The power vacuum atop the Department of Homeland Securitys cyber-security division is straining the DHS relationship with key private-sector allies and hampering government efforts to improve security on public and private networks.
According to insiders, the situation has industry representatives set to take action on their own after five reports on security have failed to produce any federal action.
The federal governments relations with vendors and independent security experts have never been ideal, but by the time Amit Yoran resigned as director of the National Cyber Security Division last fall, many in the private sector were optimistic that tensions between the factions were easing.
Yorans departure, however, was followed by the resignations of several other officials at the top of the Information Analysis & Infrastructure Protection directorate, including Assistant Secretary Bob Liscouski and Under Secretary Frank Libutti.
With none of the departed officials formally replaced, many in the security community worry that cyber-security—never a top priority on the Bush agenda—is now in danger of falling off the map.
“Theres a lack of strategy and a lack of a consistent way for folks to interact with DHS,” said one source who works closely with DHS and other government bodies on cyber-security issues. “Theyll have the meeting of the month or whatever; we all make recommendations and go away, and then nothing gets done until the next problem bubbles up.”
DHS officials were not available to comment.
Andy Purdy, one of Yorans former deputies, has been acting director of the NCSD since the fall. Many of those involved in various DHS cyber-security efforts say Purdy has done an admirable job holding the division together and maintaining some of the relationships Yoran built. They point to a recent meeting of DHS officials and outside experts to discuss a cyber-security war game being planned for later this year as evidence that the department still values working with the private sector.
But the lack of direction from the top of the department and the uncertainty surrounding the search for a permanent NCSD head have been tough to overcome.
“Its not that DHS isnt involving the private sector. The problem has been leadership and attention paid to cyber-security at a high level,” said Paul Kurtz, executive director of the Cyber Security Industry Alliance, in Arlington, Va. “The entire division doesnt have leadership.”
That lack of leadership has led industry officials to put more energy into private efforts, such as the National Cyber Security Partnership, a coalition of vendors, industry organizations and others concerned with information security. Formed in 2003, the NCSP last spring delivered to DHS five reports with recommendations on improving security.
But DHS officials never responded to the recommendations, and little progress has been made on implementing them. As a result, NCSP members have decided to move ahead on their own. The group met last week to set priorities for the coming year and discuss a handful of key recommendations, culled from the more than 500 in the DHS reports, that it plans to emphasize. The NCSP hopes to make an announcement this month.
Yoran said its important for DHS to articulate a cyber-security strategy soon.
“Theyve got hard-working folks there, but theyre not well-resourced and dont have a well-defined mission,” he said. “The department needs to define the mission so people know what to expect.”