Cyber-security gains visibility

Former federal prosecutor Michael Chertoff is expected to be confirmed this week as homeland security secretary, and one of the first items in his in-tray will be how to deal with the question of cyber-security.

Mr. Chertoff was questioned about the issue at his confirmation hearing last week, and undertook to appoint a special adviser on the issue as a member of his personal staff.

Sen. Robert F. Bennett, Utah Republican, reminded the nominee that the nation’s critical infrastructure — including power and utility plants — was “dependent on computers for their security and their safe operation,” and that an attack on the chemical or power sectors using the Internet “could produce tremendous devastation.”

“One thing I would like to do actually, in terms of my own staffing of the front office, is make sure I bring somebody on board who really understands computers and these issues,” Mr. Chertoff told Mr. Bennett.

Amit Yoran, who was in charge of cyber-security at the Department of Homeland Security until he quit last year, called that undertaking “a very promising step.”

“To have someone bringing the issue to the table at that most senior level, the secretary’s own office … it’s an optimistic sign,” he said.

But the move might not be enough to placate those who have criticized the department for not giving the issue sufficient priority.

The department currently deals with cyber-security as a subset of infrastructure protection — guarding the nation’s vital organs and arteries against attack from terrorists and others. Mr. Yoran headed the department’s National Cyber Security Division, reporting to Robert Liscouski, assistant secretary for infrastructure protection.

But lawmakers and industry lobbyists have long thought that the issue needs more visibility and a more senior official to drive government policy, and Mr. Chertoff will face efforts to force him to appoint a separate assistant secretary for cyber-security.

A bipartisan bill creating such a post, sponsored by members of the House Homeland Security Committee, was put forward last month.

Supporters of the House bill are looking for a Senate sponsor, and Mr. Bennett has been mentioned as a candidate. His spokeswoman, Mary Jane Collipriest, would say only that he was “looking at all the options … to ensure that the [cyber-security] issue gets the attention it needs.”

Opponents of the bill argue that Congress is micromanaging the department, and that separating the cyber-security function would be a mistake.

With any piece of critical infrastructure, Mr. Liscouski — who left the department last week — said last year, “you’ve got the possibility of a physical or kinetic attack, but equally you could be vulnerable to a cyber-attack on the control system. … You also have to consider the possibility of an insider attack.” Weaknesses in any one of those fields could be leveraged to mount an attack in another, he explained.

Not everyone agrees that creating a separate post for cyber-security would endanger that holistic approach.

“You can still integrate [with a separate post]; that is what is called executive management,” said Ed Badolato, an infrastructure protection professional who confirmed that he was being considered by the White House to replace Mr. Liscouski.

Story Continues →