Earlier this month, Sen. Joseph Lieberman, D-Conn., the ranking Democrat on the Senate Government Affairs Committee, said in a letter to Homeland Security Secretary Tom Ridge that efforts by the Bush administration to secure key IT systems that support the nation's critical infrastructure have been "vague and weak." In an exclusive E-mail interview, the director of the Homeland Security Department's National Cyber Security Division, Amit Yoran, rejects charges that progress has been slow and addresses the division's recent accomplishments.
InformationWeek: Is the fact that the post you currently hold was vacant for about six months last year one of the reasons for the delay in establishing cybersecurity baselines and contingency plans for specific critical infrastructure industries?
Yoran: The administration has pursued an aggressive cybersecurity agenda based on integrating cybersecurity into our national infrastructure protection program. In February 2003, the National Strategy to Secure Cyberspace was released by the president. In March, the Department of Homeland Security was established. Then, in June, the National Cyber Security Division [NCSD] was created with the specific purpose of leading the national efforts to secure the nation's critical cyberinfrastructure. Throughout this period, Robert Liscouski, the assistant secretary of homeland security for infrastructure protection, was fully engaged in these issues and developments. Security baselines and contingency planning across the government and the private sector is occurring and is a living process.
In the federal government, [Federal Information Security Management Act] requirements establish a baseline for information security, mandated by [the Office of Management and Budget]. In the private sector, security baselines, while not mandated by law, should be part of the business-continuity planning processes and disaster-recovery architectures that support these processes. NCSD supports both the federal government and the private sector by engaging in development and dissemination of best practices for information security baselines and general security practices.
InformationWeek: Does Homeland Security plan to respond to the March 19 letter sent by Sen. Lieberman?
Yoran: The department has received a number of congressional inquiries, and we plan to respond to all of them.
InformationWeek: What unexpected challenges arose that Homeland Security did not anticipate when attempting to move the national cyberstrategy forward?
Yoran: Implementation of a national cybersecurity strategy is a significant task whose scope and complexity cannot be underestimated. While there are challenges in the area of cybersecurity, we have great confidence, leadership, and enthusiasm in taking on this important and honorable endeavor.
In addition to the achievements listed above, in a little more than a year since the Department of Homeland Security was founded we created the United States Computer Emergency Response Team to coordinate broad participation from existing government and nongovernmental cybersecurity organizations. Today, US-CERT is actively analyzing and reducing cyberthreats and vulnerabilities, disseminating cyberthreat warning information, and coordinating incident-response activities.
We also established the National Cyber Alert System as America's first coordinated national cybersecurity system for identifying, analyzing, and prioritizing emerging vulnerabilities and threats. Today, the system provides cybersecurity information directly or indirectly to an estimated 1 million technical and nontechnical Americans.
We also formed three new operational groups that are contributing to the national cybersecurity effort. These include the Chief Information Security Officers Forum, which is an organization of senior government offices responsible for cybersecurity in their federal agencies; the Government Forum of Incident Response Teams, whose members are systems operators from Homeland Security and other civilian and federal agencies devoted to working out interoperability challenges; and the Cyber Interagency Incident Management Group, which empowers individuals from law enforcement, defense, and intelligence to apply whatever federal resources are necessary to respond most effectively to intragovernment cybercrises.
We also co-hosted, along with industry, the National Cyber Security Summit, in which the federal government and leading technology product and service companies came together to begin determining their security warning information needs and began developing a framework for corporate security governance. Five task forces focused on awareness, early-warning needs, best practices for governance, technical standards, and software development issues were established at the summit and are currently in the midst of releasing their initial recommendations.
We also participated in Livewire, the first nationwide simulation of a cyberattack on both public and private organizations, run by the Institute for Security Technology Studies, a federally funded organization located at Dartmouth College. And we fostered security awareness internationally through organizations such as the G-7, the Asia-Pacific Economic cooperation, the Organization of American States, and others.
InformationWeek: Sen. Lieberman inquired about deadlines, including those to secure digital control systems, and the development of various security metrics. What efforts are under way to establish and meet these deadlines?
Yoran: The threats that we face are dynamic. As such, the task of securing digital control systems and cybersystems is an ongoing process, not an end state. The Department of Homeland Security is hard at work on efforts to secure digital control systems. At the same time, we're developing relevant, credible metrics to measure the effectiveness of our efforts and to drive continuous improvement.
InformationWeek: The Cyber Division held "red team" exercises last year to test how well various organizations can respond and communicate during an attack. Have there been other exercises that the public is not aware of that are being used to establish more specific IT security goals?
Yoran: Yes. As mentioned above, Homeland Security participated in Livewire to test industry and government cybersecurity capabilities and evaluate the effectiveness of our response mechanisms. We continue to have ongoing interaction with the private sector to coordinate our interaction during a potential attack.
Livewire demonstrated the need to enhance processes for communicating cyberprotection information to the public and for two-way information sharing with the private sector. Livewire prompted us to enhance our vulnerability-identification and -reduction capabilities. The exercise encouraged us to create the Cyber Interagency Incident Management Group, mentioned above, to coordinate intergovernmental preparedness and response operations. It also spurred us to expand the reach of emergency communications capabilities using a technologically advanced, secure network.
InformationWeek: What colleges and universities have been contacted, or funded, to help further IT security research and development programs?
Yoran: The Department of Homeland Security is very involved in working with colleges and universities. The department's Science and Technology Directorate and the Homeland Security Advanced Research Project Agency work with higher-education programs and partnerships. Further, a number of other federal agencies--including the departments of Commerce and Justice, the National Institute of Standards and Technology, and others--are very involved in cybersecurity initiatives, and these organizations are involved in college and university programs.
NCSD works closely with and funds Carnegie Mellon University on a wide range of programs. Carnegie Mellon is a founding partner in US-CERT.
We are working with other departments and agencies to strengthen information-assurance higher-education programs to meet America's growing requirements for professional cybersecurity skill sets. We will make announcements on these programs in the near future.