In the wake of the Sept. 11, 2001, terrorist attacks, President Bush commissioned a sweeping plan to secure the nation's cyber-assets. At the time, the president said it was vital to reduce cyber-threats “before they can be exploited to damage the systems supporting our nation's critical infrastructures.”
But four years and billions of dollars later, the federal agencies charged with locking down the country's technology infrastructure still cannot, or will not, detail what concrete steps have been taken toward national cyber-security.
Despite a budget of more than $1.7 billion covering 2004 and 2005, the Information Analysis and Infrastructure Protection Directorate, home to DHS' core cyber-security activity, has yet to address a single item among its stated cyber-security responsibilities. That judgment comes not from academics or contractors but from the Government Accountability Office.
Officials denied eWEEK's requests for itemized budget figures, including salaries and specific program expenses. DHS spokesperson Michelle Petrovich said salaries for nonappointees are private. In addition, much of the budget is classified because it “typically gets into the intelligence realm,” Petrovich said.
Among the initial cyber-duties not yet completed are the development of national cyber-threat and vulnerability assessments and the development of government/industry contingency recovery plans, according to the GAO, which offered an overview of the department's cyber-security challenges in July. The department's failure to accomplish such preliminary tasks after two years is leaving lawmakers increasingly uneasy.
Sen. Joseph Lieberman, D-Conn., the ranking minority member on the Committee on Homeland Security and Governmental Affairs, said he wished more progress had been made over the last year. “I don't expect overnight success, but I do expect visible improvement in DHS' ability to protect the cyber-structure that underpins our nation's critical infrastructure,” Lieberman said.
The tasks of identifying, assessing and analyzing cyber-risks can be amorphous, but a nearly complete absence of measurable goals or quantifiable results has prompted Congress to demand more. Noting that a security plan requires measurable goals and milestones, Sen. Tom Coburn, R-Okla., chairman of the Subcommittee on Federal Financial Management, Government Information and International Security, said, “Vulnerabilities still exist today, only now they are less excusable” than they were two years ago.
“America expects DHS to take every reasonable measure to protect us from terrorism,” Coburn said. “I am not convinced that threshold has been met.”
The department is hobbled by the massive task of integrating under one roof functions that had been scattered throughout the federal bureaucracy, according to experts. “It was like trying to merge 22 companies,” said Bill Hancock, chief security officer of Internet service provider Savvis Communications Corp., of Town & Country, Mo., referring to the 22 government agencies that were folded into the DHS. “The IT problem alone is staggering.”
Much of the department's resources and attention have been taken up trying to get its own house in order, Hancock said. “It's a huge organization that's trying to get a grip on its own problems.”
Organizational problems stemming from the massive reshuffling were an issue for Amit Yoran, former head of DHS' National Cyber Security Division, in his time as the country's cyber-czar. “The challenge within [the DHS] is the maturity within departments and processes,” said Yoran, now president of Yoran Associates, a Reston, Va., consulting company.
For example, conflicts between different financial and accounting systems and controls used within the DHS caused Yoran's budget to fluctuate by tens of millions of dollars during the year, making it difficult to do long-term planning. “It made it difficult to get down in the trenches to manage and allocate resources when you have that kind of budget,” Yoran said.
The federal cyber-security program has been hampered by persistent management problems, including rapid personnel turnover and organizational instability, according to government overseers. In the last year alone, five high-level officials with oversight responsibilities left the department: the undersecretary for IAIP, the assistant secretary for information protection, the director of the US-CERT (Computer Emergency Readiness Team) Control Systems Security Center, the deputy director of outreach and awareness, and Yoran.
The cyber-security effort also suffered from the absence of a high-level official dedicated solely to the task. Without this position, officials inside and outside government complained, cyber-security was mired in the boondocks of bureaucracy, lacking the necessary clout or access to decision-makers to get things done.
In a departmental reorganization announced in July, DHS Secretary Michael Chertoff created the position of assistant secretary for cyber-security and telecommunications, which has not yet been filled. The restructuring eliminates the IAIP directorate and assigns infrastructure protection and cyber-security responsibilities to two separate offices answering directly to the undersecretary for preparedness, a change experts in industry applaud.
Still, the DHS faces many of the same challenges as other federal departments when it comes to allocating resources to fight threats, especially cumbersome procurement and hiring procedures that make it impossible to snap up good talent and technology, Yoran said.
Cyber-security Gets Bogged Down by Bureaucracy
“There's limited bandwidth within the department to let in new contracts or bring new capabilities on board,” Yoran said.
Often, that means DHS cyber-security leaders have to try to shoehorn new hires and purchases into existing contracts to speed them up.
Political exigencies also continue to play a role in how much DHS money finds its way to cyber-security, say Yoran and others. “DHS is highly politicized, it goes without saying,” said Marcus Sachs, deputy director in the Computer Science Laboratory of SRI International, based in Menlo Park, Calif., and a former DHS employee who helped create the NCSD in 2003.
Political opposition killed Sachs' plans for a strong, centralized national response center for cyber-security that would have wrapped the NCSD and current CERT functions together under the US-CERT banner. Instead, the agency chose to run the two groups separately.
Within the DHS, political concerns have made it harder to get and keep funding for cyber-security than for physical security, such as protecting against chemical, nuclear and biological attacks, in the wake of the Sept. 11 terrorist attacks, Sachs said. “Pre-9/11, if you wanted money for telecommunications [security], it was easy. Cyber-security was considered the soft underbelly. [After 9/11], interest flipped like a light switch … and those same dollars shifted from being cyber-centric to being physical-centric,” he said.
With the devastation of Hurricane Katrina foremost in the minds of the Bush administration, Sachs worries that cyber-security dollars could again be poached, within the DHS, for disaster relief.
“It's shortsighted,” he said. “Our nation is becoming more dependent on cyberspace. We've got to be distance-focused as opposed to focused only on protecting the near-term infrastructure.”
Despite the criticisms, however, Sachs, Yoran and others said that the DHS has done an admirable job, given the challenge of creating a new department from scratch.
The department has been especially effective at encouraging communication and coordination among different government agencies, such as the departments of Defense and Commerce, said Savvis' Hancock.
The DHS deserves credit for fostering communications with private-sector industry groups and ISACs (Information Sharing and Analysis Centers), said Howard Schmidt, chairman of US-CERT and former eBay Inc. chief security officer.
NCSD Acting Director Andy Purdy, who took over when Yoran left, said that he does not see his division hindered by organizational instability and that he is pleased with the progress made on the two overarching priorities of building a National Cyberspace Security Response System and implementing a cyber-risk management program for critical infrastructure.
“In terms of getting the work done, we haven't had instability,” Purdy said, adding that he and his colleagues have striven to strengthen objectives and milestones that are not dependent on individual personalities. “We have quite a story to tell.”
The response system includes the US-CERT Operations Center, which was established in September 2003. US-CERT maintains the DHS' round-the-clock cyber-watch, warning and incident response center.
It also analyzes malicious code, conducts threat and vulnerability analyses, manages a situational awareness program for monitoring network activity in federal agencies, and manages programs for communication and collaboration among public agencies and key network defense service providers.
Purdy concedes, however, that easily measurable results are not readily available when it comes to progress in cyber-security. NCSD has put together a Performance Metrics Team to ensure that its objectives can be measured, but no private-sector participants have been invited yet, he said. “You're looking for quantifiable metrics. We don't have specific metrics,” he said. “We're forming a partnership with the private sector to build quantifiable metrics.”
Much of the division's nonsalary budget goes toward costly risk management programs, such as the Control Systems Security Program, which cost about $15 million this year and includes an R&D component and a testbed component, Purdy said. Looking ahead, NCSD plans to develop a set of security assurance levels for control systems owners and operators, which monitor and control pipelines, water stations, chemical processing, rail and many other critical infrastructures. The division also plans to assess at least three core systems and offer recommendations to protect against threats.
NCSD's Software Assurance Program also commands a hefty portion of the division's budget. The program aims to make patch management a thing of the past by encouraging developers to improve their products.
However, like other federal agencies, the DHS is sensitive to the wishes of policy-makers on Capitol Hill who themselves are often in the sway of special interests, industry insiders say. In the case of cyber-security, lobbying by software vendors and Internet service providers has succeeded in keeping the DHS from pushing software vendors to improve security, said Alan Paller, research director at The SANS Institute, in Bethesda, Md.
“Lobbying money is being spent on people who have drunk the [IT industry] Kool-Aid, and they're the ones who are going to meetings with government officials,” Paller said.
It Gets Worse
When government agencies such as the DHS fail to disclose detailed expenses, the possibility for mismanagement increases, critics say. The DHS has already been hit with complaints that DHS funds are being wasted on contracted projects such as a $10 billion system to screen foreign visitors based on outdated technology, $500 million for cargo radiation detectors that rarely work and myriad purchases by local police departments—in areas at little risk for terrorism—of items ranging from biohazard containment trucks to underwater robot cameras.
Taking issue with the assertion that the DHS is not leading by example, Purdy said NCSD is pushing the country's largest software vendors very hard to improve their products.
“They know how important it is for them to raise the bar,” he said. “It's going to be a longer-term challenge. It's really hard to measure.”
Many of NCSD's programs involve establishing forums and coordinating meetings and workshops among government agencies and between the government and the private sector. This month alone, NCSD will host or co-host meetings in Silicon Valley; Annapolis, Md.; and Washington. There will be a major software assurance conference with the private sector next month as well.
However, successfully partnering with the private sector remains one of DHS' greatest cyber-security challenges, according to the GAO, which judged the department as having failed in the task so far.
Some of the partners the DHS seeks, however, remain reluctant to turn over sensitive data to the government because they do not see the gesture as reciprocal and because they fear the data will end up in the wrong hands.
Acknowledging the difficulty of developing trusting relationships, Coburn recently urged the department to take greater strides in information sharing, saying that “there can be no excuse for not effectively engaging the private sector, even though it is hard.”
The information-sharing problems are not within NCSD, according to Purdy.
While the DHS' cyber-security goals and achievements remain too murky to quantify, it's too early to tell whether the agency has let its guard down on cyber-security. DHS watchers should look for evidence of a “sharpening blade” in coming years—signs that the DHS is becoming a more potent force in cyber-security, Sachs said.