In its national strategy to secure cyberspace, the federal government says it wants to show us how security should be done. Now, with a leadership crisis gripping the Bush administration's primary cyber-security unit, officials may have their best opportunity yet to provide a positive example.
The sudden resignation last month of cyber-security czar pro tem Howard Schmidt left the President's Critical Infrastructure Protection Board in the lurch for the second time in three months. The departure highlights a challenge faced by many organizations both public and private as well as the Bush administration: to make sure key cyber-security people get appropriate resources and exposure, even as they join the team that bars the doors and windows.
It's an uneasy balance. When federal officials first hinted that the PCIPB would be folded into the Department of Homeland Security—in a unit to be known as the Information Analysis and Infrastructure Protection Directorate—former federal security chief Richard Clarke was the first to bail out. Clarke reportedly said privately that he saw the move as a demotion and feared that vital network security would get lost in the DHS. Sources close to the department said Schmidt quit for much the same reason, resigning after failing to get what he considered a decent job offer.
Clarke or Schmidt, with their name recognition, could have kept network security in the spotlight. Both chose to return to the private sector. That task will likely fall to someone with less clout but with the same challenge of championing a vital cause while relegated to a small part of a big bureaucracy.
The concern that network security gets short shrift in a larger security scheme is not the federal government's problem alone. The issue is emerging in enterprises as private companies recognize that network security and physical security rightfully belong together.
We agree with charges that the lack of a well-known contender for the top federal cyber-security post is damaging government network security initiatives and leaving much of the high-profile work outlined in the National Strategy to Secure Cyberspace undone. This country needs a recognized leader to champion federal network security efforts, but whoever is in charge will have to accept reporting to Tom Ridge and working at the DHS.
Can the federal government lead the way for enterprises that face a similar challenge? While successive annual General Accounting Office reports show continuing decline in federal IT security, the way that DHS handles the naming of an IAIP head can still prove a valuable lesson for security pros and those who hire and inspire them.
We support the vision of an integrated security architecture that treats network security as one element of an organization's protection plan. But that element should not be minimized. The nation's cyber-security boss must have significant leadership skills and public standing. And he or she should report directly to Ridge and get the resources and support this important block in our nation's protective barrier deserves.