Cybersecurity? What cybersecurity? Citizens who may have harbored the idea that there was a murderously efficient J. Edgar Hoover of the Internet, working day and night, will be much disappointed at the contents of two recent government reports. They are easy to summarize: not only is very little of use being done, but essentially nobody is doing it. There is barely a boss and hardly any techno-G-men defending us from hackers, terrorists, scam artists, foreign nations, and others who might wish to do our Internet harm.
The major problems in Internet security [many of which are detailed in “The Internet Is Broken”], are nowhere close to being addressed at the federal level, and what little is being done is on the wrong track, favoring summits, partnerships, and “information sharing” over the much more necessary but less visible work of long-term research and development.
These charges seem less outrageous considering the state of the position of assistant secretary for cybersecurity and telecommunications, in the U.S. Department of Homeland Security. This is the office nominally charged with coordinating and overseeing our government’s efforts to secure cyberspace, which have run into a slight problem: there is no assistant secretary of cybersecurity and telecommunications.
And there hasn’t been since July 2005, when secretary of homeland security Michael Chertoff announced the creation of the position as part of a reorganization. The position it succeeded had been the product of a reorganization, too. There is an acting director of the old department, the National Cyber Security Division, but his office will be bumped down a level upon the appointment of the assistant secretary.
That’s business as usual at the DHS, where, in the last four years, three appointees, all solid industry veterans, have reported to head up the various incarnations of the cybersecurity department but packed it in after about a year. One seems to have left out of frustration – the position, whatever it has been called, holds little power but all accountability for anything that might go wrong – and others have seen their department evaporate from beneath them.
All of this is detailed in “Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities,” a report presented by the U.S. Government Accountability Office to Congress in May 2005. By the standards of a document written in government-ese, it’s withering. It contends that “While DHS has initiated multiple efforts, it has not fully addressed any of the 13 key cybersecurity-related responsibilities that we identified…and it has much work ahead in order to be able to fully address them.”
The GAO, in its criticisms, starts with the basics. The DHS has no plan. It has an interim plan, the Interim National Infrastructure Protection Plan, but that “does not yet comprise a comprehensive and complete plan.” It is missing, for one thing, details on “addressing cybersecurity in the infrastructure sectors.” This means there is no plan to defend the financial industry and water and electric utilities from attacks. That’ a serious lack of plan.
The network police also seem to have their own trouble networking. One of the DHS cyber division’s main responsibilities is “information sharing,” among agencies and with state and local government and businesses. Relations with some of these are “disintegrating.” The cyber division has had limited authority to move classified information around, and the private sector, unsure who’s at the bridge, has been slow to share secrets of its own.
Nor is DHS developing the analytic tools needed for an effective defense system. Like the rest of us, the agency can tell when an attack is well under way – hey, my computer keeps shutting down! – but it has failed to produce a reliable early-warning system. The report notes that the GAO made this same complaint four years ago but that “officials have taken little action.”
The GAO also notes a real lack of recovery planning, including a shortage of preparatory exercises. Nor has the DHS done enough to assess the problems it faces, as is called for in policy documents. Failing to assess vulnerabilities will lead to difficulties in deciding which resources to allot to which sector. DHS, in short, isn’t even sure what threats we face. The report also notes a lack of guidance from the cybersecurity department in setting goals for long-term research and the “unclear” effectiveness of awareness efforts – both those directed toward the public and those directed toward other agencies and government entities.
Not surprisingly, the GAO places the blame for all of this inactivity on the deleterious effects of the revolving door in the head office and the consequent lack of stability and authority within the division. With such volatility, the report states, it’s been almost impossible to hire the best people, “key contractors” have had to work without pay, and vendors have even gone unpaid.
The second report, “Cyber Security: A Crisis of Prioritization,” was prepared by the President’s Information Technology Advisory Committee (PITAC) and delivered to the executive branch in February 2005. It’s equally pessimistic but, on the bright side, does in its way offer a solution to the long-term problem of cybersecurity. Whether it will be heeded is another matter. Where the GAO limited itself to assessing how the DHS was doing by the relatively narrow standards of the DHS’s own mission statements and policy, PITAC provides more thoughtful criticism of and advice about the approach of the entire government, focusing on the kinds of research that will ultimately solve our network security problems.
PITAC was a group comprising about equal numbers of academics and representatives of the technology industry, and the Cyber Security Subcommittee, which prepared the report, was chaired by Tom Leighton, MIT prof and Akamai cofounder. Originally appointed by Clinton, the gang was reupped by Bush early in his first term. After it delivered its report, its contract was not renewed. This is not surprising, as it had few encouraging words about the government’ current approach.
The executive branch specifically asked for comments on the state of research and development in Internet security, and PITAC responded with certainty that “the Federal government needs to fundamentally improve its approach to cyber security.” The current security problem, the report argues, derives from a “decades-long failure to develop the security protocols and practices…and to adequately train and grow the numbers of experts needed to employ these mechanisms effectively.”
Research and development funds, the report argues, are increasingly being funneled toward defense-related technology with short-term objectives. Worse, that technology is kept classified, a serious obstacle considering that the majority of the Internet’s infrastructure is in private hands. Nor is the private market picking up the slack, focusing instead on “the application of existing technologies to develop marketable products.”
This, the report points out, is in sad contrast to the larger federal research budgets of old, and the relatively open halls of the Advanced Research Projects Agency in the Department of Defense, which in retrospect comes off as something like Rafael’s School of Athens, and which gave us the Internet in the first place. The National Security Agency is funding such open research through its Information Assurance group, but only 20 percent of that money is headed toward fundamental research, and only $3 million of that toward academic research. In the world of Washington, that’s nothing.
The majority of federal funding for open civilian research is doled out through the National Science Foundation, DHS, the National Institute of Standards and Technology, and the Department of Justice, but the NSF grants the lion’s share of these funds. DHS is barely supporting long-term research, with a mere $1.5 million of its $1 billion science and technology budget. The report recommends an increase of $90 million in the NSF budget alone, noting that merely 8 percent of NSF grant applications for cybersecurity research were filled, or one-third of the agency’s average across disciplines.
As for personnel, the report claims that at U.S. academic institutions today, “there are fewer than 250 active cyber security or cyber assurance specialists,” largely due to “insufficient” and “unstable” funding. PITAC would like to see the size of the research community at least doubled. Lastly, the report points out that “the government-wide coordination of cyber security R&D is ineffective,” with agencies focusing on “their individual missions” and losing sight of “overarching national needs.”
So here we have two major problems: an open position in a dysfunctional department and a serious lack of long-term research. With that in mind, is it too much to hope for a different kind of candidate for the job of assistant secretary than the last few we have seen? Instead of looking for an old Beltway hand or an exec from the IT business, perhaps the administration ought to look for the kind of person who can’t wait to spend a few hours pondering the possibilities of self-aware and self-healing systems. Such a figure might be less useful in overseeing the myriad of talks that go on between agencies at home and abroad, but the handshakes so far haven’t produced much, and given the vulnerabilities of the Internet in its current design, they seem unlikely to pay off with anything more than a very full calendar of seminars and announcements. DHS needs a visionary.
Bryant Urstadt has written for Harper’s, Rolling Stone, and the New Yorker.