By Brian Krebs
washingtonpost.com Staff Writer
July 12, 2006
One year after the Department of Homeland Security created a high-level
post for coordinating U.S. government efforts to deal with attacks on the
nation's critical technological infrastructure, the agency still has not
identified a candidate for the job.
On July 13, 2005, as frustration with the Bush administration's cyber
security policy grew on Capitol Hill and Congress appeared poised to force
its hand, Homeland Security Secretary Michael Chertoff announced the new
assistant-secretary job opening.
Critics say the yearlong vacancy is further evidence that the
administration is no better prepared for responding to a major cyber
attack than it was for dealing with Hurricane Katrina, leaving vulnerable
the information systems that support large portions of the national
economy, from telecommunications networks to power grids to chemical
manufacturing and transportation systems.
"What this tells me is that ... [Chertoff] still hasn't made this a
priority ... to push forward and find whoever would be the best fit," said
Paul Kurtz, a former cyber security advisor in the early Bush
administration and now a chief lobbyist for software and hardware security
"Having a senior person at DHS... is not going to stop a major cyber
attack on our critical infrastructures," Kurtz said, "but [it] will
definitely help us develop an infrastructure that can withstand serious
attacks and recover quickly."
Rep. Zoe Lofgren (D-Calif.), a co-author of the bill that would have
forced the department to create the position last year, did not mince
words: "I think DHS is pathetic and incompetent. It's a complete mystery
what's happening over there."
But a DHS official assured critics that the agency is "in the final
stretch" of approving a candidate.
"We are hopeful we'll be able to announce in the not-too-distant future an
individual we think would be able to continue the work we've been doing,"
said George W. Foresman, undersecretary for preparedness.
Around the time of the agency's inception in early 2003, the Bush
administration released the "National Strategy to Secure Cyberspace," a
detailed roadmap for securing the nation's most critical information
networks and for crafting a disaster-recovery and response plan in case of
a major cyber attack or other massive malfunction.
The far-reaching plan led many in the high-tech community to hope that DHS
would establish a cyber security post with influence over the department's
policy and spending priorities. But when administration officials
relegated it to a lower hierarchical rung -- one without daily access to
DHS top decision-makers -- nearly two years of bureaucratic turf wars
ensued. Three different cyber security officials resigned, two of them
complaining publicly of their lack of authority.
James Lewis, director of technology and public policy at the Center for
Strategic and International Studies in Washington, said the administration
had already adopted the position that cyber initiatives would siphon funds
away from physical security for high-value potential terrorist targets.
The high-level post "was forced on them by Capitol Hill," Lewis said.
"Left to their own devices, the White House wouldn't have created the
"A department that has failed [for a year] to find an assistant secretary,
even by Washington standards ... has to be some kind of record," said
Roger Cressey, former chief of staff of the president's critical
infrastructure advisory board, which was dissolved in 2003 just before the
formation of the Homeland Security Department.
Foresman maintained that the department is not sitting still: "We've
looked at candidates who had solid backgrounds in telecommunications and
in cyber security, but we have found a lesser number of candidates who had
a great background in both areas."
One candidate for the post -- Guy Copeland, vice president for information
infrastructure at El Segundo, Calif.-based Computer Sciences Corp. -- said
he was among nearly a dozen similarly qualified industry experts he knew
of who were approached. He said he declined for personal and financial
reasons, but noted that others were apparently knocked out of the running
for political or professional considerations.
Copeland said he hopes DHS can find a worthy candidate soon -- someone who
has the clout within industry and government "who can not only go to
[Congress] and argue for the resources ... but also someone who can help
organize the [post-attack] response from various industry sectors," he
John McCarthy, director of the critical infrastructure program at the
George Mason University School of Law, agreed and related that just a few
months after the administration released its cyber plan in 2003, one of
his graduate students submitted a dissertation containing detailed maps
zeroing in on key points in the Internet infrastructure that -- if
targeted by terrorists -- could wreak a cascading series of outages
capable of bringing major U.S. industries to a screeching halt.
Government officials suggested that the dissertation be classified, but
ultimately the student simply agreed not to publish the details, according
to McCarthy, who said he was also approached about the vacant DHS post but
eventually was passed over.
"E-commerce is now the vehicle for delivering a wealth of private sector
and government services," McCarthy said. "But cyber is now also the
vehicle of choice for the bad guys to deliver and organize their
Security experts say many of the computers that operate critical
infrastructure -- known as supervisory control and data acquisition
(SCADA) networks -- are increasingly being connected to Microsoft Windows
systems and to the Internet to offer public utilities a cost-effective way
to manage their far-flung assets. But that exposure also makes power,
water, sewage and other such systems dangerously vulnerable to online
attack, said Alan Paller, director of research for the SANS Institute, a
computer security training group based in Bethesda.
"Hackers have discovered that owners of SCADA systems are very sensitive
and that they can make money by threatening to do damage," Paller said,
adding that he is aware of at least two incidents just this year in which
attackers broke into and threatened to disrupt utility operations unless
the owners paid a ransom demand.
Foresman defended the agency's progress, noting that DHS recently
conducted simulation exercises with IT companies to determine how
government and industry could better collaborate to "build better layers
of resilience" into critical systems.
But McCarthy said he believes it is a question of when -- not if -- a
major portion of the U.S. economy comes under a targeted cyber attack, and
that the nation desperately needs the technical and social leadership in
place to deal with it when the time comes.
"I believe that as we as a society and economy move towards a greater
reliance on these vulnerable communications networks, that those who would
wish us harm will find ways to target those infrastructures in ways we
haven't thought about yet, and that's going to present a major challenge
for whoever is picked for that position."
Copyright 2006 Washingtonpost.Newsweek Interactive
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.