Help (still) wanted: Cybersecurity czar

Exactly one year after its creation, a high-level cybersecurity czar post within the U.S. Department of Homeland Security remains vacant, drawing new criticism from politicians and technology industry groups.

On July 13, 2005, Homeland Security Secretary Michael Chertoff announced the creation of an assistant secretary for cybersecurity and telecommunications post as part of his "six-point agenda" to reorganize the sprawling agency.

Currently, the agency's top cybersecurity officer is a low- to mid-level position further removed from the secretary. The new official, charged with leading the government's responses to threats and attacks, is supposed to report directly to the undersecretary for preparedness, one of three top level officials who answer directly to Chertoff.

"It's apparent that the department is moving at dial-up speed in hardening this infrastructure to respond to cyberattacks," Rep. Bernie Thompson, a Mississippi Democrat who serves as co-chairman of the U.S. House of Representatives Homeland Security Committee, said in a statement Thursday. The vacancy has also inspired outrage from his colleague, California Democrat Zoe Lofgren.

Homeland Security spokesman Jarrod Agen said the department is "close to the final stages of the hiring process" and should be naming a candidate soon, though he wasn't sure precisely when that would occur.

He admitted, however, that the process has been challenging, since the government must compete with the higher salaries and other perks, such as stock options, dangled by the private sector.

"It takes a unique candidate to make the personal and professional sacrifice to join a relatively young organization like DHS and take on the responsibility and the criticism that they'll encounter in that very demanding role," he said.

But without a strong leader in charge, it's unclear how well the nation would be able to respond to cyber-catastrophes, critics charged.

"It is indicative of the ongoing lack of attention being paid to cybersecurity at the most senior levels of government," said Paul Kurtz, executive director of the Cyber Security Industry Alliance, an advocacy group with security companies as its members. "There is no shortage of qualified candidates to serve as assistant secretary, just as there is no shortage of hackers eager to wreak havoc on our information infrastructure and national economy."

The Business Software Alliance, whose members include Apple Computer, Cisco Systems, Dell and Microsoft, took a gentler tack in voicing its concerns. In a three-paragraph letter to Chertoff dated July 12, President Robert Holleyman said he appreciated the position's creation and was "hopeful" a qualified individual would be appointed "in the near future."

[heystoopid]

All to simple really

All to simple really, they can't find one dumb enough or stupid enough to be a rubber stamp yes man!

[Macsaresafer]

True.

If you take that job, you can't protect Windows and you can't get rid
of it either! That means certain failure, and you're the one that will
be blamed.

[ajbright]

not so tough a decision

Lets see. Should I take a job that
1/Doesn't carry the authority to implement anything worthy of the name security while at the same time being used as the scapegoat whenever the inevitably successful attacks on national security networks take place.
2/Will have to oversee security of disparate and incompatible systems, some of which are over 4 decades old, without any of the personel that remember how to support such equipment.
3/Have to completely replace software in a hostile environment while political backstabbing and preventative tactics attempt to hold onto each person's own little kingdom. In other words not a single user will give new systems time to bed in and adapt because existing managers whose positions will no longer be unassailable due to systems that only they had the required knowledge to support or even operate will do their best to bias their employees against any sort of change.
3/Whenever a new virus or worm trickles out from some Russian mafia's workstation, the ensuing over-reaction and end-of-the-world scenarios are over-hyped by a media with little or no understanding in computer security. This is then exacerbated by antivirus and security software companies hoping to cash in on the fear caused by such hysteria.

So trying to deliver a healthy dose of reality, such as the only people going to be affected are those that can't be bothered to implement patch management systems and the subsequent manual labor involved in cleaning and then patching affected systems is hardly life threatening - especially as no systems exist that control power plants, dams or city water supplies that could be affected by Windows malware will probably go unnoticed or worse, be discredited by CompUSA store employees whose vast knowledge of computer security amounts to little more than how to install overpriced antivirus software.
4/That the real solutions to things like identity theft have more to do with prosecuting companies that store people's personal data without adequate protection or those that dispose of media containing such information without appropriate safeguards (shredding, disk wiping, etc) will definitely be ignored in favour of solutions that will actually make the situation worse - in a similar way that Can Spam has introduced a world with more spam per legitimate email than previously thought possible.

hmm let me think about it for a moment..

My guess is the successful candidate for this position will have absolutely no legitimate background in systems security, but will be a political grandstander, who's career is nothing more than a sleazy climb up the corporate ladder - or will be George Bush's buddy from college that let him copy his science assignments.

[chuchucuhi]

neat

oh sounds like a commercial about the exciting world of joining the army.

The reason why is.....

all the people (er, cronies) they wanted to put in the position were too busy downloading kiddie porn and standing near schools wearing raincoats.

[ml_ess]

Lets make it even easier for high-tech fraudsters..

The government's response to security breaches really is amazing. After the recent laptop thefts, hackings, phishing scams, trojans, etc. something like this should be top priority.
http://www.techknowbizzle.com/2006/06/20788366461-brief-history-of-data.html

Information contained within government computers puts all Americans in risk, if it is something that can be accessed by a creative hacker. Proper safety precautions should be their top priority at this point.

[Ipod Apple]

response to security breaches really is amazing.

http://www.analogstereo.com/lexus_gs_owners_manual.htm

[mveronica]

Much needed change....

Although I agree with previous comments made by ajbright, and how the position would most likely turn into a lose/lose scenario, I can't help but feel that the government is in dire need of a leader in tech security.

I'm somewhat relieved to see that the government is even taking action into trying to refresh the position. It shows that they atleast recognize that they're facing a huge security problem....one that's going global.

http://www.techknowbizzle.com/2006/06/data-security-gets-worse-as-hackers-go.html

http://www.techknowbizzle.com/2006/06/us-government-finally-sets-standards.html

But yeah, it's good to finally see some action taking place over at homeland security. But if it's going to take over a year for the government to start making some much needed changes, we should probably take our own private security into our own hands.

www.essentialsecurity.com