- By Patience Wait
- Mar 20, 2003
Harris Miller, president of the Information Technology Association of America, is worried because some people in the administration don't believe the government needs a cybersecurity representative.
WT file photo
Demise of critical infrastructure board makes industry 'nervous'The decision by the White House to eliminate the President's Critical Infrastructure Protection Board and fold its responsibilities into the new Department of Homeland Security is raising concerns that cybersecurity is losing the attention of the Bush administration."The White House has given us assurances that they're still deeply concerned about this [issue], but there are no details about it yet, so there's a lot of nervousness," said Dan Burton, vice president of public affairs and policy for Entrust Inc., an Internet security services company in Addison, Texas.But Harris Miller, president of the Information Technology Association of America, Arlington, Va., said he's worried because some people in the administration don't believe the government needs a cybersecurity representative."There seems to be a lot of internal discussion about this. ... This should be a no-brainer," Miller said.These anxieties may be partially offset by the creation March 4 of a subcommittee for cybersecurity, science and research and development by the new House Select Committee on Homeland Security. The committee is being chaired by Rep. Christopher Cox, R-Calif., but a decision has not been made regarding who will serve as chairman of the new subcommittee."We do have a very strong cadre of well-informed supporters on the Hill who have demonstrated leadership on this issue," Miller said.Concerns in the IT business community over possible White House inattention arise, in part, because the law creating the new department makes no mention of cybersecurity. Also, on the Homeland Security Department's organizational chart (http://www.dhs.gov/interweb/ assetlibrary/DHS_Org_Chart.ppt) there is no apparent place that shows who has responsibility for IT issues. For now, cybersecurity is considered an element within the Information Analysis and Infrastructure Protection directorate, which also addresses the security of the United States' physical infrastructure and intelligence analyses to flag threats and identify terrorists.Another source of worry for the IT industry is that the demise of the board and the Feb. 21 departure of cybersecurity czar Richard Clarke leave no one in the White House focused on cybersecurity. It is still unknown where Howard Schmidt, who succeeded Clarke as head of the CIPB, will land. President Bush signed the executive order closing the CIPB Feb. 28."We've urged [the administration] to keep a special adviser for cybersecurity, someone with some functions in the White House," said Mario Correa, director of Internet and network security policy at the Business Software Alliance. "But if they're at the Department of Homeland Security, we want that person to have a specific portfolio focused on cybersecurity."Entrust's Burton said the White House decision to move the responsibilities of the CIPB to the new department makes sense, because it consolidates security activities there, just as it's sensible to have physical and cybersecurity in the same part of the organization.Burton said industry is concerned that this move is a downgrade. "The key question is does the issue of cybersecurity have a seat at the big table for policy questions," he said.Cybersecurity's loss of stature as a policy issue also concerns ITAA's Miller."We have heartburn about [going from] a special adviser to the president and the CIPB to nobody, or someone who's seven steps down on the ladder," Miller said. "That's a sign that the administration has lost its focus."But Miller is pleased that the new House committee is giving cybersecurity high priority. He said Reps. Tom Davis, R-Va., chairman of the Government Reform Committee, and Sherwood Boehlert, R-N.Y., chairman of the Science Committee, also support more emphasis on cybersecurity.
"Agencies are now spending so much money writing reports, they don't have the resources to make [themselves] safer." ? Alan Paller, director of research at the SANS Institute:
[IMGCAP(2)]Alan Paller, director of research at
the SANS Institute, an IT research
and education organization in Bethesda, Md., said there is another drawback to
the loss of White House access. Clarke and his staff had built voluntary support among the corporations and organizations that could help in case of a
cyberattack, he said."Although that network will continue -- because everybody in it agrees with the goals -- it will lose a little energy, because people in California will be less likely to fly all night to attend a meeting because it was at the White House," Paller said.Paller said he was skeptical that forming a congressional subcommittee would do much to address the government's cybersecurity needs, though he said he was willing to suspend his doubts. Up to now, Congress has been more concerned with agencies filing reports than with improving their cybersecurity, he said."Agencies are now spending so much money writing reports, they don't have the resources to make [themselves] safer," Paller said. "Maybe a separate subcommittee would actually help it do things to improve security."Behind the scenes, the White House has been trying to soothe industry worries, promising that cybersecurity responsibilities will be properly filled. Correa and Miller, whose associations represent large segments of the IT industry, both said administration officials have been giving "high-level assurances" that corporate concerns will be addressed.Miller said he is trying to give the administration the benefit of the doubt, but still has nagging concerns. "This bureaucratic game playing is childish and is not accomplishing what needs to be accomplished. ... It sets a terrible example for the business community and the global community," he said. *Staff Writer Patience Wait can be reached at firstname.lastname@example.org.