title:

Insecurity (or is that frustration) at the top

By Scott Bradner

A couple of months after getting a bad report card and a few days after one reorganization plan was stripped out of a House security bill the U.S. Cybersecurity Chief resigned his job with one day's notice. He claimed it was because he had finished his work and hinted that another reason was a desire to spend more time with his family and 3-month old twins. But the Washington buzz is that there is less to the story than that.

Anit Yoran was the third U.S. cybersecurity chief to resign in the last two years starting with Richard Clarke who was followed in resignation by Howard Schmidt. Both of Yoran's predecessors publicly expressed frustration that cybersecurity was getting far less emphasis in the minds of government officials than they felt it should. Reports that Yoran felt the same way have been circulating around Washington for the last few months.

I expect that the report of the Department of Homeland Security (DHS) Inspector General (http://www.nwfusion.com/columnists/2004/080904bradner.html) did not make Yoran feel all that good. Nor, I expect, did the removal, less than a week before he resigned, of a provision in a U.S. House of Representatives security bill that would have moved the DHS cybersecurity effort to the U.S. Office of Management and Budget where it might have gotten more resources. In what may be a rewriting of history, no one now admits that there was ever such a provision in spite of a number of believable reports at the time. Another effort, to raise the status of the cybersecurity chief within DHS, is still alive but may be dying.

This effort has a staff of 60 people and an annual budget of $70 million or so but does not seem to be doing much that anyone can see, as the Inspector General's report card pointed out.

It is hard for me to understand why so little is being done. Various reports put the annual loss due to cybersecurity problems in the US at tens of billions of dollars. Even in Washington I would think that someone would notice numbers of this size. Note that this is a time of relative cyber peace. I say cyber peace because there does not seem to be much evidence I've seen that we are under a general attack by organized groups. The evidence seems to be that the big problems at this time are the result of cyberpunks trying to out do each other or from plain old capitalism where hackers are selling the use of networks of compromised computers to spammers or to people who want to order a denial of service attack on someone else. Things could get a lot worse if some anti-US group or government decided to try to trash the US cyber infrastructure to make a political point.

I'm not quite sure what a good and effective US government led cybersecurity effort would actually do but the way things are going there does not seem too much of a risk of finding out.

disclaimer: Some of what Harvard does is seen as good, some effective, a little is seen as both and some is seen as none of the above but this commentary is my own.