Slim pickings for cybersecurity in DHS budget
As the new Department of Homeland Security swallows nearly every cybersecurity office in the U.S. government, high-profile leaders are jumping ship, and analysts worry that only meager funding and muddled goals remain.
It's existed for less than two weeks, but analysts are already concerned that the newly-formed Department of Homeland Security's cybersecurity unit may not grow up to be the powerhouse of efficiency and expertise it was billed as.
Nearly every government cybersecurity agency was swept in to the new cabinet-level Department's "Directorate of Information Analysis and Infrastructure Protection" -- making the new directorate the single largest computer security organization the U.S. government has ever had.
The Critical Infrastructure Assurance Office (CIAO), formerly part of the Department of Commerce, made the move, as did the FBI's National Infrastructure Protection Center. The Federal Computer Incident Response Center left the General Services Administration to head to the DHS. Even the Department of Defense's National Communications System, which handles emergency preparedness for telecom, moved to the new department.
The DHS also houses the Secret Service, which is expanding its cybercrime efforts, adding at least one "Electronic Crime Special Agent" to every field office. The service recently upped the number of cities with an Electronic Crime Task Force from one (New York) to nine, and has developed a National Threat Assessment Center with Carnegie-Mellon's CERT/CC.
But despite the number of agencies involved, cybersecurity generally seems to have slipped in importance for the Bush Administration. One obvious sign is the dramatic decrease in the visibility of the National Strategy to Secure Cyberspace. The strategy was trumpeted by the White House and taken seriously by industry until its anticlimactic release as a draft version, followed by an almost unheralded final release on Valentine's Day as a generally toothless plan.
Last month the President also abolished the high-level Critical Infrastructure Protection Board, which was established after the September 11th attacks and run by Richard Clarke, a high-profile 30-year veteran of government. The board will be reborn inside the DHS, but with lower-level people.
Adding to the confusion, President George W. Bush used his State of the Union address in January to announce a new Terrorist Threat Integration Center, that seems to duplicate at least part of what the DHS is supposed to do, coordinating information flow between the DHS, FBI, Central Intelligence Agency and the Department of Defense.
"The cybersecurity effort hasn't gotten a lot of support and enthusiasm from anywhere," says Will Rodger, director of public policy at the Computer and Communications Industry Association (CCIA) in Washington, DC. He says the DHS looks like just another federal feint at security, with no actual structure, and no consequences for failure.
Adding to the lack of clarity is what seems to be a mass exodus by many long-time cyber policy influencers. The list of departures is headed by Clarke, who spearheaded the National Strategy for Cyberspace Security, and was the federal government's most visible cheerleader for better network security in and out of government.
Brian Stafford also retired as director of the Secret Service, mere weeks after he appeared at the National Strategy draft unveiling; he was replaced in January by W. Ralph Basham. Ron Dick, director of the National Infrastructure Protection Center, retired from that post in December, and John Tritak recently left his position as director of the CIAO.
Meanwhile, the key cybersecurity role in the DHS, Undersecretary of Intelligence Analysis and Infrastructure Protection, remains vacant -- Gen. James Clapper turned down the Undersecretary job in January. Insiders say Bush's creation of the Terrorist Threat Integration Center has killed interest in the position, a significant issue in the title-happy Beltway. That leaves Infrastructure Protection as the only directorate that does not have at least a named undersecretary.
"In government, committees without leaders might as well not exist," notes Harris Miller, president of the Information Technology Association of America, a tech industry trade group. Miller's vote for the neglected post is Howard Schmidt, the former Microsoft CSO who took over for Clarke at the White House; Schmidt has been mentioned as a potential candidate for the undersecretary's job, though his lack of experience in the intelligence world may hurt his chances. Miller says that Schmidt can do the job, and if he isn't picked, someone with his ability and clout has to be named to it. "Otherwise, we will feel the administration has lost its focus on cybersecurity," Miller says. "If they don't do that, they're making a mistake."
Miller doesn't want to be overly critical -- it has been less than two weeks, after all, and senior Bush Administration officials assure him that cyber security remains a priority. "I trust the people there, but trust needs to be verified," Miller says. "Right now we're running on assurances rather than definite information."
For its part, the DHS points to its recent successful handling of the Sendmail flaw as a sign of its effectiveness. But that event was handled almost entirely before any of the groups involved were pulled into the Department, so the incident cannot be treated as even a minor test of the Department's abilities.
Even DHS supporters say that it isn't clear exactly what sort of cyber security mandate exists for the Department.
"It's really unsettled," says Jody Westby, president of The Work-IT Group in Denver, Colo. Westby is the editor of the American Bar Association's new Guide to Combating Cybercrime. She thinks that the DHS will improve coordination amongst the government's infrastructure players, in part because it has a single CIO, Scott Cooper, working across all 22 of its agencies. Westby also thinks that recent legislation which guarantees confidentiality for businesses who present information about cyberattacks to the DHS might increase private-sector cooperation with the Department. But she's concerned about a lack of funding for the undersecretary's office. "It has maybe $25 million," Westby said. "That's not very much money."
Overall, the new DHS's $37.7 billion budget earmarks only $3 billion for cybersecurity, according to Gartner Group's John Pescatore. So the Infrastructure Protection directorate, one of five directorates in the DHS, appears in line for less than 10 percent of funds.
Who ya gonna call?
Observers says the reorganization has muddled the question of where victims of cybercrime should go to report an incident. "We tell clients to check with legal counsel before getting law enforcement involved," said Pescatore, a former Secret Service agent. In part, that's to protect corporations from potential backlash from shareholders and customers. Pescatore said that even when there was good reason to contact law enforcement, "who you go to is tremendously unclear."
Indeed, a concerned corporation or citizen could report intrusions to the local FBI office, to InfraGard, which was part of NIPC but remained with the FBI, to the Secret Service, to the IAIP, or even to the new Terrorist Center. In the short term, then, the creation of the DHS "seems to have exacerbated confusion," said one former government security official, speaking on condition of anonymity.
To be fair, the DHS is an immense undertaking, the biggest government reorganization effort since the Department of Defense was created after World War II. Such a reorganization will require time. Department secretary Tom Ridge still needs to fill a number of key positions across his directorates, and the Department understandably needs to make physical security a priority, in anticipation of potential terrorist strikes at America.
Most analysts hold out hope that, given time, the DHS may well improve the security of the nation's infrastructure. Departed officials may be replaced by people with fresh eyes and energies. In particular, a new Undersecretary could galvanize efforts at intelligence analysis. Government, too, they say, can't be the only answer -- it can't make private companies install patches, or end-users stop clicking on attachments. Still, CCIA's Rodger, for one, is wary of what the DHS will do for the nation's cybersecurity. "I'd like to say 'hackers beware.' I'd like to say the Feds are going to get you. But I can't."