Government Creates New Cybersecurity Office
New Homeland Security Unit Will Work With Private Sector
Brian Krebs and Robert MacMillan
The Department of Homeland Security today said it will establish an office to focus on U.S. cybersecurity, a move that may blunt criticism that the agency has not devoted enough resources and attention to Internet security.
The National Cyber Security Division will "conduct cyberspace analysis" and issue warnings and alerts about online attacks, the department said. The division also will respond to major Internet attacks and assist in "national-level recovery efforts."
Homeland Security Secretary Tom Ridge said that the division, which will have 60 employees, will focus on the "vitally important task of protecting the nation's cyber assets."
Part of the new division's mission will be to coordinate the efforts of several cybersecurity offices that were folded into the Homeland Security Department this year. Among the former offices that will be put into the division are the Critical Infrastructure Assurance Office, the National Infrastructure Protection Center, the Federal Computer Incident Response Center and the National Communications System.
The office will be part of the department's Information Analysis and Infrastructure Protection division, which is run by former Coca-Cola Corp. security executive Robert Liscouski.
The division will have three sections. One will identify cybersecurity risks to the government, and coordinate with the private sector on how to minimize them. Another will oversee the Cyber Security Tracking, Analysis & Response Center. CSTARC, as the department labeled it, will respond to Internet "events," track vulnerabilities and coordinate with federal, state and local governments, as well as the private sector and international security groups. The third section will create cybersecurity education programs for consumers, businesses, governments, academia and the international community.
The new division will gather intelligence on cyber threats from the nation's intelligence community, including the FBI, CIA and the National Security Agency, Liscouski said. He said that the administration does not intend to turn the division into an investigative agency.
"We're looking to establish a single point of contact that private companies and federal [agencies] can go to get good information about how to protect themselves. This is not about DHS doing all this work itself," Liscouski said. "This is about DHS taking advantage of all federal, industry and private sector resources out there."
The creation of the new office could mollify critics who have said that the administration is ill-equipped to handle a major attack on the Internet and that it is not too concerned about one happening.
Former White House cybersecurity adviser Richard Clarke also has questioned whether the department will put anyone in charge of cybersecurity who ranks high enough in the homeland security chain of command to steer policy.
"No matter how good you are, many people are going to treat you based on your rank and how often you can see and talk to the president and other important people," Clarke said in an interview last month. Clarke, who left the administration in January, has criticized the administration for failing to appoint a high-level official to focus exclusively on Internet security. His deputy, Howard Schmidt, resigned in April after an unsuccessful bid to get Ridge to create a high-ranking cybersecurity czar position.
The department has not picked anyone to run the cybersecurity division, because it has not found a qualified candidate.
"In a perfect world the person named to lead the department would be higher up in the food chain, but we'll see what happens," said Harris Miller, president of the Information Technology Association of America. "If they get the right person in there who has strong backing from Ridge, that person can make a real difference."
Private-sector critics have said that the administration has not devised concrete requirements to force software and hardware vendors to improve the security of their products.
Liscouski said the government should consider options besides regulation to get companies to improve their security practices. One such tactic would be to require public companies to certify with securities regulators that they have taken steps to ensure the security of their products.
Mark Rasch, former head of the Justice Department's Computer Crime Division, said he supports this idea.
"As long as companies can put out software and disclaim any liabilities for it with impunity, there is very little incentive for software manufacturers to ensure their products are hardened against attacks," said Rasch, now a senior vice president for security vendor Solutionary.