He was the Department of Homeland Security’s first director of the National Cyber Security Division of the Information Analysis and Infrastructure Protection office, but his tenure was brief. After a year on the job, Amit Yoran left DHS in September 2004, one of a string of recent, high-level losses for the agency. His departure caused much speculation about the importance placed on cybersecurity within the department. Since leaving, Yoran has been advising emerging technology companies in the security space and is helping large companies with their security strategies. CSO recently spoke with Yoran about his tenure with DHS.

CSO: First, the $64,000 question: Why did you leave DHS?

Amit Yoran: The startup work was complete, so to speak. I helped craft a series of programs and initiatives, and recruited talented engineering expertise, so I decided it was time to move on.

While at DHS, what were your main accomplishments?

We took a number of significant steps to build bridges to the private sector. We took action in all the critical infrastructure components and markets (banking, finance, energy, chemical), all those infrastructures the government deemed critical to our national security. That’s the most important accomplishment, though that work is still ongoing.

What are some examples of those bridges to the private sector?

We put together a US-CERT effort; we [helped establish] the interaction points of information-sharing, such as the information sharing and analysis centers. We were working with some 36 associations and trade groups, with constituents representing literally all the critical infrastructure [industries] of the nation.

But a true partnership seems elusive. For example, there is still a disconnect between the government and private sector, particularly in terms of regulation.

There’s no single private and public sector that can do a mind meld. There are many factors at play.
Some industries—financial services, for instance—feel highly regulated, even when it comes to cybersecurity issues. Other industries feel less regulated. I think there’s much to be gained through adoption of best practices and showing conformance to prudent business, security and risk management practices. That seems to be a longer-term formula for success in an evolving industry like technology, and it has the benefit of not stifling innovation. That means not being specific and prescriptive in regulatory requirements around cybersecurity implementation.

What are your thoughts on the security of process control networks? [Editor’s note: These control manufacturing tasks, such as opening valves or measuring tank levels.]

I think process control networks are an area where the public and private sector may be underinvesting. They are arguably one of the most critical areas of technology security. There’s an alarming rate of interconnectivity between process control systems and digital control systems and the Internet. The state of vulnerability within those control systems is very high. Those networks have traditionally relied on the fact that they’re physically separate systems; they were disconnected from the Internet and public switch networks. We’ve found an alarming rate of interconnectivity, and there aren’t stringent security practices around that.

What were your biggest frustrations during your tenure at DHS?

Perhaps a lack of effectiveness in much of the government’s security practices, a lack of practicality. There’s a phenomenal amount of paperwork around certification and accreditation. There’s a significantly sized industry around Washington, D.C., running paperwork exercises on cybersecurity, as opposed to investing in improved operations and implementing security technologies.

Take, for example, NIAP [National Information Assurance Partnership].
The Department of Defense says it won’t procure any products that haven’t been through this certification process. It takes several quarters, if not years, and costs millions of dollars. And what comes out at the end is an approved product for that specific platform, for that version of technology. So you can’t apply patches and fixes because it violates your certification. It’s a paradigm, an academic exercise. The practical implementation of it—the practical improvement on cybersecurity—is zero. In fact, most people don’t even understand what the NIAP certification gets you; it doesn’t say your product is secure or doesn’t have flaws.