[ISN] Top Cyber Security Post Still Unfilled After a Year

From: InfoSec News (alerts@private)
Date: Thu Jul 13 2006 - 01:16:44 PDT


By Brian Krebs
washingtonpost.com Staff Writer
July 12, 2006

One year after the Department of Homeland Security created a high-level 
post for coordinating U.S. government efforts to deal with attacks on the 
nation's critical technological infrastructure, the agency still has not 
identified a candidate for the job.

On July 13, 2005, as frustration with the Bush administration's cyber 
security policy grew on Capitol Hill and Congress appeared poised to force 
its hand, Homeland Security Secretary Michael Chertoff announced the new 
assistant-secretary job opening.

Critics say the yearlong vacancy is further evidence that the 
administration is no better prepared for responding to a major cyber 
attack than it was for dealing with Hurricane Katrina, leaving vulnerable 
the information systems that support large portions of the national 
economy, from telecommunications networks to power grids to chemical 
manufacturing and transportation systems.

"What this tells me is that ... [Chertoff] still hasn't made this a 
priority ... to push forward and find whoever would be the best fit," said 
Paul Kurtz, a former cyber security advisor in the early Bush 
administration and now a chief lobbyist for software and hardware security 

"Having a senior person at DHS... is not going to stop a major cyber 
attack on our critical infrastructures," Kurtz said, "but [it] will 
definitely help us develop an infrastructure that can withstand serious 
attacks and recover quickly."

Rep. Zoe Lofgren (D-Calif.), a co-author of the bill that would have 
forced the department to create the position last year, did not mince 
words: "I think DHS is pathetic and incompetent. It's a complete mystery 
what's happening over there."

But a DHS official assured critics that the agency is "in the final 
stretch" of approving a candidate.

"We are hopeful we'll be able to announce in the not-too-distant future an 
individual we think would be able to continue the work we've been doing," 
said George W. Foresman, undersecretary for preparedness.

Around the time of the agency's inception in early 2003, the Bush 
administration released the "National Strategy to Secure Cyberspace," a 
detailed roadmap for securing the nation's most critical information 
networks and for crafting a disaster-recovery and response plan in case of 
a major cyber attack or other massive malfunction.

The far-reaching plan led many in the high-tech community to hope that DHS 
would establish a cyber security post with influence over the department's 
policy and spending priorities. But when administration officials 
relegated it to a lower hierarchical rung -- one without daily access to 
DHS top decision-makers -- nearly two years of bureaucratic turf wars 
ensued. Three different cyber security officials resigned, two of them 
complaining publicly of their lack of authority.

James Lewis, director of technology and public policy at the Center for 
Strategic and International Studies in Washington, said the administration 
had already adopted the position that cyber initiatives would siphon funds 
away from physical security for high-value potential terrorist targets.

The high-level post "was forced on them by Capitol Hill," Lewis said. 
"Left to their own devices, the White House wouldn't have created the 

"A department that has failed [for a year] to find an assistant secretary, 
even by Washington standards ... has to be some kind of record," said 
Roger Cressey, former chief of staff of the president's critical 
infrastructure advisory board, which was dissolved in 2003 just before the 
formation of the Homeland Security Department.

Foresman maintained that the department is not sitting still: "We've 
looked at candidates who had solid backgrounds in telecommunications and 
in cyber security, but we have found a lesser number of candidates who had 
a great background in both areas."

One candidate for the post -- Guy Copeland, vice president for information 
infrastructure at El Segundo, Calif.-based Computer Sciences Corp. -- said 
he was among nearly a dozen similarly qualified industry experts he knew 
of who were approached. He said he declined for personal and financial 
reasons, but noted that others were apparently knocked out of the running 
for political or professional considerations.

Copeland said he hopes DHS can find a worthy candidate soon -- someone who 
has the clout within industry and government "who can not only go to 
[Congress] and argue for the resources ... but also someone who can help 
organize the [post-attack] response from various industry sectors," he 

John McCarthy, director of the critical infrastructure program at the 
George Mason University School of Law, agreed and related that just a few 
months after the administration released its cyber plan in 2003, one of 
his graduate students submitted a dissertation containing detailed maps 
zeroing in on key points in the Internet infrastructure that -- if 
targeted by terrorists -- could wreak a cascading series of outages 
capable of bringing major U.S. industries to a screeching halt.

Government officials suggested that the dissertation be classified, but 
ultimately the student simply agreed not to publish the details, according 
to McCarthy, who said he was also approached about the vacant DHS post but 
eventually was passed over.

"E-commerce is now the vehicle for delivering a wealth of private sector 
and government services," McCarthy said. "But cyber is now also the 
vehicle of choice for the bad guys to deliver and organize their 

Security experts say many of the computers that operate critical 
infrastructure -- known as supervisory control and data acquisition 
(SCADA) networks -- are increasingly being connected to Microsoft Windows 
systems and to the Internet to offer public utilities a cost-effective way 
to manage their far-flung assets. But that exposure also makes power, 
water, sewage and other such systems dangerously vulnerable to online 
attack, said Alan Paller, director of research for the SANS Institute, a 
computer security training group based in Bethesda.

"Hackers have discovered that owners of SCADA systems are very sensitive 
and that they can make money by threatening to do damage," Paller said, 
adding that he is aware of at least two incidents just this year in which 
attackers broke into and threatened to disrupt utility operations unless 
the owners paid a ransom demand.

Foresman defended the agency's progress, noting that DHS recently 
conducted simulation exercises with IT companies to determine how 
government and industry could better collaborate to "build better layers 
of resilience" into critical systems.

But McCarthy said he believes it is a question of when -- not if -- a 
major portion of the U.S. economy comes under a targeted cyber attack, and 
that the nation desperately needs the technical and social leadership in 
place to deal with it when the time comes.

"I believe that as we as a society and economy move towards a greater 
reliance on these vulnerable communications networks, that those who would 
wish us harm will find ways to target those infrastructures in ways we 
haven't thought about yet, and that's going to present a major challenge 
for whoever is picked for that position."

Copyright 2006 Washingtonpost.Newsweek Interactive

