Cyber Threats Await Next Homeland Security Chief

 Arizona Gov. Janet Napolitano, Obama's Department of Homeland Security appointee
Arizona Gov. Janet Napolitano, Obama’s recently named appointee to head the Department of Homeland Security.
Source: Arizona governor’s office

Though it is charged with keeping America safe, the Department of Homeland Security (DHS) has also run up a record of high-profile failures during its short history.

Its role in the response to Hurricane Katrina, followed by a series of cyber security breaches, led to Congressional criticism of DHS Secretary Michael Chertoff and its CIO, Scott Charbo. And several of its proposed programs have stalled.

It’s a legacy that Arizona Gov. Janet Napolitano is poised to inherit, having been named on Monday as President-elect Barack Obama’s pick for DHS secretary.

And as a result of the DHS’s troubles, information security experts have a laundry list of suggestions for Napolitano once she’s confirmed.

First off, she should speed up the hiring process to better protect against future cyber security threats, according to Shannon Kellogg, director of information security policy at EMC (NYSE: EMC).

Kellogg pointed out that the DHS has lost several employees involved in information security, including Greg Garcia, assistant secretary for cyber security and communications, who announced his departure this week.

Getting new people in quickly and retaining them will be important because US-CERT, the operational arm of the department’s National Cyber Security Division and a key player in national and private sector Internet security, is building out broader capabilities and expanding quickly, Kellogg told

“That requires you hire people very quickly, but this is counter to how government hiring processes work,” he added.

US-CERT coordinates defenses against and responses to cyber attacks nationwide and issues security threat warnings. It developed software for the Einstein Program, an intrusion detection system in the federal government that is the result of the 2002 Homeland Security Act, the 2003 Federal Information Security Management Act (FISMA) and the Homeland Security Presidential Directive/Hspd-12, issued in August 2004. The first two versions of Einstein have been implemented in the Federal government.

EMC’s Kellogg said that Einstein III is in the works. The project — in which Kellogg called on Napolitano to continue investing — will add real-time reporting capabilities to the system.

Clean up your own house

Napolitano should also make sure DHS deals with its own security vulnerabilities. The department suffered 844 security breaches during its fiscal 2005 and 2006, leading a House subcommittee on tech and cyber security to DHS CIO Scott Charbo of not doing his job, during a June 2007 hearing.

The breaches also led to charges from a congressman that the IT vendor DHS contracted to build its networks, Unisys, bore partial responsibility for the breaches. The company quickly denied the accusations’ validity, but the incident later led to an FBI probe of Unisys (NYSE: UIS).

[cob:Pull_Quote]”I hope the new secretary will continue to emphasize the importance of information security in this environment,” EMC’s Kellogg said. “DHS should be an example for information security within the federal government.”

As a result, the DHS should take a proactive approach to security, Scott Crawford, research director at Enterprise Management Associates, told

“There is no national agenda for taking cyber security all that seriously at this point,” he said. “The DHS is left to reacting to events as they occur and leaving events to the private sector.”

Also at issue is how the next director of homeland security will work with the tech czar that Obama has promised to appoint — a position commonly thought of as a national CTO. While details are scant on Obama’s plans for the position, analyst Charles King of Pund-IT said he believes Napolitano should fight the idea of creating a single CTO position.

Instead, he thinks she should suggest a national council of CTOs, he told in an e-mail.

A long list of rumored candidates Obama’s tech czar post has included names like that of Google CEO Eric Schmidt — who later signaled his interest in remaining at the search giant — as well as former FCC chair Reed Hundt, Apple CEO Steve Jobs, Amazon CEO Jeff Bezos and Julius Genachowski, an economic adviser to Obama and cofounder of venture capital firm Rock Creek Ventures.

[cob:Special_Report]But King thinks that’s a bad idea. Napolitano should appoint working CTOs who have actually been involved in developing successful commercial projects, he said.

He added that Napolitano ought to keep the national CTO on a tight leash, giving them three months to develop one-, two- and three-year plans for modernizing the nation’s IT resources — and refusing to extend the deadline.

All these suggestions will take time to flesh out. But one of the things Napolitano can do to score points quickly with the new administration is to have DHS establish a methodology to rate how well companies and agencies are communicating securely, one observer noted.

“The DHS should enable agencies and the U.S. government to use a unified architecture to communicate securely, and a rating system will motivate people to use best practices for secure communication,” said Kelly Mackin, president and COO of DataMotion, told

According to Mackin, whose firm handles secure e-mail for a U.K. government department, there are 4.7 terabytes of e-mail data for every 1,000 employees in a company — data that could pose a danger if not properly locked down.

“Although 93 percent of employees think e-mail is a critical piece of how they do business, most of that e-mail is not secured, and DHS must address this problem,” she said.

News Around the Web