The fate of a far-flung network of government efforts to protect cyberspace is uncertain, with the leadership of the FBIs cybersecurity office vacant and the shutdown of a primary government cybervigilance office imminent.
The Critical Infrastructure Assurance Office (CIAO) is mandated to close this year and many in industry are looking to the Bush administration to quickly make the necessary decisions to keep the national cybersecurity effort on track.
The CIAO, which was central to the Clinton administrations attempts to work with industry to address cybersecurity, can be saved if President George W. Bush opts to keep it alive, but Bush hasnt decided how to deal with the office or its mandate.
“As with any office that faces the prospect of sunsetting, the office would typically go through a normal review process,” Bush spokesman Jimmy Orr said.
Industry and government officials involved with the effort said they are not wedded to the CIAO per se, but they do not shrink from championing the governments role as vital. The governments efforts, they said, helped centralize a daunting tangle of federal interests in critical infrastructure and encouraged industry to discuss the issue.
“Managing risk is not a new thing, but what is new is the extent to which [utilities, governments and corporations] depend on networks,” said CIAO Director John Tritak. “Many of the systems are becoming plugged into a digital nervous system, which creates a new kind of vulnerability, and we know people will exploit it for kicks, revenge, profit or for strategic advantage.”
The array of federal agencies and public/private partnerships addressing cybersecurity is complicated and growing daily. The National Infrastructure Assurance Council, a government/industry partnership, reports to the president and to Richard Clarke, the assistant to the president for national security affairs. Also reporting to Clarke is Tritak; a host of industry sector alliances called Industry Sector Advisory Committees; and alliances of ISAC and government liaisons called Critical Infrastructure Coordination Groups.
Also in the mix is the Department of Justice and its National Infrastructure Protection Center, which puts law enforcement teeth into critical infrastructure protection efforts.
The National Infrastructure Protection Center has been without a leader since director Michael Vatis left early last month, an FBI spokeswoman said. She said there is no timeline for hiring a new director.
Clarke, a Clinton administration holdover, has said that the arrangement of public and private groups is too scattered and needs to be more centralized.
The FBIs InfraGuard program, for example, has more than 50 local chapters representing 500 companies. Information from this group is channeled specifically to the Justice Department.
Tritak said the CIAO has spent much of its time engaging in important spade work that is just beginning to show results. Industry sectors, like banking, water supply and public health, are working with federal officials to share information about their infrastructures.
Harris Miller, president of the Information Technology Association of America, praised the CIAOs work, calling it “an effective prod,” and saying it may be time for the government to give the effort more money.