In the two years since the inception of the Department of Homeland Security, twice as many men have held the lead cybersecurity position, though their titles have changed. First, there was Richard Clarke, who resigned in 2003 and went on to write a scathing review of the Bush administration’s handling of 9/11. Next was Howard Schmidt, who said he “finished his job” by completing the National Strategy to Secure Cyberspace. Then came Amit Yoran, who resigned after only a year, giving one day’s notice. Most recently, Donald A. “Andy” Purdy, Yoran’s former deputy, was named acting director.

With such a rapid succession of people leading DHS’s outward-facing cybersecurity initiatives, is it any wonder that DHS’s internal cybersecurity initiatives are struggling as well? A recent report issued by the DHS inspector general suggests just that.

Released in October, the “Evaluation of DHS’s Information Security Program for Fiscal Year 2004” recommends that “DHS continue to consider its information systems security program a significant deficiency.” While the report notes that DHS made significant progress during 2004 in developing and implementing its information security program, CIO Steven Cooper and CISO Robert West still have a long way to go.

For example, Cooper is not on the department’s senior management team. There is no formal relationship between Cooper and component CIOs, nor between West and component information systems security managers. DHS lacks an accurate and complete system inventory, which presumably would allow the organization to better monitor the support systems needed in a time of crisis. Also, many fundamental information security policies and procedures are in draft form, meaning they have never been officially approved by (or even communicated to, in some instances) the appropriate parties.

In his written response to the report, Cooper indicated that he “generally concurred” with the findings.
He noted that DHS is working toward a comprehensive inventory of the Department’s general support systems and major applications. There are also plans in place to improve communication between West, whom he has charged with the information security plan, and DHS’s components. Cooper also included a digital dashboard that DHS has implemented for tracking its progress in areas such as security training, NIST compliance and critical infrastructure protection performance. Although many of those areas are currently set at the “marginal” (or lowest) setting, DHS has a baseline for improvements.

Cooper and his staff declined to elaborate, but Schmidt points out their colossal challenges. “A lot of government organizations haven’t reached the level of security we’d like to see,” says Schmidt, now CISO of eBay. “DHS is at even more of a disadvantage than most, because while these other organizations are trying to get their one agency up to par, DHS is working with 22 of them.”