The phrase "since Sept. 11" has been repeated countless times in the last three-plus years. That has been so because, in fact, since Sept. 11, 2001, our world has changed radically. The number and variety of Opinions that have completed the first part of that sentence, Im sure, could fill a book, but Id like to add just one more that has to do with our corner of the world: Since Sept. 11, the government has completely botched its attempt to foster better security for our critical data networks and computer infrastructure.
This declaration should not shock anyone who has followed the efforts of the Bush administration and the Department of Homeland Security since 9/11. The latest fumble occurred this month when Amit Yoran quit as director of the National Cyber Security Division of the DHS. Yoran, who was considered an able administrator and was respected by the corporate IT community, said he quit to pursue other interests, but his message was clear: He and his department were getting only marginal support from the Bush administration.
In discussing his decision with eWEEK reporters, Yoran said he received "the authority, resources and support to accomplish [his] core objective[s], but thats all." In other words, he had the power, money, personnel and other backing needed to do his basic job, but something was missing: real power to coordinate several branches of the government as well as other public and private entities that have a stake in the safety of the Net, real money above and beyond the $80 million he had to run his department, and real backing beyond the lip service dealt out by DHS Secretary Tom Ridge.
Part of the problem is that Yoran was starting from scratch. Ridge created the position of director of the NCSD in the summer of 2003 to implement the National Strategy to Secure Cyberspace, and Yoran was hired last fall. Two officials, first Richard Clarke and then Howard Schmidt, headed the Presidents Critical Infrastructure Protection Board, which created the plan.
But despite the plan and the formation of the NCSD, still lacking was a clear mandate and acknowledgment of a problem. You dont have to see "Fahrenheit 9/11" to understand that the administration has bigger fish to fry than terrorists targeting the Internet. And to be honest, when much of the news coming out of the Middle East involves car bombings and beheadings, the safety of the Nets routers, switches, fiber optics and data centers seems trivial.
That admission, however, does not make the nations critical infrastructure more secure. In fact, we know that everything, from enterprise networks down to the PCs on corporate desktops and in homes, is vulnerable to a well-coordinated, deliberate attack. And every day those same infrastructure elements are being overwhelmed by viruses, worms, spam, adware and spyware, which collectively are skimming billions of dollars worth of data, personal identity information and productivity from the gross domestic product.
The threat onslaught shows no signs of abating. Nearly anything can be declared a matter of national security, so the question is, At what point does the safety of the cyber-infrastructure enter into that realm? We had intelligence about terrorist activities before Sept. 11 but failed to integrate it into a picture of imminent action. The same goes for cyber-security: Do we wait for a 9/11-type network meltdown before taking action?
Yorans departure may signal a turning of the tide with respect to acknowledging a bigger problem. Two members of Congress who think cyber-security is a real problem, Mac Thornberry, R-Texas, and Zoe Lofgren, D-Calif., are pushing legislation to elevate the position Yoran vacated from director to assistant secretary. That would give whomever occupies the position more clout to coordinate public and private initiatives.
Thats still not enough. For the plan to secure cyberspace to become an act, it will require real, coordinated accomplishments instead of diversions, token efforts and color-coded threat barometers, which are about all we have had since Sept. 11.
Scot Petersens e-mail address is email@example.com.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.