Cybersecurity? What cybersecurity? Citizens who may have harbored the idea that there was a murderously efficient J. Edgar Hoover of the Internet, working day and night, will be much disappointed at the contents of two recent government reports. They are easy to summarize: not only is very little of use being done, but essentially nobody is doing it. There is barely a boss and hardly any techno-G-men defending us from hackers, terrorists, scam artists, foreign nations, and others who might wish to do our Internet harm.
The major problems in Internet security [many of which are detailed in “The Internet Is Broken”], are nowhere close to being addressed at the federal level, and what little is being done is on the wrong track, favoring summits, partnerships, and “information sharing” over the much more necessary but less visible work of long-term research and development.
These charges seem less outrageous considering the state of the position of assistant secretary for cybersecurity and telecommunications, in the U.S. Department of Homeland Security. This is the office nominally charged with coordinating and overseeing our government’s efforts to secure cyberspace, which have run into a slight problem: there is no assistant secretary of cybersecurity and telecommunications.
And there hasn’t been since July 2005, when secretary of homeland security Michael Chertoff announced the creation of the position as part of a reorganization. The position it succeeded had been the product of a reorganization, too. There is an acting director of the old department, the National Cyber Security Division, but his office will be bumped down a level upon the appointment of the assistant secretary.
That’s business as usual at the DHS, where, in the last four years, three appointees, all solid industry veterans, have reported to head up the various incarnations of the cybersecurity department but packed it in after about a year. One seems to have left out of frustration – the position, whatever it has been called, holds little power but all accountability for anything that might go wrong – and others have seen their department evaporate from beneath them.
All of this is detailed in “Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities,” a report presented by the U.S. Government Accountability Office to Congress in May 2005. By the standards of a document written in government-ese, it’s withering. It contends that “While DHS has initiated multiple efforts, it has not fully addressed any of the 13 key cybersecurity-related responsibilities that we identified…and it has much work ahead in order to be able to fully address them.”