By Wayne Rash
September 3, 2006
It has taken a year, but the federal government appears poised to
appoint an overseer for U.S. cyber-security.
Vallee Bunting, a spokesperson for the Department of Homeland
Security, in Washington, said officials there are whittling down the
list of candidates. Once the department decides on the best candidate,
that person will be appointed by the president and the Office of
Management and Budget.
According to Bunting, Senate confirmation is not required for this
For many in the technology industry, the appointment can't come soon
enough. After all, it's the private sector that controls most of the
infrastructure that could crack under a cyber-attack. A leadership
vacuum at the DHS makes the job of securing critical infrastructure
that much tougher.
As it is, the new head of cyber-security will have a lot to fix. It
has been five years since the Sept. 11, 2001, terrorist attacks, and
the DHS has received an F on computer security for three straight
years from the U.S. House of Representatives Committee on Government
Meanwhile, the Government Accountability Office has said in reports
that the DHS is unprepared for a cyber-attack.
"Since [President Bush] issued the national strategy to secure
cyberspace in February 2003, we've been running in place," said Paul
Kurtz, executive director of the Cyber Security Industry Alliance, a
group comprising information security companies, in Arlington, Va.
Why is it so hard to find a cyber-czar? Bunting said the biggest
challenge is finding a qualified person willing to leave a high-paying
job in the private sector for less compensation and more public
"One of the limiting factors is that the department is competing with
private industry, which has virtually unlimited resources for salaries
and benefits which would be an attractive incentive for highly
qualified candidates for this position," Bunting said.
"It takes a uniquely qualified individual to make the personal and
professional sacrifice to join a startup organization like DHS rather
than join the private sector."
The goal is to find the right person for the job, not to fill the
position as quickly as possible, Bunting said. She declined to be more
specific about when an appointment will be announced, saying only that
DHS "should have a candidate named soon."
The new assistant secretary will be responsible for two divisions
within DHS, National Communications System and National Cyber
Security. Currently, these functions are being overseen by Robert
Zitz, deputy under-secretary for preparedness.
Peter Metzger agreed that the DHS needs time to find the right
candidate. A former White House staffer with the Reagan administration
who also worked in the national intelligence community, Metzger is now
vice chairman of Christian & Timbers, an executive search company.
"You have to approach people who come out of one of three
backgrounds," said Metzger in Washington. "[You need to find]
high-net-worth people who want to give back, or it may be someone who
wants to come in and make a high-impact statement and go back out and
The third type "typically is someone who successfully holds a position
in the private sector but who feels that they want to contribute to
the global war on terrorism," Metzger said.
However, even for motivated people, getting hired for such senior jobs
isn't easy. "Typically, these positions require a senior security
clearance. They require full background investigations and full public
financial disclosure, and people aren't crazy about that," Metzger
Metzger declined to speculate on who will be appointed to the
cyber-security post. But he said that if he were making the
appointment, he'd "take a good, hard look at someone who has held very
senior CISO [chief information security officer] roles at some place
that has had a high-transaction volume, such as in financial services,
especially the global credit card companies."
But even if they find an ideal candidate who can get a security
clearance, it's still a hard sell, Metzger said.
"You take someone who is making three times what they could make in
the government [and] tell them that they're going to move to a
high-cost area, be scrutinized and have to disclose their financial
statement publicly, be given a full field investigation, and work 70
to 80 hours a week - that sometimes is a hard sell," he said.
Hard sell or not, someone needs to do the job, said Kurtz. Kurtz, who
was director of counter-terrorism and senior director of
cyber-security for the National Security Council during the Reagan
administration, said the delay in appointing a cyber-czar shows a lack
of leadership by the DHS.
"It's been a year since [DHS] Secretary [Michael] Chertoff announced
the creation of this position," Kurtz said.
HITBSecConf2006 - Malaysia
The largest network security event in Asia
32 internationally renowned speakers
7 tracks of hands-on technical training sessions.
Register now: http://conference.hitb.org/hitbsecconf2006kl/