Cyber Security's Cassandra Syndrome
A proposal to create a senior-level cyber security position at the Department of Homeland Security is killed at the eleventh hour. Why is this issue such a problem for the Bush administration?
The big news surrounding the passage of the Intelligence Reform Act this week was the creation of a new, top-level intelligence director position, which will oversee all aspects of intelligence gathering and dissemination in the U.S. government.
But the technology community was calling foul at the elimination of another proposed high-level post. During last-minute, “mercurial” conference sessions, a provision that would have created an assistant secretary of cyber security within the Department of Homeland Security (DHS) was eliminated.
“The executive branch must exert more leadership” in this area, says a statement issued this week by the Cyber Security Industry Alliance, a Washington-based lobbying group.
Many hoped the post would help end the musical-chairs nature of the current cyber security director position, which has been a problem since the Bush administration took office in 2000.
President George W. Bush appointed Richard C. Clarke to be the nation’s first cyber security “Czar,” but he resigned in frustration in February 2003. He was followed by Howard Schmidt, now the chief security officer at eBay, who also quit after two months. Most recently, the position was held by Amit Yoran, a former Symantec executive. But by then the position was a part of the DHS, and Yoran, reportedly frustrated by the lack of attention given to the issue, resigned in October after just one year.
No one doubts the necessity of protecting the nation’s airports and infrastructure, but the topic of cyber security doesn’t require a senior-level post, says the DHS, which requested the excision, according to Harris Miller, president of the Information Technology Association of America (ITAA).
“We’re still examining respective options for reorganization,” says Katie Mynster, a spokesperson for DHS. “[But] regarding that position specifically, we continue to believe that the integration of physical and cyber security within the Infrastructure Protection Directorate is the best method to protect the nation’s infrastructure.”
Security observers fear that with the elimination of the assistant secretary proposal, cyber security could slip further down the mindshare and budget priority list. Miller says that because the assistant secretary position is a political appointee-level post, requiring congressional approval hearings, it carries far more heft than the current staffing level.
But there’s a more practical consideration as well, Miller says. The assistant secretary position is two people removed from the president’s ear, instead of the five that exist now.
“Unless you’re a senior person, it’s tough to meet other senior people. It’s harder to get face time,” says Miller. “Washington is all about clout, real and perceived.”
Technology industry organizations on the Hill that opposed the position’s elimination fear that without a senior-level person pushing for budgets and awareness, the nation risks a critical infrastructure attack, one that could cost multiple billions of dollars and possibly lives.
Right now, much of the discussion around cyber security involves hackers shutting down websites and stealing personal information. But with networked sensors and software-based operations at our nation’s power plants, petroleum refineries, and other critical locations, cyber security proponents fear that someone might try to gain access to these points as part of a larger, coordinated attack with terrorism – not hacker hijinks – as a motive.
Further complicating the issue is the wide variance in security awareness among different industries and sectors. The finance industry, for example, is very much attuned to the issue of cyber security, whereas the agriculture, energy, and education sectors either don’t have the budget or don’t think the topic is a problem. Proponents say government-led initiatives, shepherded by an assistant secretary-level position, could help educate industries and the public, and work to protect against cyber attacks.
“The message the Department of Homeland Security is sending is that cyber security just isn’t that high of a priority,” says Miller.