It has taken a year, but the federal government appears poised to appoint an overseer for U.S. cyber-security.
Vallee Bunting, a spokesperson for the Department of Homeland Security, in Washington, said officials there are whittling down the list of candidates. Once the department decides on the best candidate, that person will be appointed by the president and the Office of Management and Budget.
According to Bunting, Senate confirmation is not required for this position.
For many in the technology industry, the appointment cant come soon enough. After all, its the private sector that controls most of the infrastructure that could crack under a cyber-attack. A leadership vacuum at the DHS makes the job of securing critical infrastructure that much tougher.
As it is, the new head of cyber-security will have a lot to fix. It has been five years since the Sept. 11, 2001, terrorist attacks, and the DHS has received an F on computer security for three straight years from the U.S. House of Representatives Committee on Government Reform.
Meanwhile, the Government Accountability Office has said in reports that the DHS is unprepared for a cyber-attack.
"Since [President Bush] issued the national strategy to secure cyberspace in February 2003, weve been running in place," said Paul Kurtz, executive director of the Cyber Security Industry Alliance, a group comprising information security companies, in Arlington, Va.
Why is it so hard to find a cyber-czar? Bunting said the biggest challenge is finding a qualified person willing to leave a high-paying job in the private sector for less compensation and more public scrutiny.
"One of the limiting factors is that the department is competing with private industry, which has virtually unlimited resources for salaries and benefits which would be an attractive incentive for highly qualified candidates for this position," Bunting said.
"It takes a uniquely qualified individual to make the personal and professional sacrifice to join a startup organization like DHS rather than join the private sector."
The goal is to find the right person for the job, not to fill the position as quickly as possible, Bunting said. She declined to be more specific about when an appointment will be announced, saying only that DHS "should have a candidate named soon."
The new assistant secretary will be responsible for two divisions within DHS, National Communications System and National Cyber Security. Currently, these functions are being overseen by Robert Zitz, deputy under-secretary for preparedness.
Peter Metzger agreed that the DHS needs time to find the right candidate. A former White House staffer with the Reagan administration who also worked in the national intelligence community, Metzger is now vice chairman of Christian & Timbers, an executive search company.
"You have to approach people who come out of one of three backgrounds," said Metzger in Washington. "[You need to find] high-net-worth people who want to give back, or it may be someone who wants to come in and make a high-impact statement and go back out and make money."
The third type "typically is someone who successfully holds a position in the private sector but who feels that they want to contribute to the global war on terrorism," Metzger said.
However, even for motivated people, getting hired for such senior jobs isnt easy. "Typically, these positions require a senior security clearance. They require full background investigations and full public financial disclosure, and people arent crazy about that," Metzger said.
Metzger declined to speculate on who will be appointed to the cyber-security post. But he said that if he were making the appointment, hed "take a good, hard look at someone who has held very senior CISO [chief information security officer] roles at some place that has had a high-transaction volume, such as in financial services, especially the global credit card companies."
But even if they find an ideal candidate who can get a security clearance, its still a hard sell, Metzger said.
"You take someone who is making three times what they could make in the government [and] tell them that theyre going to move to a high-cost area, be scrutinized and have to disclose their financial statement publicly, be given a full field investigation, and work 70 to 80 hours a week—that sometimes is a hard sell," he said.
Hard sell or not, someone needs to do the job, said Kurtz. Kurtz, who was director of counter-terrorism and senior director of cyber-security for the National Security Council during the Reagan administration, said the delay in appointing a cyber-czar shows a lack of leadership by the DHS.
"Its been a year since [DHS] Secretary [Michael] Chertoff announced the creation of this position," Kurtz said.