Last week, a new report in the Washington Post questioned the security of the nation's automatic control systems (free registration required), which control water, gas, and electrical systems. Meanwhile, the South Korean Ministry of Defense announced that North Korea has trained up to 600 computer hackers to launch cyberattacks against the United States and South Korea. But over at the Department of Homeland Security's cybersecurity division, the lights are on, but nobody's home.
Last week, citing ongoing frustration, the director of the Department of Homeland Security's cybersecurity division, Amit Yoran, abruptly resigned with a one-day notice. His deputy, Donald A. Purdy, will replace Yoran; however, many in the cybersecurity community feel that simply replacing Yoran isn't the answer. I think the position itself needs to be rethought.
White House has flip-flopped on cybersecurity
Problems regarding our nation's cybersecurity policy began shortly after 9/11, even before the creation of the Department of Homeland Security in 2002. In the summer of 2002, Richard Clarke, then White House cybersecurity czar, began shopping around his National Strategy to Protect Cyberspace. This strategy would have provided goals toward securing computers nationwide. However, by the time President Bush signed the document in January 2003, many of the original principles had been watered down to mere recommendations, with much of the strategy left "to be determined" by the security industry itself. Clarke resigned and was replaced by former Microsoft security chief Howard Schmidt.
The White House then transferred cybersecurity to the newly created Department of Homeland Security (DHS). It did not, however, give the topic a very prominent position, burying it under three layers of bureaucracy. In its first real test, the Department of Homeland Security failed to warn of the Slammer worm. Schmidt resigned, and for much of 2003, there was no head of United States cybersecurity. In fact, the White House even discontinued the White House cybersecurity board, despite stating publicly that the White House was committed to cybersecurity policy. Throughout the summer of 2003, the White House was defensive against charges by the computer security community that it wasn't taking the issues very seriously. Then, in the fall of 2003, Amit Yoran, former president of Riptide, a company bought by Symantec, stepped into the position of director for the DHS cybersecurity division.
In January 2004, only a few months after Yoran took over, a congressional report criticized the nation's cybersecurity preparedness, such as the lack of a centralized computer threat communications center (now scheduled for sometime in 2005). Again, during the summer, more concerns were raised, for example, over the failure of the government to identify the nearly 33,000 critical computer assets that need to be protected first. But as of this writing, none of these cybersecurity concerns have been addressed.
Old and new cyberthreats abound
While the nation fumbled in its preparedness against cyberattacks, criminal hackers and possibly terrorists have been busy. In a new report by the Critical Infrastructure Security Research at the British Columbia Institute of Technology (free registration required), Eric Byres, who presented the report at the Systems and Automation Society's annual conference, said that outside attacks are rising. From 1982 to 2000, problems associated with the automated control systems that handle how dams function, how electrical systems operate, and how gas flows through various pipelines were caused mostly by accidents or inappropriate employee behavior. However, in the last three years, 90 percent of the problems have been the result of criminal hackers or computer viruses. To give you an idea of how serious these claims are, a September 2004 Forbes article examines how members of Al Qaeda could attack the nation's automatic control systems.
In the meantime, the South Korean Ministry of Defense reported that North Korea has trained up to 600 computer hackers for nefarious purposes. According to the report, computer experts in North Korea are trained in a five-year university course, with the best of these selected to launch cyberattacks. The report concludes that North Korea's intelligence warfare is equivalent to that of advanced countries such as Japan, South Korea, and the United States.
9/11 report prompts Congress to revisit cybersecurity
As part of the intelligence overhaul suggested by the 9/11 Commission, the House of Representatives has once again considered elevating the status of cybersecurity, returning it to the White House. Two bills have been proposed. One, House bill H.R. 10, elevates the cybersecurity head from director to assistant secretary, giving the cybersecurity head authority over the National Communications System, which oversees communications during national emergencies, as well. Another bill would give the White House Office of Management and Budget oversight over cybersecurity. Now, however, neither bill seems likely to pass, mostly due to political pressure to pass the 9/11 reforms before the November elections.
Good news: the return of Howard Schmidt
In an announcement expected on Monday, October 11, 2004, one of the former heads of U.S. cybersecurity will signal that he's returning to the government--kind of. Howard Schmidt, who is now chief security officer for eBay, is expected to be named chairman of the U.S. Computer Emergency Response Team (US-CERT), a joint partnership between the DHS and Carnegie Mellon University. Schmidt is expected to remain with eBay and be paid through Carnegie Mellon as a government contractor.
The last time I wrote about the fumblings of the U.S. government with regard to cybersecurity, I got volumes of e-mail questioning my politics. This isn't politics, this is safety. Independent of who's running the White House, we should have someone strong guiding our national cyberstrategy, and preferably someone who knows what they're doing. I'm concerned that we've lost significant ground against criminal hackers in the last few years. If constant vigilance is the price of freedom, then we need to come back from vacation and start working again.
Is the United States taking cybersecurity seriously enough? Talk back to me.