
Homeland defense focus shifts to tech

As Capitol Hill scrutinizes the president's proposal, politicians worry about tech-savvy terrorists and insist any new agency must protect against electronic attacks.

Declan McCullagh Former Senior Writer
WASHINGTON--Computer security is becoming an increasingly critical part of President Bush's proposal for a homeland defense department.

When Bush formally proposed the department last month, he predicted that the future agency would aid in investigating al-Qaida and thwarting disasters similar to those of Sept. 11. In the televised address, he never mentioned the Internet or so-called cybersecurity.

But as Capitol Hill scrutinizes the proposal, politicians are fretting about tech-savvy terrorists--and insisting any new agency must shield the United States from electronic attacks as well.

"If we don't make sure the Homeland Security Department is prepared in this area of cybersecurity, we have failed in our duty," House Energy and Commerce Chairman Billy Tauzin, R-La., said Tuesday.

At Bush's urging, House Republicans have asked committees for any suggested changes to the White House-backed bill by the end of the week, and at least four committee votes are scheduled for Wednesday. On Thursday, a special panel chaired by House Majority Leader Dick Armey, R-Texas, will hold its first meeting to work out a final version of the plan.

Until this week, Congress has focused on how the proposal would combine 22 agencies, including the Secret Service, the Coast Guard and the Federal Emergency Management Agency, into a massive Department of Homeland Security.

Also included in the bill, and discussed at length in a pair of hearings Tuesday, are equally radical changes for the U.S. government's Internet defenses. The plan would glue together nearly all computer protection functions, from the Commerce Department's Critical Infrastructure Assurance Office to the Computer Security Division of the National Institute of Standards and Technology to the Federal Computer Incident Response Center.

The complex reshuffling of bureaucracies, including twists such as the proposed department's half-acquisition of the FBI's National Infrastructure Protection Center, has prompted some politicians to ask for more time to examine the plan. Privacy groups also have raised concerns about database sharing and have suggested that the department be subject to traditional open-records laws.

The House Science committee, for instance, plans to propose an amendment that would add an "Undersecretary for Science and Technology" to the department. Currently there are five proposed undersecretaries, a deputy secretary and allowance for "not more than six assistant secretaries."

From Washington's perspective, the concept of cybersecurity remains somewhat murky and marked by exaggeration. Last year, the head of the Defense Intelligence Agency told Congress that Fidel Castro could be planning a "cyberattack" on the United States, and White House cybersecurity czar Richard Clarke has spent years predicting an "electronic Pearl Harbor."

Tech's double-edged sword
Nearly everyone agrees that any electronic-defense plan should anticipate attacks against both government agencies and important systems owned by private companies.

"In the information age, the same technological capabilities that have enabled us to succeed can now also be turned against us," John Tritak, the head of the Critical Infrastructure office, said Tuesday. "Powerful computing systems can be hijacked and used to launch attacks that can disrupt operations of critical services that support public safety and daily economic processes."

President Clinton created Tritak's group by executive order in 1998. Since then, it's spent much of the time working with American businesses to beef up security.

But Tuesday, some politicians questioned whether that approach is working--and whether new laws and regulations are needed to bring executives to heel. Such requirements could include everything from design standards for backup power supplies to security rules for Web servers.

"Do you believe that efforts to regulate security across the private sector are warranted and are even likely to be effective?" asked Rep. James Greenwood, R-Pa., who chairs the Judiciary subcommittee.

"I'd like to think we made some headway in reaching out to industry," Tritak replied.

James McDonnell, the director of the Energy Department's security program, answered by saying he did not think new security laws were necessary, at least not yet.

"If we go forward with our vulnerability assessments and find that industry (is) not using these or (is) not taking care of their assets, then maybe we need to revisit what regulations are required," McDonnell said.

Rep. Bart Stupak, D-Mich., said he was tired of hearing excuses for poor performance by federal IT officials and wondered whether the massive proposed reorganization could exacerbate the situation.

"None of the computers seem to be compatible in the federal government," Stupak said. "Every time we spend billions of dollars to upgrade a computer, it doesn't seem to work and we have to start all over again...Are we going to have another layer of computers that don't talk to each other while cybersecurity is endangered?

"It seems like there's more of a turf war; we won't trust this person with this information, or it's our information and won't go further. I don't think it's all just computer-related problems or security-related problems but leadership problems."

A report that congressional auditors published last year said that instead of becoming a highly sensitive nerve center that responds to computer intrusions, the FBI's National Infrastructure Protection Center (NIPC) had turned into a federal backwater that was surprisingly ineffective in pursuing malicious hackers or devising a plan to protect electronic infrastructure. It highlighted the NIPC's turf wars and concluded: "This situation may be impeding the NIPC's ability to carry out its mission."

David Sobel, general counsel of the Electronic Privacy Information Center, said Tuesday that the proposed department should not be completely immune to requests made under the Freedom of Information Act. Private companies have said they need such an exemption to be sure that sensitive information they provide not be disclosed.

"Any claimed private sector reluctance to share important data with the government grows out of, at best, a misperception of current law," Sobel said. "Exemption proponents have not cited a single instance in which a federal agency has disclosed voluntarily submitted data against the express wishes of an industry submitter."