In the wake of the Sept. 11, 2001, terrorist attacks, President Bush commissioned a sweeping plan to secure the nation's cyber-assets. At the time, the president said it was vital to reduce cyber-threats "before they can be exploited to damage the systems supporting our nation's critical infrastructures."
But four years and billions of dollars later, the federal agencies charged with locking down the country's technology infrastructure still cannot, or will not, detail what concrete steps have been taken toward national cyber-security.
Despite a budget of more than $1.7 billion covering 2004 and 2005, the Information Analysis and Infrastructure Protection Directorate, home to DHS' core cyber-security activity, has yet to address a single item among its stated cyber-security responsibilities. That judgment comes not from academics or contractors but from the Government Accountability Office.
Officials denied eWEEK's requests for itemized budget figures, including salaries and specific program expenses. DHS spokesperson Michelle Petrovich said salaries for nonappointees are private. In addition, much of the budget is classified because it "typically gets into the intelligence realm," Petrovich said.
Among the initial cyber-duties not yet completed are the development of national cyber-threat and vulnerability assessments and the development of government/industry contingency recovery plans, according to the GAO, which offered an overview of the department's cyber-security challenges in July. The department's failure to accomplish such preliminary tasks after two years is leaving lawmakers increasingly uneasy.
Sen. Joseph Lieberman, D-Conn., the ranking minority member on the Committee on Homeland Security and Governmental Affairs, said he wished more progress had been made over the last year. "I don't expect overnight success, but I do expect visible improvement in DHS' ability to protect the cyber-structure that underpins our nation's critical infrastructure," Lieberman said.
The tasks of identifying, assessing and analyzing cyber-risks can be amorphous, but a nearly complete absence of measurable goals or quantifiable results has prompted Congress to demand more. Noting that a security plan requires measurable goals and milestones, Sen. Tom Coburn, R-Okla., chairman of the Subcommittee on Federal Financial Management, Government Information and International Security, said, "Vulnerabilities still exist today, only now they are less excusable" than they were two years ago.
"America expects DHS to take every reasonable measure to protect us from terrorism," Coburn said. "I am not convinced that threshold has been met."
The department is hobbled by the massive task of integrating under one roof functions that had been scattered throughout the federal bureaucracy, according to experts. "It was like trying to merge 22 companies," said Bill Hancock, chief security officer of Internet service provider Savvis Communications Corp., of Town & Country, Mo., referring to the 22 government agencies that were folded into the DHS. "The IT problem alone is staggering."
Much of the department's resources and attention have been taken up trying to get its own house in order, Hancock said. "It's a huge organization that's trying to get a grip on its own problems."
Organizational problems stemming from the massive reshuffling were an issue for Amit Yoran, former head of DHS' National Cyber Security Division, in his time as the country's cyber-czar. "The challenge within [the DHS] is the maturity within departments and processes," said Yoran, now president of Yoran Associates, a Reston, Va., consulting company.
For example, conflicts between different financial and accounting systems and controls used within the DHS caused Yoran's budget to fluctuate by tens of millions of dollars during the year, making it difficult to do long-term planning. "It made it difficult to get down in the trenches to manage and allocate resources when you have that kind of budget," Yoran said.
The federal cyber-security program has been hampered by persistent management problems, including rapid personnel turnover and organizational instability, according to government overseers. In the last year alone, five high-level officials with oversight responsibilities left the department: the undersecretary for IAIP, the assistant secretary for information protection, the director of the US-CERT (Computer Emergency Readiness Team) Control Systems Security Center, the deputy director of outreach and awareness, and Yoran.
The cyber-security effort also suffered from the absence of a high-level official dedicated solely to the task. Without this position, officials inside and outside government complained, cyber-security was mired in the boondocks of bureaucracy, lacking the necessary clout or access to decision-makers to get things done.
In a departmental reorganization announced in July, DHS Secretary Michael Chertoff created the position of assistant secretary for cyber-security and telecommunications, which has not yet been filled. The restructuring eliminates the IAIP directorate and assigns infrastructure protection and cyber-security responsibilities to two separate offices answering directly to the undersecretary for preparedness, a change experts in industry applaud.
Still, the DHS faces many of the same challenges as other federal departments when it comes to allocating resources to fight threats, especially cumbersome procurement and hiring procedures that make it impossible to snap up good talent and technology, Yoran said.