In Brief

Amit Yoran on Why He Left DHS

The former US cybersecurity leader on his departure

By Todd Datz

April 01, 2005 CSO — He was the Department of Homeland Security's first director of the National Cyber Security Division of the Information Analysis and Infrastructure Protection office, but his tenure was brief. After a year on the job, Amit Yoran left DHS in September 2004, one of a string of recent, high-level losses for the agency. His departure caused much speculation about the importance placed on cybersecurity within the department. Since leaving, Yoran has been advising emerging technology companies in the security space and is helping large companies with their security strategies. CSO recently spoke with Yoran about his tenure with DHS.

CSO: First, the $64,000 question: Why did you leave DHS?
Amit Yoran: The startup work was complete, so to speak. I helped craft a series of programs and initiatives, and recruited talented engineering expertise, so I decided it was time to move on.

While at DHS, what were your main accomplishments?
We took a number of significant steps to build bridges to the private sector. We took action in all the critical infrastructure components and markets (banking, finance, energy, chemical), all those infrastructures the government deemed critical to our national security. That's the most important accomplishment, though that work is still ongoing.

What are some examples of those bridges to the private sector?
We put together a US-CERT effort; we [helped establish] the interaction points of information-sharing, such as the information sharing and analysis centers. We were working with some 36 associations and trade groups, with constituents representing literally all the critical infrastructure [industries] of the nation.

But a true partnership seems elusive. For example, there is still a disconnect between the government and private sector, particularly in terms of regulation.
There's no single private and public sector that can do a mind meld. There are many factors at play. Some industries—financial services, for instance—feel highly regulated, even when it comes to cybersecurity issues. Other industries feel less regulated. I think there's much to be gained through adoption of best practices and showing conformance to prudent business, security and risk management practices. That seems to be a longer-term formula for success in an evolving industry like technology, and it has the benefit of not stifling innovation. That means not being specific and prescriptive in regulatory requirements around cybersecurity implementation.

What are your thoughts on the security of process control networks? [Editor's note: These control manufacturing tasks, such as opening valves or measuring tank levels.]
I think process control networks are an area where the public and private sector may be underinvesting. They are arguably one of the most critical areas of technology security. There's an alarming rate of interconnectivity between process control systems and digital control systems and the Internet. The state of vulnerability within those control systems is very high. Those networks have traditionally relied on the fact that they're physically separate systems; they were disconnected from the Internet and public switch networks. We've found an alarming rate of interconnectivity, and there aren't stringent security practices around that.
