Yoran: DHS has made progress, but hurdles remain

Amit Yoran brought the perspectives of an engineer and entrepreneur to his former job as director of the Homeland Security Department's cybersecurity division.

"Maybe that's not the right fit for the job," Yoran said Wednesday. "Like any large organization, there is a fair degree of bureaucracy" at DHS.

Yoran, who abruptly resigned from the department Sept. 30, called his year as the nation's top cybersecurity official "an interesting political experience." Speaking at the Computer Security Institute in Washington, he assessed his tenure with a combination of satisfaction and frustration.

"I believe we were successful in building the startup capability we were asked to build," he said.

On the other hand, "the government really doesn't know what its IT assets are," he said, and is doing an inadequate job of certifying systems and software for security.

Yoran said he tried to take a practical approach to cybersecurity during his time at the helm, with both long- and short-term programs.

At the strategic level, the department has funded research and development into tools to aid in the software development process. Perpetuating known coding errors is a common source of security flaws in software, and automating the quality assurance process could change the attack-and-patch cycle of securing IT systems.

"I think this is going to happen through software assurance tools," Yoran said. "But you have to be realistic about how long it is going to take to produce a more secure infrastructure."

Looking for a more immediate impact, Yoran set out to accurately define the government's IT space.

"The first thing I asked was what does our address space look like?" he said.

When he could not get an answer, he began a program to map government IP addresses.

"It's not yet complete, but we have tabled out what the address space looks like," he said.

The project has identified 5,700 network blocks of varying size, from class A to class C. The department then began a program to identify the Internet exposure of those networks.

"The work is not yet done, but we have been scanning the 127 agencies and the 5,700 network blocks," he said. The next step would be to analyze the data to produce vulnerability profiles that can be acted upon.

Yoran's deputy, Andy Purdy, now is acting cybersecurity director at DHS. Some security experts have complained that the position is buried too far down on the DHS organizational chart and have proposed making the cybersecurity chief an assistant secretary or moving the position into the White House.

Yoran said he felt his position was at the proper level in DHS for the job he was asked to do, but refused to speculate on where his replacement should be.

"Let the folks who do the organizational structures craft the structure that will be most effective," he said.

He said his replacement should be someone who can maneuver through the bureaucracy better than he was able to.

"I am optimistic you will be able to recruit high-caliber folks who will step up to that job," he said.