As legislators and department of Homeland Security officials continue to debate whether to give the nations top cyber-security official more authority, the people involved in securing the countrys networks are working out a new arrangement that may portend an unprecedented level of cooperation between the DHS and the private sector.
A plan is under way in the ever-evolving National Cyber Security Division of the DHS to extend the tenure of Andy Purdy, the groups interim chief, and augment the position with a part-time outside consultant with direct ties to the private sector. The move, observers say, would enable the division to tackle head-on such prevalent issues as security vulnerability.
The effort is the result of a power vacuum created when Amit Yoran resigned last month as NCSD director. Subsequently, Purdy, one of Yorans deputies, was appointed interim director of the NCSD. It now appears that top DHS officials are content to leave him in that position for now and, contrary to early reports, are in no hurry to find a permanent replacement for Yoran.
Purdy, a longtime veteran of federal government service, is known for his ability to work inside the Beltway and get things done—a skill vital to moving the National Strategy to Secure Cyberspace forward, insiders say.
“Andy is not just anybody. That is a solid move,” said Alan Paller, director of research at The SANS Institute, based in Bethesda, Md. “They wouldnt have done that if they were going to bring in someone else right away.”
But Purdy will not be going it alone. Howard Schmidt, former chairman of the now-defunct Presidents Critical Infrastructure Protection Board and now chief security officer at eBay Inc., is working with US-CERT as a consultant to the DHS and will be advising Purdy and others.
Schmidt, who also served as Microsoft Corp.s chief security officer and is a former federal agent, is among the more respected members of the security community, both inside Washington and in the private sector. His involvement with the DHS will be indirect and on a part-time basis, but his presence gives the department a trusted conduit into the private sector, a necessity to implement its strategy.
“Were still working on what my role is. But Im not going back to the government,” Schmidt said. “My role now is to work on the partner programs with US-CERT, to work with the trade associations and the private companies.”
One area where cooperation with the private sector is key is in the effort to reduce vulnerabilities. Government officials have little ability to do this on their own and need the aid of software vendors.
“The two key things in security are responding to threats and reducing vulnerabilities. [The DHS] has no leverage to do anything about vulnerabilities, and thats a much higher priority by an order of magnitude,” said Paller.
Schmidts presence also will take some of the pressure off Purdy, who comes to the job at a time when people both inside and outside Washington are questioning the DHS progress on improving cyber-security as well as its commitment.
In addition, while lawmakers continue to push for the NCSD director to have more authority—perhaps moving it to the level of deputy secretary—others inside the DHS, including Assistant Secretary for Infrastructure Protection Robert Liscouski, have consistently resisted the idea.