October 10, 2005 4:00 AM PDT

U.S. cybersecurity due for FEMA-like calamity?

In the wake of Hurricane Katrina, the Federal Emergency Management Agency has been fending off charges of responding sluggishly to a disaster.

Is the cybersecurity division next?

Like FEMA, the U.S. government's cybersecurity functions were centralized under the Department of Homeland Security during the vast reshuffling that cobbled together 22 federal agencies three years ago.

Auditors had warned months before Hurricane Katrina that FEMA's internal procedures for handling people and equipment dispatched to disasters were lacking. In an unsettling parallel, government auditors have been saying that Homeland Security has failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies.

"When you look at the events of Katrina, you kind of have to ask yourself the question, 'Are we ready?'" said Paul Kurtz, president of the Cyber Security Industry Alliance, a public policy and advocacy group. "Are we ready for a large-scale cyberdisruption or attack? I believe the answer is clearly no."

The department, not surprisingly, begs to differ. "Cybersecurity has been and continues to be one of the department's top priorities," said Homeland Security spokesman Kirk Whitworth.

But more so than FEMA, the department's cybersecurity functions have been plagued by a series of damning reports, accusations of bureaucratic bungling, and a rapid exodus of senior staff that's worrying experts and industry groups. The department is charged with developing a "comprehensive" plan for securing key Internet functions and "providing crisis management in response to attacks"--but it's been more visible through press releases such as one proclaiming October to be "National Cyber Security Awareness Month."

Probably the plainest indication of potential trouble has been the rapid turnover among cybersecurity officials. First there was Richard Clarke, a veteran of the Clinton and first Bush administrations who left his post with a lucrative book deal. Clarke was followed in quick succession by Howard Schmidt, known for testifying in favor of the Communications Decency Act, then Amit Yoran and Robert Liscouski.

The top position has been vacant since Liscouski quit in January. In July, Homeland Security Secretary Michael Chertoff pledged to fill the post but has not named a successor.

"I sure wouldn't take that job," said Avi Rubin, a professor specializing in cybersecurity at Johns Hopkins University. "It only has a downside."

If an Internet meltdown happened--perhaps a present-day rendition of the 1988 worm created by Robert Morris, which forced administrators to disconnect their computers from the network to try to stop the worm from spreading--Homeland Security's cybersecurity official would wield little power yet shoulder all the blame, Rubin said. "The person who was cybersecurity czar would be out of a job and would be blamed, even though it might have been someone else not following a policy."

Other top-level staff have been departing: The deputy director of Homeland Security's National Cyber Security Division, a top official at the Computer Emergency Response Team, the undersecretary for infrastructure protection and the assistant secretary responsible for information protection have all left in the past year.

A promotion in the works
Raising the profile of cybersecurity efforts inside Homeland Security has garnered some support in the U.S. House of Representatives.

Earlier this year, Rep. Zoe Lofgren, a California Democrat, and Rep. Mac Thornberry, a Texas Republican, reintroduced legislation from the previous congressional session that would create an assistant secretary for cybersecurity.

The much talked-about position would report directly to the Homeland Security secretary, on equal footing with posts that oversee the nation's physical infrastructure. Under current department structure, the top cybersecurity official is buried in a few levels of bureaucracy beneath the Homeland Security chief.

"Creating an assistant secretary is far more than just an organizational change," Thornberry said when introducing the bill. "It is an essential move to assure that cybersecurity is not buried among the many homeland security challenges we face."

The proposal was ultimately wrapped up in the broader Homeland Security Authorization Act for 2006 and has been approved by the House. But since May, it has been sitting in front of the Senate Homeland Security committee, which has not indicated when further action will occur.

Outside observers are holding out hope for Chertoff's departmental reorganization announced in July. As part of the reshuffling, he hired Stewart Baker, former general counsel to the National Security Agency and a well-respected technology lawyer, to be assistant secretary for policy. Baker is waiting for Senate confirmation.

"It's been a mess for over four years, and hopefully the new folks will fix this," said Jim Lewis, director of the technology and public policy program at the Center for Strategic and International Studies.

"In the previous incarnation, DHS and the Homeland Security Council didn't really know what to do with cyber--it's been a deer-in-the-headlights experience for them," Lewis said. "It's not clear who's even in charge. When you look at all the different committees who

CONTINUED:
Page 1 | 2

See more CNET content tagged:
cybersecurity, homeland security, Richard Clarke, department, Hurricane Katrina

38 comments

Join the conversation!
Add your comment
Don't care for the slant of this article!
EMA handles emergencies locally first, makes reports and estimates of required logistics and then calls for FEMA help if/when required including the logistics required (over and above that which they have locally).

Gathering all pertinent information related to the collateral damage and making estimates of the amount and type(s) of logistics required alone took more than a day due to the wide destruction in that area.

And getting together the sheer amount of logistics required takes at least another day or two at best.

Nagin on the other hand had over 250 school busses and all of the city busses to his avail but didn't use them.

Thus let's not drag FEMA in when FEMA isn't to be blamed. EMA is first response... FEMA is called in later. But both usually respond AFTER the damage has been caused.

The city and state are responsible for planning evacuations of that scale and if they are unable to handle it... they can request for FEMA support, but that request must be received prior to FEMA being able to step on the states toes. That's how state regulations were created and how they still work.

So as for why FEMA didn't respond earlier... who made the call to request assistance. Nagin didn't, Blanco didn't...

As for CyberSecurity heading for a FEMA like catastrophe... Now that the first part of this article has been de-bunked... what similar catastrophe is that?

There are numerous threats which continue to cause worries about our internet. But here too... it's not the CyberSecurity team which DHS heads that will thwart the problem as much as it is each individual ISP's acceptance and implementation of the effective methods to thwart off such attacks.

But with so many concious objectors and lack of support from ISP's... they're gonna be the future Nagin and Blanco runner-ups if they don't get their cyber-threat-ears out there and start taking more responsibility where the first line of responsibility should be taken.

SPAM is one very good example. SPAM continues to be sent out with spoofed addresses even though that was declared illegal over 1.5 years ago. ISP's are the first line of defense. But many today still don't do anything to stop it. Blocking outgoing port 25 would go a long way to reduce a good amount of SPAM, but they do nothing about it.

Just like Nagin and Blanco... so don't go trying to pin the tail on the elephant in the white house when it belongs on the local donkey!

Walt
Posted by wbenton (522 comments )
Reply Link Flag
Are you serious?
1) While it's obvious that both state and local governments were ill-prepared, FEMA has made woeful blunders. Even if you get your news from Fox News Channel, it should still be obvious.

2) What type of attacks? Well, how about taking down DNS servers? That'd take down the whole Internet. Not to mention attacks on supposedly closed-off infrastructure networks (something like the most recent season of "24").
Posted by Rusdude (170 comments )
Link Flag
$100 million For Ice, No Bid Contracts
Sure 'Noggin and Blink-o were unprepared to handle Katrina, but FEMA was a mess too. FEMA spent $100 on ice alone for Katrina, most of which never got to its destination. Truckers were hired to drive it all over the country, any place BUT New Orleans and Mississippi. After playing who's on first with the ice, because FEMA lacked a useable computerized inventory tracking system, it was finally put into cold storage at various warehouses across the country.

There's also the issue of numerous FEMA no-bid contracts. Yes, that again! So don't try to put all the blame on the local party hacks, FEMA created its own disaster. The point of this story is that DHS Cybersecurity is another FEMA waiting to happen. Will we all be surprised when it happens, when Congress calls for yet another blue- ribbon committee after the fact? When the Schummer-Feinstein-Boxer-Sharpton-Jackson hacks swoop down and again try to make it a purely Republican issue? Well at least CNET readers won't be surprised.
Posted by Stating (869 comments )
Link Flag
Don't care for the slant of this article!
EMA handles emergencies locally first, makes reports and estimates of required logistics and then calls for FEMA help if/when required including the logistics required (over and above that which they have locally).

Gathering all pertinent information related to the collateral damage and making estimates of the amount and type(s) of logistics required alone took more than a day due to the wide destruction in that area.

And getting together the sheer amount of logistics required takes at least another day or two at best.

Nagin on the other hand had over 250 school busses and all of the city busses to his avail but didn't use them.

Thus let's not drag FEMA in when FEMA isn't to be blamed. EMA is first response... FEMA is called in later. But both usually respond AFTER the damage has been caused.

The city and state are responsible for planning evacuations of that scale and if they are unable to handle it... they can request for FEMA support, but that request must be received prior to FEMA being able to step on the states toes. That's how state regulations were created and how they still work.

So as for why FEMA didn't respond earlier... who made the call to request assistance. Nagin didn't, Blanco didn't...

As for CyberSecurity heading for a FEMA like catastrophe... Now that the first part of this article has been de-bunked... what similar catastrophe is that?

There are numerous threats which continue to cause worries about our internet. But here too... it's not the CyberSecurity team which DHS heads that will thwart the problem as much as it is each individual ISP's acceptance and implementation of the effective methods to thwart off such attacks.

But with so many concious objectors and lack of support from ISP's... they're gonna be the future Nagin and Blanco runner-ups if they don't get their cyber-threat-ears out there and start taking more responsibility where the first line of responsibility should be taken.

SPAM is one very good example. SPAM continues to be sent out with spoofed addresses even though that was declared illegal over 1.5 years ago. ISP's are the first line of defense. But many today still don't do anything to stop it. Blocking outgoing port 25 would go a long way to reduce a good amount of SPAM, but they do nothing about it.

Just like Nagin and Blanco... so don't go trying to pin the tail on the elephant in the white house when it belongs on the local donkey!

Walt
Posted by wbenton (522 comments )
Reply Link Flag
Are you serious?
1) While it's obvious that both state and local governments were ill-prepared, FEMA has made woeful blunders. Even if you get your news from Fox News Channel, it should still be obvious.

2) What type of attacks? Well, how about taking down DNS servers? That'd take down the whole Internet. Not to mention attacks on supposedly closed-off infrastructure networks (something like the most recent season of "24").
Posted by Rusdude (170 comments )
Link Flag
$100 million For Ice, No Bid Contracts
Sure 'Noggin and Blink-o were unprepared to handle Katrina, but FEMA was a mess too. FEMA spent $100 on ice alone for Katrina, most of which never got to its destination. Truckers were hired to drive it all over the country, any place BUT New Orleans and Mississippi. After playing who's on first with the ice, because FEMA lacked a useable computerized inventory tracking system, it was finally put into cold storage at various warehouses across the country.

There's also the issue of numerous FEMA no-bid contracts. Yes, that again! So don't try to put all the blame on the local party hacks, FEMA created its own disaster. The point of this story is that DHS Cybersecurity is another FEMA waiting to happen. Will we all be surprised when it happens, when Congress calls for yet another blue- ribbon committee after the fact? When the Schummer-Feinstein-Boxer-Sharpton-Jackson hacks swoop down and again try to make it a purely Republican issue? Well at least CNET readers won't be surprised.
Posted by Stating (869 comments )
Link Flag
This is a joke
Losing access to google, email, and the ATM for several hours is not the same as losing your home to wind and flooding. Cybersecurity have been warning about a digital pearl harbor for years, mostly as a tactic for the government to throw more R&D dollars their way.
Posted by (45 comments )
Reply Link Flag
Ignorant
There's an unlimited number of scenarios that would have devastating effect. Losing Internet communications might not be a big deal to you, but it would be for businesses like finance industry. Today's markets are dependent on principle of continuity (in a sense that after market closes today, it'll be open tomorrow). Losing connectivity even for a day wouldn't cause $200 billion in damages (although it'd still be billions in lost revenue/profits) but it'd be much more of a shock in terms of market confidence.
Posted by Rusdude (170 comments )
Link Flag
This is a joke
Losing access to google, email, and the ATM for several hours is not the same as losing your home to wind and flooding. Cybersecurity have been warning about a digital pearl harbor for years, mostly as a tactic for the government to throw more R&D dollars their way.
Posted by (45 comments )
Reply Link Flag
Ignorant
There's an unlimited number of scenarios that would have devastating effect. Losing Internet communications might not be a big deal to you, but it would be for businesses like finance industry. Today's markets are dependent on principle of continuity (in a sense that after market closes today, it'll be open tomorrow). Losing connectivity even for a day wouldn't cause $200 billion in damages (although it'd still be billions in lost revenue/profits) but it'd be much more of a shock in terms of market confidence.
Posted by Rusdude (170 comments )
Link Flag
I agree, who cares right now?
more diversion from rove/delay
Posted by menace2 (5 comments )
Reply Link Flag
I agree, who cares right now?
more diversion from rove/delay
Posted by menace2 (5 comments )
Reply Link Flag
gosh, this is really swell ...
:)
Posted by Lolo Gecko (131 comments )
Reply Link Flag
gosh, this is really swell ...
:)
Posted by Lolo Gecko (131 comments )
Reply Link Flag
Maybe if Cnet could make its made-up news funny...
...I wouldn't feel like it was three minutes of my life I'll never get back.
Posted by M C (598 comments )
Reply Link Flag
Maybe if Cnet could make its made-up news funny...
...I wouldn't feel like it was three minutes of my life I'll never get back.
Posted by M C (598 comments )
Reply Link Flag
... and were it not for the ozone layer ...
the sky would also be falling :)
Posted by Lolo Gecko (131 comments )
Reply Link Flag
... and were it not for the ozone layer ...
the sky would also be falling :)
Posted by Lolo Gecko (131 comments )
Reply Link Flag
Dreaming the Impossible DHS Dream
Tom Ridge, James Loy, Asa Hutchinson, Frank Libutti, Robert Liscouski, C. Suzanne Mencer, Patrick Hughes, Stewart Verdery, Sue Mencer&and more, leaving like so many rats scurrying from a sinking Department of Homeland Security ship. Will the last one leaving please turn-off the DHS computer?

Getting a mega-bureaucracy like DHS and its Cybersecurity organization to meet their national cybersecurity responsibilities by throwing more and new bureaucrats at the multiple holes left in the Org. Chart, works counter to circumventing a future FEMA-like Cyber-Calamity.

The departure in January 2005 of Liscouski, a non-techie career Intel cop, was no great loss. He was bureaucratic Nero who both fiddled and oversaw the musical chairs in the Office of the Cybersecurity Czar as knowledgeable Cybersecurity Czar techies like Clarke, Schmidt, Yoran came, got frustrated and left.

Top bureaucrat Liscouski pretended he was facilitating and aiding these Cybersecurity Czars in performing and conducting important cybersecurity and physical-infrastructure protection technical work while he apparently was only overseeing, implementing and pursuing a policy of benign Cyber-neglect. Then, in January 2005, when faced with having to work for the new, incoming DHS Chief, lawyer Michael Chertoff, he cut and ran out with the exiting crowd.

These sweeping leadership and staff changes in DHSs structure in 2005 only served to further delay creation and delivery of an implementable National Plan for Critical Cybersecurity Infrastructure and the smart Cybersecurity solutions to go with it.

Jim Lewis of CSIS said, "It's been a mess for over four years, and hopefully the new folks will fix this." Sad to say that Jim Lewis is dreaming the impossible dream if he thinks throwing a new crop of bureaucrats at the National Cybersecurity problem will fix it. JP B-)
Posted by Catgic (106 comments )
Reply Link Flag
Dreaming the Impossible DHS Dream
Tom Ridge, James Loy, Asa Hutchinson, Frank Libutti, Robert Liscouski, C. Suzanne Mencer, Patrick Hughes, Stewart Verdery, Sue Mencer&and more, leaving like so many rats scurrying from a sinking Department of Homeland Security ship. Will the last one leaving please turn-off the DHS computer?

Getting a mega-bureaucracy like DHS and its Cybersecurity organization to meet their national cybersecurity responsibilities by throwing more and new bureaucrats at the multiple holes left in the Org. Chart, works counter to circumventing a future FEMA-like Cyber-Calamity.

The departure in January 2005 of Liscouski, a non-techie career Intel cop, was no great loss. He was bureaucratic Nero who both fiddled and oversaw the musical chairs in the Office of the Cybersecurity Czar as knowledgeable Cybersecurity Czar techies like Clarke, Schmidt, Yoran came, got frustrated and left.

Top bureaucrat Liscouski pretended he was facilitating and aiding these Cybersecurity Czars in performing and conducting important cybersecurity and physical-infrastructure protection technical work while he apparently was only overseeing, implementing and pursuing a policy of benign Cyber-neglect. Then, in January 2005, when faced with having to work for the new, incoming DHS Chief, lawyer Michael Chertoff, he cut and ran out with the exiting crowd.

These sweeping leadership and staff changes in DHSs structure in 2005 only served to further delay creation and delivery of an implementable National Plan for Critical Cybersecurity Infrastructure and the smart Cybersecurity solutions to go with it.

Jim Lewis of CSIS said, "It's been a mess for over four years, and hopefully the new folks will fix this." Sad to say that Jim Lewis is dreaming the impossible dream if he thinks throwing a new crop of bureaucrats at the National Cybersecurity problem will fix it. JP B-)
Posted by Catgic (106 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.