authority.

James Lewis, director of technology and public policy at the Center for Strategic and International Studies in Washington, said the administration had already adopted the position that cyber initiatives would siphon funds away from physical security for high-value potential terrorist targets.

The high-level post "was forced on them by Capitol Hill," Lewis said. "Left to their own devices, the White House wouldn't have created the position."

"A department that has failed [for a year] to find an assistant secretary, even by Washington standards ... has to be some kind of record," said Roger Cressey, former chief of staff of the president's critical infrastructure advisory board, which was dissolved in 2003 just before the formation of the Homeland Security Department.

Foresman maintained that the department is not sitting still: "We've looked at candidates who had solid backgrounds in telecommunications and in cyber security, but we have found a lesser number of candidates who had a great background in both areas."

One candidate for the post -- Guy Copeland, vice president for information infrastructure at El Segundo, Calif.-based Computer Sciences Corp. -- said he was among nearly a dozen similarly qualified industry experts he knew of who were approached. He said he declined for personal and financial reasons, but noted that others were apparently knocked out of the running for political or professional considerations.

Copeland said he hopes DHS can find a worthy candidate soon -- someone who has the clout within industry and government "who can not only go to [Congress] and argue for the resources ... but also someone who can help organize the [post-attack] response from various industry sectors," he said.

John McCarthy, director of the critical infrastructure program at the George Mason University School of Law, agreed and related that just a few months after the administration released its cyber plan in 2003, one of his graduate students submitted a dissertation containing detailed maps zeroing in on key points in the Internet infrastructure that -- if targeted by terrorists -- could wreak a cascading series of outages capable of bringing major U.S. industries to a screeching halt.

Government officials suggested that the dissertation be classified, but ultimately the student simply agreed not to publish the details, according to McCarthy, who said he was also approached about the vacant DHS post but eventually was passed over.

"E-commerce is now the vehicle for delivering a wealth of private sector and government services," McCarthy said. "But cyber is now also the vehicle of choice for the bad guys to deliver and organize their services."

Security experts say many of the computers that operate critical infrastructure -- known as supervisory control and data acquisition (SCADA) networks -- are increasingly being connected to Microsoft Windows systems and to the Internet to offer public utilities a cost-effective way to manage their far-flung assets. But that exposure also makes power, water, sewage and other such systems dangerously vulnerable to online attack, said Alan Paller, director of research for the SANS Institute, a computer security training group based in Bethesda.

"Hackers have discovered that owners of SCADA systems are very sensitive and that they can make money by threatening to do damage," Paller said, adding that he is aware of at least two incidents just this year in which attackers broke into and threatened to disrupt utility operations unless the owners paid a ransom demand.

Foresman defended the agency's progress, noting that DHS recently conducted simulation exercises with IT companies to determine how government and industry could better collaborate to "build better layers of resilience" into critical systems.

But McCarthy said he believes it is a question of when -- not if -- a major portion of the U.S. economy comes under a targeted cyber attack, and that the nation desperately needs the technical and social leadership in place to deal with it when the time comes.

"I believe that as we as a society and economy move towards a greater reliance on these vulnerable communications networks, that those who would wish us harm will find ways to target those infrastructures in ways we haven't thought about yet, and that's going to present a major challenge for whoever is picked for that position."