Consider the following scenario. Members of a terrorist organization announce one morning that they will shut down the Pacific Northwest electric power grid for six hours starting at 4 p.m.; they then do so. The same group then announces that it will disable the primary telecommunications trunk circuits between the U.S. East and West Coasts for a half day; they then do so, despite our best efforts to defend against them. Then, they threaten to bring down the air traffic control system supporting New York City, grounding all traffic and diverting inbound traffic; they then do so. Finally, they threaten to cripple e-commerce and credit card services for a week by using several hundred thousand stolen identities in millions of fraudulent transactions. Their list of actions is then posted in The New York Times, threatening further action if their demands are not met. Imagine the ensuing public panic and chaos.
Alarmist, perhaps? Far from it. The scenario is actually quoted from a letter sent by a group of concerned scientists to President Bush in February 2002. Signatories included O. Sami Saydjari, founder of the Cyber Defense Research Center; Matt Donlon, former director of the security and intelligence office at the Defense Advanced Research Projects Agency; and Robert T. Marsh, a retired Air Force general and former chairman of the President's Commission on Critical Infrastructure Protection. The scientists don't mince words about the cyberthreats facing the nation: "The critical infrastructure of the United States, including electric power, finance, telecommunications, health care, transportation, water, defense and the Internet, is highly vulnerable to cyberattack. Fast and resolute mitigating action is needed to avoid national disaster."
While the group's scenario was meant to grab attention, it also was grounded in reality. Each of the events depicted has happened (though not concurrently); some resulted from government-sponsored exercises, some from technical failures and some from actual cyberattacks. All could plausibly be triggered by a few knowledgeable people using some PCs and Internet access.
The cyberthreat to the nation's security and economy may not be as well understood by the general public as a dirty bomb or a vial of ricin in the wrong hands. But to experts in cybersecurity—those who know the vulnerabilities of the Internet and do daily combat with hackers, criminals and foreign governments trying to probe our critical infrastructure and military networks—the threat is vividly real. Indeed, the 54 scientists who signed the letter believe that a professionally coordinated cyberattack on the critical infrastructure could not only ravage the nation's economy (to the tune of hundreds of billions of dollars in damage) but also undermine public confidence in the government's ability to protect its citizens. In fact, although a cyberattack alone may lack the awful human destruction that can accompany a physical attack, because the systems controlling the critical infrastructure are often densely interconnected, such an attack could have more destructive and widespread consequences.
The lead defender in protecting the critical infrastructure is the Department of Homeland Security, a collection of 23 agencies that began operations in January 2003. Spearheading the effort is the National Cyber Security Division, led by Director Amit Yoran. Like the rest of DHS, Yoran and his staff face a steep uphill climb in accomplishing the department's mission. Eighty-five percent to 90 percent of the critical infrastructure rests in private hands. Yet in the absence of regulation, which the private sector often views as a poison pill, DHS has no whip; rather, it must play the role of prodder and pleader, reaching out to a leery private sector that knows it needs to harden security but wonders where the money is coming from to pay for it. As a result, many of those private-sector companies may not feel compelled to move as quickly as DHS might like. Compounding the fledgling division's challenges is its organizational immaturity: At the same time it's trying to boost cybersecurity, it's also dealing with the headaches of hiring staff, integrating IT systems, and figuring out how to analyze the boatloads of data coursing through its pipelines and how to share that information. All that will take months—some say years—to sort out.
This story looks at the challenges facing DHS and its cybersecurity team, and how they're working with the private sector to address them. While regulations remain a political third rail within the business community, DHS and some in Congress are sending signals to CEOs that serious progress had better happen fast or else regulation may turn from threat to reality.

Cybersecurity Makes a Name for Itself

Given the relatively brief history of ubiquitous computing, cybersecurity wasn't addressed at the presidential level until Ronald Reagan signed the Computer Security Act of 1987, a measure aimed at protecting the security and privacy of sensitive information in the federal government's computer systems. Recognizing the growing dependence of the critical infrastructure on information technology, President Clinton formed the President's Commission on Critical Infrastructure Protection in 1996. Led by Robert Marsh (a signatory of the aforementioned letter), the commission, consisting of both public- and private-sector members, set out to develop a national policy and implementation strategy to protect the critical infrastructure from physical and cyberattacks. In 1997, the commission, which focused primarily on the cyberthreat, issued a report that recommended improving structures and processes to promote information-sharing between government and industry, educating citizens on cybersecurity issues, revising certain statutes to address infrastructure assurance concerns and greatly improving funding for R&D into infrastructure protection.
The White House took the report and the growing infrastructure threat to heart. In May 1998, President Clinton issued Presidential Decision Directive 63 (PDD 63), which set forth a framework to address the Marsh Commission's findings. It created the National Infrastructure Protection Center (NIPC) at the FBI; the Critical Infrastructure Assurance Office (CIAO) at the Department of Commerce; and the National Infrastructure Assurance Council (NIAC), consisting of representatives from both the public and private sectors. It also called for the establishment of Information Sharing and Analysis Centers (ISACs). As with the Marsh report, PDD 63 emphasized that infrastructure protection need not be dictated by government but by market forces. Also that month, the president appointed Richard Clarke as the first national coordinator for security, infrastructure protection and counterterrorism.
In January 2000, the White House issued its National Plan for Information Systems Protection, the first stab at creating a comprehensive cyberdefense strategy. The following year, a month after Sept. 11, President Bush established the President's Critical Infrastructure Protection Board to coordinate protection of critical infrastructure information systems and to recommend policies. Clarke, who was appointed special adviser for cyberspace security that same month, chaired the board. But as much as the Clinton and Bush administrations understood the need for better policy coordination, the federal government was, in fact, a hodgepodge of cybersecurity activities. A July 2002 report by the General Accounting Office identified at least 50 organizations involved in national or multinational critical infrastructure cyberprotection efforts.
As the fallout from 9/11 continued, some members of Congress began calling for a Department of Homeland Security to centralize the nation's counterterrorist efforts and protect the homeland. The Homeland Security Act of 2002, which created the department, established the Information Analysis and Infrastructure Protection Directorate (IAIP) within DHS as the place where cybersecurity efforts would now be coordinated.

DHS as Chief Cybercop

As DHS tried to hit the ground running, it needed to spend a good chunk of time just lacing up its shoes. Some observers expressed serious concerns last year when the department absorbed a number of existing organizations that had been making steady progress on cybersecurity in the critical infrastructure. In March 2003, NIPC (except for the Computer Investigations and Operations Section), CIAO and the Federal Computer Incident Response Center were transferred to DHS. Getting those groups under the same umbrella made sense. But Michael Vatis, the founder and former director of NIPC, testified before Congress last April that even though more than 300 positions were transferred from NIPC to DHS, most of the incumbent staffers found other positions in the FBI; only 10 to 20 actually made the move. Further complicating recruitment, DHS had not yet created its National Cyber Security Division.
Whether recruiting has improved is open for debate. James Lewis, senior fellow and director of technology policy at the Center for Strategic & International Studies, says getting talented people to join DHS is still a tough sell. "The problem they have is that DHS is relatively weak, as agencies go. It routinely gets beaten out by the FBI or CIA.... It's the new kid on the block," he says.
On the other hand, Alan Paller, director of research at the SANS Institute, believes Yoran has nabbed a bunch of good hires. "They're building a high-quality technical team—that's what Amit is doing. He knows how to hire really solid technical people and motivate them," Paller says, adding that employees like working with Yoran because, rather than being an inexperienced appointee, he comes from a cybersecurity background. (Yoran, a former military officer, worked at Symantec before joining DHS.)
As the agency struggled to begin operations, it also had to absorb the loss of Clarke, one of the country's foremost cyberterrorism experts. Clarke resigned just before the president removed the position of cybersecurity czar from the White House. Although many observers speculated that Clarke resigned in frustration at the loss of his White House post, he vehemently denies that. "I was not about to be absorbed—anybody that says that doesn't know what they're talking about." Clarke, now chairman of Good Harbor Consulting, says he left "because I'd completed 30 years of government service, because I'd just finished the project I had undertaken for the president, which was developing the National Strategy to Secure Cyberspace."
Howard Schmidt, the former CSO of Microsoft and vice chair of the infrastructure board at the time, succeeded Clarke as a White House adviser on cybersecurity. But within a few months, Schmidt resigned as well, becoming CISO of eBay.
After a long search, DHS Secretary Tom Ridge appointed Yoran to head the new National Cyber Security Division. Yoran, who reports to Assistant Secretary for Infrastructure Protection Bob Liscouski, took office in October.
Even though Yoran has been crowned the new cybersecurity czar, critics worry his kingdom has lost some power. The departures of Clarke and Schmidt and the removal of the cybersecurity position from the White House prompted questions about the administration's commitment to the issue. Clarke himself believes cybersecurity has fallen somewhat off the administration's radar. "Basically, what we've done is taken the former position we had until a year ago—where the senior person worrying about cybersecurity was a special adviser—and now that person is an office director," Clarke says. "That sent a message that was very widely interpreted by industry of the administration downgrading the importance of the issue."
Jeffrey Hunker, former senior director for critical infrastructure in the White House and now a professor of technology and public policy at Carnegie Mellon, agrees. "Now you're putting it essentially below a secretary, several layers down in a big department," he says. "My experience has been that what it really means is a lack of access, or that it limits access to the Cabinet and the presidential level."