U.S. cybersecurity due for FEMA-like calamity?

Security experts say Homeland Security's cybersecurity division ill-prepared to handle major cyberattack.

In the wake of Hurricane Katrina, the Federal Emergency Management Agency has been fending off charges of responding sluggishly to a disaster.

Is the cybersecurity division next?

Like FEMA, the U.S. government's cybersecurity functions were centralized under the Department of Homeland Security during the vast reshuffling that cobbled together 22 federal agencies three years ago.

Auditors had months before Hurricane Katrina that FEMA's internal procedures for handling people and equipment dispatched to disasters were lacking. In an unsettling parallel, government auditors have been saying that Homeland Security has failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies.

"When you look at the events of Katrina, you kind of have to ask yourself the question, 'Are we ready?'" said Paul Kurtz, president of the Cyber Security Industry Alliance, a public policy and advocacy group. "Are we ready for a large-scale cyberdisruption or attack? I believe the answer is clearly no."

The department, not surprisingly, begs to differ. "Cybersecurity has been and continues to be one of the department's top priorities," said Homeland Security spokesman Kirk Whitworth.

But more so than FEMA, the department's cybersecurity functions have been plagued by a series of damning reports, accusations of bureaucratic bungling, and a rapid exodus of senior staff that's worrying experts and industry groups. The department is charged with developing a "comprehensive" plan for securing key Internet functions and "providing crisis management in response to attacks"--but it's been more visible through press releases such as one proclaiming October to be "National Cyber Security Awareness Month."

Probably the plainest indication of potential trouble has been the rapid turnover among cybersecurity officials. First there was Richard Clarke, a veteran of the Clinton and first Bush administrations who left his post with a lucrative book deal. Clarke was followed in quick succession by Howard Schmidt, known for testifying in favor of the Communications Decency Act, then Amit Yoran and Robert Liscouski.

The top position has been vacant since Liscouski quit in January. In July, Homeland Security Secretary Michael Chertoff pledged to fill the post but has not named a successor.

"I sure wouldn't take that job," said Avi Rubin, a professor specializing in cybersecurity at Johns Hopkins University. "It only has a downside."

If an Internet meltdown happened--perhaps a present-day rendition of the 1988 worm created by Robert Morris, which forced administrators to disconnect their computers from the network to try to stop the worm from spreading--Homeland Security's cybersecurity official would wield little power yet shoulder all the blame, Rubin said. "The person who was cybersecurity czar would be out of a job and would be blamed, even though it might have been someone else not following a policy."

Other top-level staff have been departing: The deputy director of Homeland Security's National Cyber Security Division, a top official at the Computer Emergency Response Team, the undersecretary for infrastructure protection and the assistant secretary responsible for information protection have all left in the past year.

A promotion in the works
Raising the profile of cybersecurity efforts inside Homeland Security has garnered some support in the U.S. House of Representatives.

Earlier this year, Rep. Zoe Lofgren, a California Democrat, and Rep. Mac Thornberry, a Texas Republican, reintroduced legislation from the previous congressional session that would create an assistant secretary for cybersecurity.

The much talked-about position would report directly to the Homeland Security secretary, on equal footing with posts that oversee the nation's physical infrastructure. Under current department structure, the top cybersecurity official is buried in a few levels of bureaucracy beneath the Homeland Security chief.

"Creating an assistant secretary is far more than just an organizational change," Thornberry said when introducing the bill. "It is an essential move to assure that cybersecurity is not buried among the many homeland security challenges we face."

The proposal was ultimately wrapped up in the broader Homeland Security Authorization Act for 2006 and has been approved by the House. But since May, it has been sitting in front of the Senate Homeland Security committee, which has not indicated when further action will occur.

Outside observers are holding out hope for Chertoff's departmental reorganization announced in July. As part of the reshuffling, he hired Stewart Baker, former general counsel to the National Security Agency and a well-respected technology lawyer, to be assistant secretary for policy. Baker is waiting for Senate confirmation.

"It's been a mess for over four years, and hopefully the new folks will fix this," said Jim Lewis, director of the technology and public policy program at the Center for Strategic and International Studies.

"In the previous incarnation, DHS and the Homeland Security Council didn't really know what to do with cyber--it's been a deer-in-the-headlights experience for them," Lewis said. "It's not clear who's even in charge. When you look at all the different committees who

Featured Video