In Depth
DHS Cybersecurity: The Interactive Nightmare
By Todd Datz
The lead defender in protecting the critical infrastructure is the Department of Homeland Security, a collection of 23 agencies that began operations in January 2003. Spearheading the effort is the National Cyber Security Division, led by Director Amit Yoran. Like the rest of DHS, Yoran and his staff face a steep uphill climb in accomplishing the department's mission. Eighty-five percent to 90 percent of the critical infrastructure rests in private hands. Yet in the absence of regulation, which the private sector often views as a poison pill, DHS has no whip; rather, it must play the role of prodder and pleader, reaching out to a leery private sector that knows it needs to harden security but wonders where the money is coming from to pay for it. As a result, many of those private-sector companies may not feel compelled to move as quickly as DHS might like. Compounding the fledgling division's challenges is its organizational immaturity: At the same time it's trying to boost cybersecurity, it's also dealing with the headaches of hiring staff, integrating IT systems, figuring out how to analyze the boatloads of data coursing through its pipelines and how to share that information. All that will take months, some say years, to sort out.
This story looks at the challenges facing DHS and its cybersecurity team, and how they're working with the private sector to address them. While regulations remain a political third-rail within the business community, DHS and some in Congress are sending signals to CEOs that serious progress had better happen fast or else regulation may turn from threat to reality.
Cybersecurity Makes a Name for Itself
Given the relatively brief history of ubiquitous computing, cybersecurity wasn't addressed at the presidential level until Ronald Reagan signed the Computer Security Act of 1987, a measure aimed at protecting the security and privacy of sensitive information in the federal government's computer systems. Recognizing the growing dependence of the critical infrastructure on information technology, President Clinton formed the President's Commission on Critical Infrastructure Protection in 1996. Led by Robert Marsh (a signatory of the aforementioned letter), the commission, consisting of both public- and private-sector members, set out to develop a national policy and implementation strategy to protect the critical infrastructure from physical and cyberattacks. In 1997, the commission, which focused primarily on the cyberthreat, issued a report that recommended improving structures and processes to promote information-sharing between government and industry, educating citizens on cybersecurity issues, revising certain statutes to address infrastructure assurance concerns and greatly improving funding for R&D into infrastructure protection.



