The office in charge of cyber-security in the Department of Homeland Security is planning to continue moving ahead on the agenda the agency has already set.
According to Lawrence Hale, deputy director of the National Cyber-Security Division at DHS, the agency considers physical and cyber-security so deeply intertwined that it would be impossible to separate them. Hale said the current organization of the IAIP (Directorate of Information Analysis and Infrastructure Protection) has cyber-security and physical security working together.
Earlier this week, the CSIA (Cyber-Security Industry Alliance) released a series of recommendations, including a reorganization that would make the director of the cyber-security division an assistant secretary. Supporters say such a change would raise the profile of cyber-security, thus bringing the area more clout and more funding.
More clout is required to make things happen, said Paul Kurtz, executive director of the CSIA, in Washington. “We strongly believe that we need a higher-level post,” Kurtz said. “In this town, rank and accountability mean a lot. If you dont have it, you cant get things done.”
Kurtz said a change to elevate cyber-security to a higher level was originally proposed in legislation responding to the 9/11 terrorist attacks, but it was not enacted.
While Hale said he thinks CSIAs proposals are an important means to raise the visibility of cyber-security, he doesnt agree that cyber-security should be treated differently from physical security. But he said he thought the CSIA meeting in Washington where the recommendations were presented was helpful.
“We got prominent CEOs talking about cyber-security and what needs to be done,” Hale said. He added that accomplishing real progress in infrastructure protection needs to be the work of the government in conjunction with the private sector. “Its clearly a shared responsibility,” Hale said. “We have to work together to advance those goals.”
Kathleen Mynster, a spokeswoman for the Department of Homeland Security, expanded on the departments view. “The department is still examining options for reorganization at this time,” Mynster said. “We continue to believe the integration of both physical and cyber-security within Infrastructure Protection is the best approach at this time.”
Hale said IT and telecommunications comprise critical parts of the U.S. infrastructure. “We need to press on the priorities we already have set, which include working with the telecom and IT industries to prevent major Internet disruption and protect critical infrastructure of the United States,” he said.
He added that he thinks the combination of telecommunications and IT infrastructure is becoming more critical. “Of all the infrastructures, IT and telecom are converging,” Hale said. “Many functions have already converged.”
Hale said his organization is working with the National Communications System to identify vulnerabilities in the IT and telecommunications infrastructure, and find ways to fix them, or ways to deal with disruptions that result from the vulnerabilities.
“Were not just working to prevent a major Internet disruption,” Hale said. “But it is possible that a zero day exploit could arise that causes major disruptions. Were working on plans for mitigation and recovery from major Internet disruptions.”
Kurtz, meanwhile, said that regardless of the organization of DHS and the cyber-security office, more needs to be done. “The money going toward cyber-security is miniscule,” he said. “When you look at how IT is driving our economy, its hard to fathom why more is not being spent in this area.”
And in fact, Hale said the mission of the cyber-security division is already growing, including new initiatives in software assurance and in protecting control systems. A wide variety of critical infrastructure items are connected to the Internet, he said, making them more vulnerable than ever before.
This means that new industries must be made aware of the risks they are facing, and made aware of the need to protect critical infrastructure. “Were working to address and correct vulnerabilities and raise their awareness of protective measures that can be used,” Hale said.