Cyber-Security Chief Resignation Spotlights DHS Woes

Yoran's departure raises new-and old-cyber-security concerns.

Less than a week after the nations top cyber-security official resigned, saying he had done all he could with the resources provided, branches of the U.S. government are now scrambling to strengthen the position to ensure that Amit Yorans successor is equipped for the long haul.

/zimages/3/28571.gifClick here to read more about Yorans resignation.

In the days following Yorans resignation after only one year on the job as director of the National Cyber Security Division of the Department of Homeland Security on Oct. 1, the U.S. House of Representatives hastily resuscitated a bill that would elevate the director position to the level of assistant secretary. The same initiative had been shot down only a week earlier, due mainly to opposition from within the DHS, congressional staffers and industry sources said.

However, the on-again, off-again nature of the measure, authored by Reps. Mac Thornberry, R-Texas, and Zoe Lofgren, D-Calif., is the latest example of the disorganization that continues to roil the governments information security efforts and frustrate the IT community at large.

In fact, the leadership vacuum created by Yorans resignation once again raises uncertainty about exactly where the cyber-security position will end up. Such uncertainty could very well damage efforts to fill the vacancy as well as slow some of the progress Yoran and his group have made, such as the establishment of the National Cyber Security Partnership and the cooperative efforts with the Information Sharing and Analysis Centers and CERT.

One industry executive, who was approached about the position before Yoran accepted it, said the administration will be hard-pressed to find a qualified candidate willing to take the job without assurances about title and authority. Asked whether he would take the job, the executive said, "I dont think so."

Yoran joined the DHS in the fall of 2003 as the director of the NCSD with a mandate to build what amounted to a startup within the department. Secretary of Homeland Security Tom Ridge and other DHS officials laid out goals for Yoran, including devising a plan for implementing the National Strategy to Secure Cyberspace.

"The initial time frame included a one-year timeline to do that," Yoran said in an interview last week. "I feel I accomplished the core mission. But its a herculean task. I had the authority, resources and support to accomplish that core objective, but thats all. A lot of work still needs to be done. There are areas where the ball hasnt moved forward."

Yoran said he wanted the NCSP—which is a public/private partnership responsible for helping implement the national strategy—to make progress on all the initiatives in its reports.

"The national strategy is still something that I fundamentally agree with," he said. "The NCSP has done some things well, others reasonably well, and others it hasnt even begun to address."

Yoran said his future plans include looking at some private-sector opportunities, staying involved with the security effort and working with a childrens charity. His position there was several levels below that of Ridge, and many in the security industry pointed to his position in that multitiered hierarchy as a sign of the Bush administrations limited concern for cyber-security.

Former federal cyber-security official Howard Schmidt, currently chief security officer at eBay Inc. and a personal friend of Yorans, said the departing official deserves credit for the work he did under trying conditions.

"Hes had a really tough job to do, and he contributed his share. I dont fault him [for leaving]," said Schmidt, who late last week agreed to return to the DHS as a consultant, while maintaining his job at eBay.

Andy Purdy, who has been involved in the Bush administrations cyber-security effort for several years, will stand in as acting director of the NCSD until an official director is named.

Cyber-security gained instant political prominence on Capitol Hill with Yorans departure, and legislators who had not previously supported the Lofgren/Thornberry bill reconsidered their positions, according to congressional aides. Last week, language from the measure was drafted back into the 9/11 Recommendations Implementation Act, which aims to reorganize the intelligence community to address the terrorist threat more effectively.

Under the legislation, the new assistant secretary would assume responsibility for the NCS (National Communications System), said James Hunt, an aide to Thornberry. Today, the assistant secretary for infrastructure protection at the DHS heads the NCS.

Meanwhile, members of the House Government Reform Committee—which plays the largest role in overseeing IT—have generally supported legislatively elevating the position at the DHS. But concerns that some authorities attached to the position would create new challenges have surfaced in recent weeks, said Bob Dix, staff director of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. In particular, several legislators do not feel that all information-sharing duties should fall under the new position because the task has governmentwide implications, Dix said.

The Senate last week passed its version of the 9/11 legislation, which does not include the assistant secretary provision. The House planned to vote on its bill by the end of last week before returning home to campaign. The House is expected to return after next months election to reconcile its bill with the Senate, aides said.

For his part, Yoran said he believes that the title given his successor and the location of the office are far less important than the authority and responsibility he or she is accorded. "There has got to be a careful balance between resources, the position, where it is, all of that. It needs to reflect whats being asked of the person," he said.

/zimages/3/28571.gifCheck out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.


Be sure to add our Security news feed to your RSS newsreader or My Yahoo page