"There's limited bandwidth within the department to let in new contracts or bring new capabilities on board," Yoran said. Often, that means DHS cyber-security leaders have to try to shoehorn new hires and purchases into existing contracts to speed them up. Political opposition killed Sachs' plans for a strong, centralized national response center for cyber-security that would have wrapped the NCSD and current CERT functions together under the US-CERT banner. Instead, the agency chose to run the two groups separately. Within the DHS, political concerns have made it harder to get and keep funding for cyber-security than for physical security, such as protecting against chemical, nuclear and biological attacks, in the wake of the Sept. 11 terrorist attacks, Sachs said. "Pre-9/11, if you wanted money for telecommunications [security], it was easy. Cyber-security was considered the soft underbelly. [After 9/11], interest flipped like a light switch ... and those same dollars shifted from being cyber-centric to being physical-centric," he said. With the devastation of Hurricane Katrina foremost in the minds of the Bush administration, Sachs worries that cyber-security dollars could again be poached, within the DHS, for disaster relief. "It's shortsighted," he said. "Our nation is becoming more dependent on cyberspace. We've got to be distance-focused as opposed to focused only on protecting the near-term infrastructure." Despite the criticisms, however, Sachs, Yoran and others said that the DHS has done an admirable job, given the challenge of creating a new department from scratch. The department has been especially effective at encouraging communication and coordination among different government agencies, such as the departments of Defense and Commerce, said Savvis' Hancock.
The DHS deserves credit for fostering communications with private-sector industry groups and ISACs (Information Sharing and Analysis Centers), said Howard Schmidt, chairman of US-CERT and former eBay Inc. chief security officer. NCSD Acting Director Andy Purdy, who took over when Yoran left, said that he does not see his division hindered by organizational instability and that he is pleased with the progress made on the two overarching priorities of building a National Cyberspace Security Response System and implementing a cyber-risk management program for critical infrastructure. "In terms of getting the work done, we haven't had instability," Purdy said, adding that he and his colleagues have striven to strengthen objectives and milestones that are not dependent on individual personalities. "We have quite a story to tell." The response system includes the US-CERT Operations Center, which was established in September 2003. US-CERT maintains the DHS round-the-clock cyber-watch, warning and incident response center. It also analyzes malicious code, conducts threat and vulnerability analyses, manages a situational awareness program for monitoring network activity in federal agencies, and manages programs for communication and collaboration among public agencies and key network defense service providers. Purdy concedes, however, that easily measurable results are not readily available when it comes to progress in cyber-security. NCSD has put together a Performance Metrics Team to ensure that its objectives can be measured, but no private-sector participants have been invited yet, he said. "You're looking for quantifiable metrics. We don't have specific metrics," he said. "We're forming a partnership with the private sector to build quantifiable metrics."
Much of the division's nonsalary budget goes toward costly risk management programs, such as the Control Systems Security Program, which cost about $15 million this year and includes an R&D component and a testbed component, Purdy said. Looking ahead, NCSD plans to develop a set of security assurance levels for control systems owners and operators, which monitor and control pipelines, water stations, chemical processing, rail and many other critical infrastructures. The division also plans to assess at least three core systems and offer recommendations to protect against threats. NCSD's Software Assurance Program also commands a hefty portion of the division's budget. The program aims to make patch management a thing of the past by encouraging developers to improve their products. However, like other federal agencies, the DHS is sensitive to the wishes of policy-makers on Capitol Hill who themselves are often in the sway of special interests, industry insiders say. In the case of cyber-security, lobbying by software vendors and Internet service providers has succeeded in keeping the DHS from pushing software vendors to improve security, said Alan Paller, research director at The SANS Institute, in Bethesda, Md. "Lobbying money is being spent on people who have drunk the [IT industry] Kool-Aid, and they're the ones who are going to meetings with government officials," Paller said.
Political exigencies also continue to play a role in how much DHS money finds its way to cyber-security, say Yoran and others. "DHS is highly politicized, it goes without saying," said Marcus Sachs, deputy director in the Computer Science Laboratory of SRI International, based in Menlo Park, Calif., and a former DHS employee who helped create the NCSD in 2003.