CNET también está disponible en español.

Ir a español

Don't show this again

Tech Industry

Snoozing about security

As the bureaucracies battle in Washington, CNET News.com's Charles Cooper explains why things are going from bad to worse.

No doubt these are tough times for the folks charged with securing the nation's cyber front lines.

Everyone, from government watchdogs to bloviating columnists, has a bright idea about how they should do their job better.

But there also is a statute of limitations on the public's patience. Two years ago this month, the Department of Homeland Security established a cybersecurity division to shore up the nation's defenses. The results to date include three cyberczars, millions of dollars in taxpayer expense, and thousands of worm and virus attacks.

Hardly a sterling record of accomplishment.

Even regular Americans--not just the digital denizens of Silicon Valley--are frustrated with the lack of tangible progress. Most respondents surveyed in a recent poll of likely voters believe the government has failed to do enough to make the Internet safe. Only 28 percent said they thought Uncle Sam was doing a good job.

So, what needs fixing at DHS? The better question is: What doesn't need fixing?

Will any of this light a fire in Washington? As a political issue, cybersecurity rarely leads the evening network newscasts. New legislation to establish the weighty-sounding position of Assistant Secretary for Cybersecurity may help. So might the passage of the DHS Cybersecurity Enhancement Act of 2005. (Money and authority never hurt.)

But a drumbeat of criticism nonetheless is growing in response to current events.

Maybe the new blood at DHS will take the criticism to heart and order a recalibration, because there's no time to waste. More than 1,000 new worms and viruses were discovered in the last six months alone. What's more, networks will run into more complex worms and viruses--some of which will be deployed by politically motivated hackers--in 2005 and beyond.

You don't need be an alarmist to imagine some pretty hairy stuff. A couple of years ago, the Slammer worm disabled a nuclear power plant's safety monitoring system for nearly five hours. This fast-propagating worm also affected five other utilities. No lasting damage was recorded, but that was through sheer luck.

So, what needs fixing at DHS? The better question is: What doesn't need fixing? You can read about the extent of the mess in an exhaustive report published by the Government Accountability Office, the investigative arm of Congress. The GAO report found problems that ranged from the structural to the cultural, such as the reluctance of the department's managers to play nice when it comes to cooperating with other branches of the federal bureaucracy and the private sector.

In fairness, you can reach back a decade to find examples of turf wars over how best to protect the nation's infrastructure. But after the Sept. 11 attacks, you wouldn't expect to find the DHS still failing to fully make the grade in 13 areas of responsibility (as per the GAO report). That's quite a record of ineptitude, even for the federal bureaucracy. But don't think any of this has led to great introspection.

The mindset that led to this dismal state of affairs still flourishes.

The mindset that led to this dismal state of affairs still flourishes. One idea put forward by the GAO team was to establish clear milestones and performance metrics. But the DHS rejected recommendations and sought "clarifications" (bureaucracy-speak for telling another agency to stuff it). At this point, I would point you to the memorable line uttered by Strother Martin in the movie "Cool Hand Luke": "What we've got here is failure to communicate."

David Powner, who was responsible for the GAO report, put things more diplomatically. "They thought their current strategic plan addressed those challenges," he told me. "We didn't see that in their plan."

In the meantime, Powner and others live in dread of the nightmare scenario: a combined terrorist attack against a physical asset like a power grid, paired with a devastating attack against the nation's cybernetworks and communications systems.

"If you look at the recovery plans (DHS has in place), more work needs to be done," he says. "If you look at reconstituting the Internet if there were an event that took down the network, there's still not a plan in place."