After months of escalating criticism from the IT industry that the Bush administration is devoting insufficient resources and attention to cyber-security, the fledgling Department of Homeland Security is already restructuring to give network safety a higher profile.
The organizational changes, due to take place over the coming months, will show that the executive branch is taking cyber-security seriously, according to Charles McQueary, undersecretary for science and technology at the new department.
McQueary addressed lawmakers here last week at a hearing of the House Committee on Science. The session took on a very un-Washington, almost-surreal quality as legislators chided civil servants for not chasing after enough funding for cyber-security research and development, and civil servants answered that there is plenty of money already being spent.
"We're not lacking for funds," Anthony Tether, director of the Pentagon's Defense Advanced Research Projects Agency, told the committee. "I funded every idea that's come forth in this area this year. We're more idea-limited right now than we are funding-limited."
Acting on ramped-up industry lobbying, legislators took to task the DHS, DARPA, the National Science Foundation, and the National Institute of Standards and Technology for not seeking out or setting aside adequate funds for cyber-security. The preoccupation with national security since the terrorist attacks of Sept. 11, 2001, was expected to unleash a torrent of government spending on IT goods and services, but the federal funds have not been as forthcoming as the industry had hoped.
According to committee Chairman Sherwood Boehlert, R-N.Y., there have been complaints from throughout the research community that the DHS is not focusing on solving network vulnerabilities and that DARPA is operating under reduced resources.
"It's impossible to conclude that far more needs to be done," Boehlert said, directing DARPA's Tether to "enlighten us as to why we're moving in the wrong direction."
Most of DARPA's resources are directed at classified projects, according to Tether, who said that a peek at the agency's classified budget would make lawmakers more comfortable with the funding level.
"We're not concerning ourselves [with] the commercial networks," Tether said, adding that DARPA is focused on solving problems that the private sector currently does not confront. The military faces threats from "attackers whose life depends on taking the network down," he said, and projects are under way to make those networks increasingly wireless and peer to peer.
"We're really far ahead of the commercial world in this regard," Tether said, adding that a prototype military network with 400 nodes to use for simulated attacks is in the works.
Last week, DARPA sent its data mining report to Congress. Following public outcry over the research last year, the agency changed the project's name from Total Information Awareness to Terrorism Information Awareness.
When President Bush disbanded the President's Critical Infrastructure Protection Board earlier this year following the resignation of its chairman, Richard Clarke, responsibilities for cyber-security were transferred to DHS Secretary Tom Ridge. However, the subject was not given a sufficiently high profile or a sufficiently high-ranking executive to satisfy the industry.
Turning the tables and taking a shot at the private sector, federal research officials told the Science Committee last week that if there is less-than-optimal attention devoted to cyber-security today, it is a result of problems in industry, not the government.
"As a nation, our greatest vulnerability is indifference," said Arden Bement, NIST director, citing recent surveys indicating that private enterprises "don't really see themselves as a target."
"They just haven't quite stepped up to the plate," said Bement, in Washington.