The United States' battle to secure cyberspace
When it comes to building cybersafeguards, outgoing Assistant Secretary Robert Liscouski says the Department of Homeland Security has received an unjustified bad rap.
Liscouski thus becomes the latest high-ranking cybersecurity official to leave the DHS, where protecting the U.S. information infrastructure made up only part of his duties.
But Liscouski, formerly the chief information officer for the Coca-Cola Company, says this is not another sign of the disarray alleged by DHS detractors. What's more, he believes the department has received a bad rap from critics who claim the DHS has done little to protect cyberspace. CNET News.com spoke with Liscouski about the DHS's commitment to cybersecurity, the criticisms of the agency and why the DHS resembles nothing so much as a high-pressure start-up--albeit without stock options.
Q: There's been criticism from the technology industry that the Bush administration hasn't moved fast enough in implementing the national strategy. How do you respond?
Put the criticism aside and take a look at what we've done.
There was no organization responsible for cybersecurity prior to the DHS, and within less than two years we not only created an organization which is specifically responsible for information technology and cybersecurity, but we went from an aggregated budget of about $10 million to $80 million. We've got the National Cyber Alert System, which was launched this last year, which is delivering information to American secured computer systems, and we've got 270,000 direct subscribers there. We've increased situational awareness in the cybercommunity through the US-CERT Web site. We've established a cybersecurity readiness and response system, which is a 24-7 system, which is effectively responsible for tracking incident and trend data....We disseminate US-CERT data through classified briefings.
I can go through the entire list of accomplishments, but I would say we've done a very good job and it's all user-focused.
The industry allied with the government to create the National Cyber Security Partnership and then came up with five different working groups, which issued reports. But we have seen little else from them since. Has private industry participation stalled?
No. Actually, I would argue that the private sector is working well with the department. I've looked at what the task force working groups have done so far. Software assurance and governance working groups in particular have done a tremendous job.
People are more worried about the physical threats than cyberthreats. Do you think that's going to change in the future and that cybersecurity will be a bigger part of the equation? Or do you think the mix we have right now is about right?
Well, I think you are making an assumption that your perception is correct. I would challenge you on that. I would suggest that you're seeing the most visual things, such as the police out in force with all sorts of SWAT gear standing in front of buildings. Because of the visual aspect, you see our reaction to a threat--checkpoints and a lot of things that would make a much better media visual then talking about cybersecurity.
I don't necessarily agree that we've only been focusing on the physical side. But I would tell you that the dominant threat that we face today is a physical threat versus a cyberthreat in terms of where al-Qaida is focusing, and al-Qaida is still the predominant threat that we look at. But that's not at the exclusion of the other cyberthreats.
Such as?
There are plenty of examples where cyberattacks have manifested themselves and they have not been a threat. We've taken coordinated action, working with our partners in the federal sector to mitigate the attack, investigate the attack and get awareness about what's going on. It just doesn't create the visual that the physical side does.
So you know, when we talk about one dominating the other, much of that has to do with the fact that we are somewhat driven at a tactical level by the threats that we face, and we're not going to let another 9-11 happen. But we're surely not going to turn a blind eye to cyberspace so we can have a 9-11 version of a cyberwar. We've got a very active and very aggressive approach there. I think it's just not fair to represent one as dominating the other.
I actually employed software (while) working for a Fortune 50 company, and I would tell you that my biggest push was getting the vendors to make sure that they are going to give us solid, workable software that I could rely upon.
While the industry is criticizing the government, they are not vocal about their own issues. To suggest that this monkey is only on the government's back takes some pressure off the private sector. But it doesn't do the user community any service because nobody is looking out for them. I see that as our job.
I'm going to continue to push that agenda outside the government as well as inside the government. I think you're going to see more about the user community being the emphasis and more focus on getting educated and becoming more aware.
There has been a lot of turnover within the cybersecurity side of the DHS. Lawrence Hale is leaving. Amit Yoran has left. And it goes back to Richard Clarke, who left a comparable post just before the DHS was formed. Is that indicative of some sort of difficulty on the cybersecurity side?
It's regular government turnover. I would say some of those in the industry who are getting more vocal would argue that the turnover indicates a problem. But many of these people have put their time in. Part of it is, I need more senior positions to which I can promote people to reward their hard work. I cannot compete with the private sector in keeping good people.
Lawrence Hale is a very bright guy, a very talented guy, and he's put in 24 years. Amit told us he would give us a solid year. He's a good guy, and he gave it a shot, and we got a year.
In my case, I committed to (being assistant) secretary, when I came on board back in February 2003, for two solid years. You know these jobs are hard. When you've done a start-up environment--and you know what the hours are and how hard the pace is--(you know) that particularly in a constantly changing environment in which you have to keep your pressure on for execution, you have transitions. I pretty much fulfilled my commitment to the secretary and had always desired to move back to the private sector.
This is basically a start-up organization in which the pressure here is as intense as it is anywhere else in the private sector. Let somebody else have as much fun as I have.
