Who can solve the CYBERPUZZLE?
DHS cybersecurity post raises questions of power, budget and qualifications
Sidebars: It's all who you know; One to watch: Baker's role will impact cyber efforts; Hot cyber contracts
- By Alice Lipowicz
- Aug 14, 2005
Homeland Security Secretary Michael Chertoff's announcement last month that he would create a new assistant secretary post for cybersecurity and telecommunications has been warmly welcomed by the IT community. But amidst the applause, questions arise.
"Will it have any teeth? If it has no teeth, it will have no power, just like its predecessors," said Richard Stiennon, vice president of anti-spyware developer WebRoot Inc. of Boulder, Colo.
The new position, announced July 13 but not yet filled, has been greeted with much jubilation among IT executives eager to see a more aggressive and comprehensive federal approach to cybersecurity.
The new post may help strengthen the nation's economic security and also expand business opportunities in the $8 billion federal cybersecurity and information security sector.
Chertoff elevated the department's top cybersecurity position by at least one level in the management chart. Previously, the top post was below assistant secretary and at least three levels below secretary.
The former post was filled for a year by Amit Yoran, who resigned in October 2004. Yoran's deputy, Donald "Andy" Purdy Jr., is acting director.
Yoran was the first director of DHS' National Cyber Security Division, created in June 2003. He took over as federal cyberczar as White House cybersecurity special advisers Howard Schmidt and Richard Clarke resigned in early 2003.
"Over the past two years, cybersecurity was a revolving door at DHS," said Dan Burton, vice president of government affairs for global digital security company Entrust Inc. of Addison, Texas. "Chertoff certainly is giving it more clout."
"Elevating it sends a strong message about the importance that Secretary Chertoff is placing on it," said Renato DiPentima, president and CEO of systems integrator SRA International Corp. of Fairfax, Va.
The new title, although a major advancement, has not removed uncertainties about authority, priorities and budget that may need to be resolved for the new DHS cyberchief to be fully effective.
"We've been very supportive of creating an assistant secretary position, but what it needs more than the title is the authority and the resources to get the job done," said Ken Silva, chief of security for Internet security services provider VeriSign Inc. of Mountain View, Calif. "A fair amount is unfinished."
"We're very pleased, but the jury is still out," said Adam Rak, director of government and corporate affairs for security software developer Symantec Corp. of Cupertino, Calif.
Creating the new post brings to the fore questions about whether it will have adequate authority to improve cybersecurity operations at DHS' 22 agencies and governmentwide, and how its duties will intersect with those of other federal agencies that have significant cybersecurity responsibilities, including the Office of Management and Budget, and the Commerce, Defense and Justice departments.
DHS has been criticized for a lack of effectiveness in safeguarding information security among its own agencies, in assisting chief information security officers at federal agencies to improve their cybersecurity operations, in facilitating information exchanges with the private sector, and in spearheading cybersecurity research and development, among other activities.
Industry officials hope that a strong cybersecurity assistant secretary takes on these high-priority tasks and more.
"It will be easier to fill than the last position, but it won't be an easy job," Rak said. "The new assistant secretary position creates a better chance of success rather than being buried in bureaucracy."
A higher profile for cybersecurity at DHS and across the federal government would enhance opportunities for systems integrators and vendors. The federal cybersecurity market stands at about $1.6 billion and is projected to grow by 27 percent by fiscal 2009, according to market research firm Input Inc. of Reston, Va.
The federal information security market will grow nearly as fast, Input said, to $7.3 billion by fiscal 2010, from $6.1 billion now, a 20 percent rate of growth.
"We're seeing the focus on information security gain momentum," Chris Campbell, senior analyst at Input, said in a recent news release.
FRONT AND CENTER
Cybersecurity became a significant issue for the federal government within the last decade, and President Bush released a National Strategy to Secure Cyberspace in October 2002. It states that DHS will play a central role in implementing the strategy and serve as the primary federal point of contact for state and local governments, the private sector and the public. It also assigns the director of OMB to ensure that federal agencies, with the exception of the Pentagon and CIA, secure their IT systems.
DHS, in partnership with Carnegie Mellon University of Pittsburgh, set up the Computer Emergency Readiness Team Operations Center in September 2003 to coordinate information sharing about preparedness, attacks, responses and recoveries from cyberattacks. With the Justice Department and Pentagon, DHS formed a national cybersecurity response entity and will conduct a national exercise, Cyber Storm, in November.
But many gaps remain. The Government Accountability Office in May cited DHS for failing to address fully the 13 responsibilities set for it by Congress: DHS has not developed vulnerability assessments or recovery plans, and it "continues to have difficulties in developing partnerships," GAO said.
Separately, GAO in July criticized DHS for failing to fully implement programs to protect its own information security within the department. Shortcomings include incomplete risk assessments, lack of security plans and incomplete or nonexistent testing and evaluation of policies and procedures. DHS officials did not respond to requests for comment.
Nearly all federal agencies are receiving failing grades on their compliance with the Federal Information Security Management Act, the primary law for federal agencies' cybersecurity, and both OMB and DHS have some responsibility for pushing agencies to raise their grades.
OMB is in charge of policy; DHS provides "operational-level assistance," said OMB spokesman Scott Milburn, who declined further comment.
But there has been uncertainty about OMB's and DHS' respective roles. For example, although DHS sponsors a chief information security officer forum to address cybersecurity concerns, OMB in April co-sponsored a similar effort, the CISO Exchange, which the agency disbanded following criticism of its structure and fees.
Separately, GAO July 13 blamed both DHS and OMB for not clarifying for federal agencies where and how they should be reporting IT security intrusions. Rep. Tom Davis (R-Va.) has raised concerns about whether a new DHS cybersecurity chief would duplicate activities OMB is performing.
One source of problems is fragmentation of security efforts, as most federal agencies have several units and divisions pursuing cybersecurity programs.
"The irony is that a large company would never have a bunch of CIOs and CISOs and so many different cybersecurity programs. It would be a unified effort," VeriSign's Silva said.
Those problems are likely to be ameliorated as enterprise-level architectures are strengthened at DHS and elsewhere, he said.
Another high priority for the new cyberchief at DHS is improving information sharing about IT security threats, viruses, hack attempts and fraud, IT experts said. Private-sector participation in IT threat reporting systems and networks has evolved by sector -- agriculture, energy, financial services, water, health care -- and many view the new DHS cyberchief position as an opportunity to strengthen reporting across sectors.
The cross-sector sharing is very limited, Symantec's Rak said.
"Before, each sector would work with each separate agency," he said. "Now, they are working on a centralized location."
In addition, IT experts would like DHS to be a single conduit of information on IT security threats, such as FBI information about computer crimes and details about the latest activities of those committing such crimes. Such details are only available in an ad hoc fashion. "Someone has to coordinate it," VeriSign's Silva said.
In research also, the new cyberczar at DHS should play an important role, the Cyber Security Industry Alliance recommended in July.
Specifically, the group said, the cyberchief should coordinate IT security research and development funding, which is distributed among the Defense, Commerce and Justice departments. The bulk of the $238 million spent on federal IT research in 2004 went to the military.
The alliance urged the Bush administration and Congress to designate a single entity, most likely the new assistant secretary at DHS, to coordinate cybersecurity research and development and prepare a long-term plan with more federal funding.
The new cyberchief at DHS is the logical choice to head the efforts, the alliance said. However, it also noted that DHS is not a member of the Networking and Information Technology Research and Development Program, which has more than a dozen federal agency members.
In addition to meeting the specific challenges, the new cybersecurity chief also ought to bring greater visibility to the issue overall, IT executives said.
"One of the first benefits will be DHS' internal compliance and renewed focus within DHS, but there also is a benefit externally to send a message of cybersecurity needs to the broader population," SRA's DiPentima said. "It's a bully pulpit."
IT'S ALL WHO YOU KNOW
A roundup of government, industry and private-sector organizations involved in cybersecurity issues:
INDUSTRY
Business Software Alliance
Corporate Information Security Working Group
Cyber Security Industry Alliance
Financial Services Information Sharing and Analysis Center
Information Technology Association of America
Internet Corporation for Assigned Names and Numbers
Trusted Computing Group
U.S. Chamber of Commerce
GOVERNMENT
President's Information Technology Advisory Committee
Homeland Security Department: Computer Emergency Readiness Team, National Cyber Security Division
Office of Management and Budget
National Institute of Standards & Technology
National Science Foundation
ACADEMIA
University of Pennsylvania: Cyber Incident Detection Data Analysis Center
Carnegie Mellon University: Computer Emergency Readiness Team
GLOBAL
Convention on CyberCrime
ONE TO WATCH: BAKER'S ROLE WILL IMPACT CYBER EFFORTS
IT executives anticipate that the Homeland Security Department's new cybersecurity czar position and its responsibilities may be shaped by another newcomer to the department with an even higher profile in the IT world: Stewart Baker, DHS' newly named assistant secretary for policy.
Baker is one of Washington's most influential technology lawyers, and has been at odds with civil libertarians in the past. He was chief counsel to the 9/11 Commission and general counsel to the National Security Agency under the Bush and Clinton administrations. Baker was nominated for the new DHS position July 14, but the Senate has not confirmed him.
A lawyer at Steptoe and Johnson LLP in Washington, Baker has been prominent in major IT privacy and data security debates over the last 15 years, including his advocacy on behalf of the NSA in the early 1990s of the Clipper Chip. The chip, based on the Skipjack algorithm, was an encryption standard with a "back door" that allowed spy agencies to access encrypted voice, fax and computer records for national security purposes.
His appointment sends a positive message about the importance of IT and technology at DHS, said Dan Burton, vice president of government affairs at Entrust Inc.
"Stewart Baker knows cybersecurity, the IT industry and government," Burton said. "To bring in someone of his stature sends a strong signal."
"You would assume Stewart Baker would play a role, and it's natural that he would have some influence" on the cybersecurity post, said Patrick Burke, senior vice president and director of command, control, communications and intelligence for SRA International Corp. of Fairfax, Va.
Baker declined a request to comment for this story. However, he has espoused some detailed views on IT for homeland security in the past.
In his testimony to the 9/11 Commission in December 2003, Baker said he wants investigators to be able to search, within 30 seconds, a terrorism suspect's address, phone, e-mail, financial, travel and organization records. The government also needs to have access to private-sector data about a specific attack site within four hours after that site is threatened, and to be able to locate critical infrastructure nodes in the vicinity of an attack within five minutes, Baker said.
To protect against abuses, DHS should make use of IT for electronic auditing and rules-based access control, as well as anonymization and one-way hashing, which allow data searching between private and public databases while also controlling access to protect privacy, Baker wrote in his testimony.
But Marc Rotenberg, director of the Electronic Privacy Information Center, a nonprofit advocacy group, said he is worried about Baker's views on privacy because he has crossed swords with him many times on issues such as the Patriot Act and wiretapping.
"It's disturbing that DHS, which will now have broad authority within the United States, selects someone who spends a great deal of time looking at means to expand electronic surveillance," Rotenberg said.
HOT CYBER CONTRACTS

Defense Information Systems Agency
Contract: Threat Solution to Protect DOD from Activity Against Networks, Systems or Data
Status: Request for information was released May 26. Comments were due by June 21 and are under review.
Purpose: DISA believes that the Defense Department isn't adequately protected from malicious insider attacks. The agency is looking for a software product to help identify and respond to such attacks.

General Services Administration
Contract: Security Line of Business
Status: Opportunities are expected to begin showing up in the 2007 budget cycle. A request for information was released in April.
Purpose: GSA, the Office of Management and Budget and the Homeland Security Department are looking for ideas on how to manage information security risks, identify and defend against threats, correct vulnerabilities and effectively manage a governmentwide information systems security program. A task force is expected to submit recommendations to OMB by Sept. 1.

Navy and DHS
Contracts: Alliant and Alliant Small Business
Status: RFPs are expected in September, awards in October 2006.
Purpose: Alliant is open to all bidders, while Alliant Small Business is open only to contractors in one of the government's small-business categories. Alliant has a ceiling of $50 billion, and Alliant Small Business has a $15 billion ceiling. The contracts will consolidate several large, multiple-award contracts and will be used to acquire a broad range of IT services, including information assurance and operations, security and systems design and development.

Navy and DHS
Contract: Information Assurance Engineering Support Services
Status: A request for proposals is expected later in August. The Space and Naval Warfare Systems Center in Charleston, S.C., is managing the contract.
Purpose: The Navy and DHS are cooperating on two contracts: one for small businesses, and one that is open to all bidders. They want to acquire services in the full range of information assurance, including network security, security life-cycle management, governance, certification and accreditation, risk management, security awareness, training and education, security engineering, cryptographic repair, cryptomodernization and cross-domain solutions.

Veterans Affairs
Contract: Enterprise Privacy Program Portal Support
Status: A statement of work was released March 15.
Purpose: The enterprise privacy program within VA's Office of Policies, Plans and Programs wants a contractor to help the office with requirements stemming from several laws, including the Health Insurance Portability and Accountability Act, E-Government Act, Federal Information Security Management Act, Freedom of Information Act and Privacy Act. Services will include training, security awareness and information security.