In Depth

DHS Cybersecurity: The Interactive Nightmare

The lead defender in protecting the critical infrastructure is the Department of Homeland Security, a collection of 23 agencies that began operations in January 2003

By Todd Datz

Page 5

Jeffrey Hunker, former senior director for critical infrastructure in the White House and now a professor of technology and public policy at Carnegie Mellon, agrees. "Now you're putting it essentially below a secretary, several layers down in a big department," he says. "My experience has been that what it really means is a lack of access, or that it limits access to the Cabinet and the presidential level."

Yoran disagrees about the access issue. "I'm there [at the White House] at least once a week, more frequently twice a week. I can assure you cybersecurity has visibility at the most senior levels of the White House and has their attention. Folks who've spent time in Washington know it's very clear the White House doesn't have an operational role. Actual operations take place in the agencies. Placing cybersecurity in DHS very clearly demonstrates we're in the implementation phase of the national strategy," he says. Lewis concurs. "Cybersecurity only makes sense if it's integrated into the larger critical infrastructure strategy. They did the right thing by putting it in Liscouski's group," he says.

Is the National Strategy Sensible or Toothless?

The National Cyber Security Division has a smorgasbord of responsibilities as it continues ramping up. It's tasked with responding to major incidents, conducting cyberspace analysis, improving information-sharing, issuing alerts and warnings, and aiding in national recovery efforts. The division is also charged with implementing the Homeland Security Act of 2002 and the National Strategy to Secure Cyberspace. In announcing creation of the division last June, Ridge said that its work would focus on "the vitally important task of protecting the nation's cyberassets so that we may best protect the nation's critical infrastructure."

The strategy document, like many of the things associated with DHS, has its share of passionate supporters and critics. It lays out five critical priorities:

  • Developing a national cyberspace security response system
  • Developing a national cyberspace security threat and vulnerability reduction program
  • Developing a national cyberspace security awareness and training program
  • Securing the cyberspace of all levels of government
  • Assuring national security and international cyberspace security cooperation

In fall 2002, Clarke was set to release the document at a Stanford University ceremony. But before the release, the strategy was put on the back burner. Lobbyists for businesses likely to be affected by the report (including those in the software, security and telecom industries) had successfully squelched certain provisions in earlier drafts. One, for example, called for ISPs to provide users with personal firewalls; another mandated improved wireless security. When the strategy was finally released in February 2003, some complained it had been left with little bark and even less bite. Its main cornerstone was that cybersecurity should, for the most part, be left to the private sector. While business generally applauded the strategy, many security experts derided the reliance on voluntary action as a capitulation to powerful lobbying interests.
