When the U.S. Department of Homeland Security was created, it was supposed to find a way to respond to serious "cybercrises." "The department will gather and focus all our efforts to face the challenge of cyberterrorism," President Bush said when signing the legislation in November 2002.
More than six years later, and after spending more than $400 million on cybersecurity, DHS still has not accomplished that stated goal. "We need to have a plan tailored for a cybercrisis," DHS Secretary Michael Chertoff said on Thursday.
Chertoff told a conference in Washington, D.C., that creating such a plan first requires "a clear awareness of exactly what the dimension of the threat was," meaning the ability to detect intrusions in real time, and probably means taking some of the existing plans for physical attacks and "adapt them and some of the basic principles" to electronic threats.
"I do think that we have work to do in figuring out how to tailor something specific for cybersecurity in the same way that we've done it for natural disasters or terrorist attacks or things of that sort," he added.
Because only a few weeks are left in the Bush administration, any further work will be left to the administration of President-elect Barack Obama.
The Bush administration has spent $115 million on DHS's National Cybersecurity Division for the 2008 fiscal year. Totaling the budgets for the previous four years yields approximately $300 million, or approximately $415 million over five years including 2008.
The cybersecurity division has been plagued by a lack of leadership, with industry representatives unsure of who to contact. The revolving door of leadership within the division prompted a cybersecurity commission to recommend that leadership be moved to the White House, something that DHS opposes.
"There's no one place in charge," said Andy Singer, principal of the cybercampaign team for Booz Allen Hamilton, one of the sponsors of Thursday's conference. "Who does Bank of America go to if they're having a problem?"
Even by Washington standards, the turnover of various cybersecurity "czars" has been remarkable: Richard Clarke, a veteran of the Clinton and first Bush administrations, left the post with a lucrative book deal. Clarke was followed in quick succession by Howard Schmidt, then Amit Yoran and Robert Liscouski. Another DHS cybersecurity official, Jerry Dixon, said after he left that "nothing is happening" in the department in this area.
Along the way, DHS was regularly receiving poor grades--including an F--on computer security report cards released by a congressional oversight committee.
Not helping was what Chertoff once described as "initial concerns" about raising the profile of cybersecurity in a bureaucratic culture that was focused on physical threats, and the decision to leave the top DHS cybersecurity post open for over a year. Greg Garcia got the job in September 2006 and is still there, as is Undersecretary Robert Jamison, who oversees "infrastructure protection."
Part of the problem for DHS, though, is out of its immediate control. The commercial Internet has been built by private companies, who constantly monitor their systems for attacks and know the status and performance of their networks much better than a Washington bureaucracy ever could. Moreover, monitoring of private networks by government agencies raises serious security and privacy concerns.
This is what Chertoff said on Thursday:
I want to begin by saying that I'm very sensitive to the fact that the culture of the Internet, as well as the actual architecture, is one which does not lend itself to government regulation and mandates... We are willing to provide capability to those who want us to provide that capability, but we don't make you do it. And if someone doesn't want to have the government involved and they want to live outside of any kind of government assistance or cooperation, I don't know that we would necessarily be wise to try to make them do it...
And that's why I'm really emphatic about the need to not make this a mandatory system but rather a system where we create opportunities for people. I actually think most people in the private sector will take those opportunities and will accept our invitation. But I also know if we try to make it something that we push onto people, the backlash we are going to see will dwarf the controversies that we've seen with respect to what we've done in the communications field over the last eight years...
And then we're behind the eight ball because we're explaining that we're really not Big Brother. A classic example, before my time, was a search engine--I think it was called Carnivore, which the FBI came up with. And I think it made a lot of sense, but the word "Carnivore" was the absolute wrong thing to have in that program.
Chertoff also said that Bush has been briefed on these topics as recently as last week--"he's very, very concerned about making sure this vulnerability is adequately reduced and protected"--and said that the next generation of DHS' early-warning system for cyberincidents, called Einstein 3, would go live in the next six months.
Part of the purpose of arranging this week's cyberthreat simulation conference was to help all the relevant parties develop a plan of response in the event of a cyberattack--something that the DHS National Cyber Response Coordination Group has not accomplished.
Booz Allen Hamilton's Singer said it's too early to tell whether DHS will be able to sufficiently manage cybersecurity.
"If you look at some of the constructs in DHS--they have Undersecretary Jamison and the NCSC, the NCSD--it's a pretty tough task to make sure all of those pieces fit together," he said. "Whenever there's people involved, you always have the potential for seams, for things to fall through the cracks. On the first day of the simulation, people were looking for government to solve problems, but by the end of today, people were saying government can't save everything."
CNET's Stephanie Condon contributed to this report.