Slim pickings for cybersecurity in DHS budget

Muddled goals


As the new Department of Homeland Security swallows nearly every cybersecurity office in the U.S. government, high-profile leaders are jumping ship, and analysts worry that only meager funding and muddled goals remain.

It's existed for less than two weeks, but analysts are already concerned that the newly formed Department of Homeland Security's cybersecurity unit may not grow up to be the powerhouse of efficiency and expertise it was billed as.

Nearly every government cybersecurity agency was swept into the new cabinet-level Department's "Directorate of Information Analysis and Infrastructure Protection" -- making the new directorate the single largest computer security organization the U.S. government has ever had.

The Critical Infrastructure Assurance Office (CIAO), formerly part of the Department of Commerce, made the move, as did the FBI's National Infrastructure Protection Center. The Federal Computer Incident Response Center left the General Services Administration to head to the DHS. Even the Department of Defense's National Communications System, which handles emergency preparedness for telecom, moved to the new department.

The DHS also houses the Secret Service, which is expanding its cybercrime efforts, adding at least one "Electronic Crime Special Agent" to every field office. The service recently upped the number of cities with an Electronic Crime Task Force from one (New York) to nine, and has developed a National Threat Assessment Center with Carnegie-Mellon's CERT/CC.

But despite the number of agencies involved, cybersecurity generally seems to have slipped in importance for the Bush Administration. One obvious sign is the dramatic decrease in the visibility of the National Strategy to Secure Cyberspace. The strategy was trumpeted by the White House and taken seriously by industry until its anticlimactic release as a draft version, followed by an almost unheralded final release on Valentine's Day as a generally toothless plan.

Last month the President also abolished the high-level Critical Infrastructure Protection Board, which was established after the September 11th attacks and run by Richard Clarke, a high-profile 30-year veteran of government. The board will be reborn inside the DHS, but with lower-level people.

Adding to the confusion, President George W. Bush used his State of the Union address in January to announce a new Terrorist Threat Integration Center that seems to duplicate at least part of what the DHS is supposed to do, coordinating information flow between the DHS, FBI, Central Intelligence Agency and the Department of Defense.

"The cybersecurity effort hasn't gotten a lot of support and enthusiasm from anywhere," says Will Rodger, director of public policy at the Computer and Communications Industry Association (CCIA) in Washington, DC. He says the DHS looks like just another federal feint at security, with no actual structure, and no consequences for failure.

Adding to the lack of clarity is what seems to be a mass exodus by many long-time cyber policy influencers. The list of departures is headed by Clarke, who spearheaded the National Strategy for Cyberspace Security, and was the federal government's most visible cheerleader for better network security in and out of government.

Tough Job

Brian Stafford also retired as director of the Secret Service, mere weeks after he appeared at the National Strategy draft unveiling; he was replaced in January by W. Ralph Basham. Ron Dick, director of the National Infrastructure Protection Center, retired from that post in December, and John Tritak recently left his position as director of the CIAO.

Meanwhile, the key cybersecurity role in the DHS, Undersecretary of Intelligence Analysis and Infrastructure Protection, remains vacant -- Gen. James Clapper turned down the Undersecretary job in January. Insiders say Bush's creation of the Terrorist Threat Integration Center has killed interest in the position, a significant issue in the title-happy Beltway. That leaves Infrastructure Protection as the only directorate that does not have at least a named undersecretary.

"In government, committees without leaders might as well not exist," notes Harris Miller, president of the Information Technology Association of America, a tech industry trade group. Miller's vote for the neglected post is Howard Schmidt, the former Microsoft CSO who took over for Clarke at the White House; Schmidt has been mentioned as a potential candidate for the undersecretary's job, though his lack of experience in the intelligence world may hurt his chances. Miller says that Schmidt can do the job, and if he isn't picked, someone with his ability and clout has to be named to it. "Otherwise, we will feel the administration has lost its focus on cybersecurity," Miller says. "If they don't do that, they're making a mistake."

Miller doesn't want to be overly critical -- it has been less than two weeks, after all, and senior Bush Administration officials assure him that cyber security remains a priority. "I trust the people there, but trust needs to be verified," Miller says. "Right now we're running on assurances rather than definite information."

For its part, the DHS points to its recent successful handling of the Sendmail flaw as a sign of its effectiveness. But that event was handled almost entirely before any of the groups involved were pulled into the Department, so the incident cannot be treated as even a minor test of the Department's abilities.

Even DHS supporters say that it isn't clear exactly what sort of cyber security mandate exists for the Department.

"It's really unsettled," says Jody Westby, president of The Work-IT Group in Denver, Colo. Westby is the editor of the American Bar Association's new Guide to Combating Cybercrime. She thinks that the DHS will improve coordination amongst the government's infrastructure players, in part because it has a single CIO, Scott Cooper, working across all 22 of its agencies. Westby also thinks that recent legislation which guarantees confidentiality for businesses who present information about cyberattacks to the DHS might increase private-sector cooperation with the Department. But she's concerned about a lack of funding for the undersecretary's office. "It has maybe $25 million," Westby said. "That's not very much money."

Overall, the new DHS's $37.7 billion budget earmarks only $3 billion for cybersecurity, according to Gartner Group's John Pescatore. So the Infrastructure Protection directorate, one of five directorates in the DHS, appears in line for less than 10 percent of funds.

Who ya gonna call?

Observers say the reorganization has muddled the question of where victims of cybercrime should go to report an incident. "We tell clients to check with legal counsel before getting law enforcement involved," said Pescatore, a former Secret Service agent. In part, that's to protect corporations from potential backlash from shareholders and customers. Pescatore said that even when there was good reason to contact law enforcement, "who you go to is tremendously unclear."

Indeed, a concerned corporation or citizen could report intrusions to the local FBI office, to InfraGard, which was part of NIPC but remained with the FBI, to the Secret Service, to the IAIP, or even to the new Terrorist Center. In the short term, then, the creation of the DHS "seems to have exacerbated confusion," said one former government security official, speaking on condition of anonymity.

To be fair, the DHS is an immense undertaking, the biggest government reorganization effort since the Department of Defense was created after World War II. Such a reorganization will require time. Department secretary Tom Ridge still needs to fill a number of key positions across his directorates, and the Department understandably needs to make physical security a priority, in anticipation of potential terrorist strikes at America.

Most analysts hold out hope that, given time, the DHS may well improve the security of the nation's infrastructure. Departed officials may be replaced by people with fresh eyes and energies. In particular, a new Undersecretary could galvanize efforts at intelligence analysis. Government, too, they say, can't be the only answer -- it can't make private companies install patches, or end-users stop clicking on attachments. Still, CCIA's Rodger, for one, is wary of what the DHS will do for the nation's cybersecurity. "I'd like to say 'hackers beware.' I'd like to say the Feds are going to get you. But I can't."

© SecurityFocus Online
