DHS Gets Relegated to the Corporate Security Margin

One year after the National Strategy to Secure Cyberspace was released, IT professionals suggest that it may be a waste of taxpayer dollars.

When the White House released the National Strategy to Secure Cyberspace in February last year, the guiding principle was to make it a "living document" capable of changing with the times and meeting the needs of a diverse Internet community.

But in the year since its release, the strategy has had little or no impact on the security plans and investments of many of the companies that were supposed to be integral to its implementation, corporate IT executives say. And although some critical-infrastructure sectors have heeded the government's call to action, many corporate users still view the plan as irrelevant to the challenges they face.

"Although we all do our best in thinking strategically about issues like [the national strategy], they are at the bottom of any list I have," said John Spencer Jr., vice president of operations and CIO at the American Society of Health-System Pharmacists in Bethesda, Md. "What's the payoff?

"I have existing budgets that change by the day, I'm trying to patch the holes in my Microsoft-based infrastructure daily and weekly, [and] new and different variants of viruses are running rampant," Spencer said. "I could give you a list of 100 things like this that I'm addressing by the minute, day and week. I can see cause and effect related to these issues, but not so with this strategy."

Begging vs. Regulating

For IT managers like Spencer, "cause and effect" translates into detailed justification for increasing resources to do what the U.S. Department of Homeland Security's National Cyber Security Division (NCSD) is asking of companies across the country: to belly up and take the lead in securing cyberspace. The threatened alternative: unwanted regulation.

The irony is that in the private sector, the onset of new regulations -- regulations that have nothing to do with the DHS -- has in fact forced improvements in cybersecurity, users and analysts say.

For example, Davidson Healthcare in Lexington, N.C., along with every other company in the health care industry, faces on April 15 the non-negotiable activation of the Health Insurance Portability and Accountability Act, which requires enhanced security to protect private patient data.

Unlike HIPAA, however, the release of the national strategy "hasn't necessarily provided any [justification] for additional funding," said Kevin Buchanan, director of IT at Davidson Healthcare. "HIPAA is not a recommendation; it's federal law. And when I say something is a federal requirement, senior managers can't argue with that."

In addition to HIPAA and laws that cover financial reporting, such as the Sarbanes-Oxley Act, pressing business requirements often force security improvements upon senior executives, said Fred Held, a partner at Tatum CIO Partners LLP in Los Angeles.

Held, who recently completed an assignment as CIO at a national distribution company, said it was a recent merger agreement, not the National Strategy to Secure Cyberspace, that drove his temporary employer to evaluate its security.

And therein lies the disconnect, said Craig Janus, vice president of the Center for Information and Telecommunications Technologies at Falls Church, Va.-based Mitretek Systems Inc.

"There is no cohesiveness built into the strategy," said Janus. "There are no incentives [such as] tax credits or cost sharing to encourage, if not force, the private sector to do more."

The DHS declined to respond directly to the comments. Amit Yoran, head of the NCSD, had agreed several weeks ago to meet with Computerworld on March 2, but he canceled the interview only hours before it was to take place. Instead, a spokesman for Yoran provided a written statement that offered no new details about the national strategy or efforts to collaborate with the private sector.

Money Well Spent?

If the national strategy is ineffectual, it's not because there's no money to bolster it. The Bush administration has requested $31 million for IT security efforts as part of the fiscal 2005 budget proposal for the Information Analysis and Infrastructure Protection Directorate at the DHS. It has also requested $1.9 million for expanded cybersecurity exercises to uncover vulnerabilities.

The question being asked by many corporate users is whether the money should be spent on the national strategy. While there are signs that the public/private partnership called for in the plan is beginning to slowly pick up steam, many users credit private-sector programs and initiatives that were under way well before the strategy was released.

"In my opinion, a large part of the cybersecurity strategy is aimed at vendors and service providers of IT solutions," said Rick Perry, director of enterprise operations and security at The Burlington Northern and Santa Fe Railway Co.

Perry said rail companies have voluntarily and without goading by the DHS formed the Rail Industry Security Committee to share best practices and rail security alert plans that cover both physical and cybersecurity.

Moreover, Fort Worth, Texas-based Burlington Northern recently began working on a pilot program sponsored by the U.S. Department of Defense's Intelligence Systems Support Office called Operation Picket Fence.

The purpose of the program, which will begin this spring, is to provide improved network security, install and maintain intrusion-monitoring and cyberdefense equipment, and establish a centralized monitoring and management facility for the coordination of responses to cyberterrorism, said Perry.

Likewise, in the natural gas industry, "all of the initiatives are industry-driven" and aren't a result of the national strategy, said Gary Gardner, CIO of the American Gas Association.

For example, the association and the Gas Technology Institute this year plan to release an encryption protocol that's capable of supporting SCADA systems that are used to manage natural gas systems, the electric grid, water systems and other industrial control infrastructures.

Decades Away?

Although Yoran's appointment in September to lead the NCSD has added some momentum to the government's strategy, "for most people in the industry, I'm sure it's a plan that's sitting in a file somewhere," said Gardner. "Is it driving the train? I'm not sure."

At the first National Cyber Security Summit, held in Palo Alto, Calif., in December, and again during an event last month marking the one-year anniversary of the strategy's release, Yoran said the NCSD had moved "from national strategy development and articulation to implementation."

As evidence of that shift, Yoran pointed to a number of programs designed to prevent cyberattacks and enable an effective response to attacks that do occur. But he cautioned that the benefits from many of the "strategic level" programs, such as those in the area of software assurance, may not be realized for years or even decades.

"Even if R&D were not required and the tools were readily available for us to develop more secure code, this technology would still have to work its way into the compilers of several development tools commonly used by the software development community," said Yoran. "And once that occurs, there are annual or longer development cycles before more secure products hit the marketplace. And then we start the long and multiyear cycle of technology refresh and upgrades."

But Richard Clarke, who published the National Strategy to Secure Cyberspace as his last official act as chairman of the President's Critical Infrastructure Protection Board before leaving for the private sector last March, said all of the programs called for in the document could be started immediately.

"They could all be done today if the government wanted to," Clarke said. "There's no technological reason [for the delay]. It's just a matter of will and resources."

The government "is not sitting down with the electric power, transportation, banking and finance, and other industries and saying, 'Show us how you're implementing the national strategy,' " said Clarke. "They're not implementing the strategy in a serious way. I think largely we've dropped the ball."

Copyright © 2004 IDG Communications, Inc.

  