As the years go by, I'm beginning to look and sound more and more like 60 Minutes' Andy Rooney. At the beginning of every year, I feel compelled to conduct an assessment of the past year and then gaze forward with optimism. I wish I could report on the progress of U.S. homeland security with optimism, but I cannot.
Much of the leadership of the Department of Homeland Security, its Cyber Division in particular, has resigned, including Tom Ridge, Bob Liscouski, and Amit Yoran. These resignations reinforce ever-increasing concerns that things are not well at DHS.
This is a critical time for one of the largest agencies in the federal government. The time of the innovator is over, and the time of the administrator has begun. This means the window for innovation has now closed until the next national catastrophe, because large-scale changes in security continue to occur only in the aftermath of tragedy. This collective, reactive mindset is at the core of many of our security failures.
A related problem is the "on and off" manner in which security expenditures are authorized. Security is usually one of the first departments to receive budget cuts. This cycle of neglect is counterproductive to effective planning and budgeting. It also causes morale problems in security organizations.
In the aftermath of September 11, I expected more from our leaders. When the history of the Department of Homeland Security is written, the early years will be about organizational changes but also about opportunities missed and roads not taken.
The administration and DHS leadership chose to lead with emphasis on not making mistakes. This strategy is commonplace in government, and it's reminiscent of the mini-max model. Mini-max strategy suggests that the best decision is one that first minimizes potential losses and then maximizes potential gain. In practice, this strategy quickly loses the initiative and limits opportunities for significant gain. Loss of initiative has been most problematic for DHS. The American public expected action following the release of the September 11 Report. When it became clear that decisive steps were not being taken, a public outcry forced the issue onto the Congressional agenda. DHS should have been the primary advocate of the September 11 Report. For reasons that are unclear, DHS leadership did not carry the flag valiantly. They did not carry the flag at all. Once it was clear that public opinion favored the report, DHS jumped on board with a rousing, "ME TOO!" The American people expect and deserve better from the agency dedicated to protecting their lives and infrastructure. I want to be perfectly clear that the fault here lies with leadership. Many thousands of DHS employees are working hard and effectively to secure lives and property. They too deserve leadership that will fight for change in a world where old strategies and old alliances produce unacceptable results.
Approximately 80 percent of the United States' critical infrastructure is owned by the private sector, and a great deal of energy has been spent deciding how best to protect these essential assets. Recently, Amit Yoran, former director of the DHS National Cyber Security Division, spoke on this topic at an information assurance conference in Washington, DC. He said the Cyber Division had made progress in negotiations with executives of power plants, oil pipelines, nuclear facilities, and other technology-intensive industries that are essential to national security. But he also asked, "Do we (DHS) have the authority to kick in the door and put our fingers on the keyboards?"
Yoran worked on a number of short-term and long-term research projects during his year in office. One of the most valuable of these was the creation of a map of the federal government's Internet addresses and their owners. I congratulate Mr. Yoran on this accomplishment. At the same time, I am dismayed that in his first and only year in office he was forced to begin with such an elementary objective. Perhaps this is another indicator of why many federal agencies continue to receive cyber security grades of "D" and "F" from oversight organizations.
Making the Grade
The Federal Computer Security Report Card released in 2003 gave the federal government a grade of "D" for cyber security, up from a grade of "F" in 2002. The report indicated that most agencies and departments showed improvements in computer security over the previous year, but more than half still received a grade of "D" or "F." "Who in the world would want to carry that report card home to their parents?" asked Rep. Adam Putnam, R-Florida, chairman of the House Government Reform subcommittee that compiled the report card.
The grades are based on self-reports and the reports of federal inspectors to Congress and the Office of Management and Budget. A 29-question survey was sent to 54 federal departments and agencies. The questions covered six broad areas, including security planning, the protection of software and systems from unauthorized access and the ability to continue operations in the event of disruptions. The GAO audited the results and released a report stating that federal agencies have "serious and widespread" security weaknesses.
In 2003, eight agencies received a grade of "F." Nineteen agencies failed to complete reliable inventories of their critical information technology assets. Additionally, the departments of Veterans Affairs, Treasury and Defense failed to submit security reports as required by the 2002 Federal Information Security Management Act. "For too long we have allowed information security to take a back seat to overall preparedness in this nation," Putnam said. He added, "Under the 2002 E-Government Act, funding can be withheld from federal agencies that do not comply with security guidelines."
The Nuclear Regulatory Commission and the National Science Foundation made the greatest strides in protecting their computer systems during the last year, receiving grades of "A" and "A-." The Social Security Administration and the Labor Department also performed well, receiving grades of "B+" and "B" respectively. The Defense Department received a "D," and the departments of Energy and Homeland Security each received grades of "F."
"We expect significant improvement from Homeland Security next year," Putnam said. "They should be leaders in improving their computer networks." Sen. Susan Collins, R-Maine, who chairs the Senate Governmental Affairs Committee, called the failing grades "unacceptable" and urged agencies to take immediate action to improve cyber security. "The administration has reason to believe that cyber attacks could be part of terrorists' game plans," she said. "We cannot afford to be caught off guard."
Agencies with good grades had common characteristics. They completed inventories of their critical information technology assets; identified critical infrastructure and systems; implemented strong incident reporting procedures; had tight controls over contractors; and developed strong plans and milestones for finding and eliminating security weaknesses.
The 2004 cyber security grades for the federal government will be released in the first quarter of 2005. I am eager to see what improvements have been made, because to remain at our current level of readiness is unacceptable.
In my opinion, federal, state and local governments continue to receive failing grades because they are continually in reaction mode. They may plan, but they fail to work their plans. In some cases, the agency head goes from boondoggle to boondoggle and comes back with new agendas from the consultant du jour for immediate implementation. Perhaps the political climate changes, and pressure comes down from above to change direction solely for appearance's sake.
Over time, a certain pattern of behavior develops. Phrases like "Let's pick the low-hanging fruit" are heard in planning sessions. This statement is a license to act without proper planning. The underlying philosophy behind it is to get results quickly in order to appear to be accomplishing something important. We, in security, should be concerned about actual accomplishments. Plan first, and then act based upon your plans. How about, "He who fails to plan, plans to fail"? Yes, I like this one much better.
Bob Wynn is the former director and state chief information security officer for the State of Georgia. His 20 years in the security field include experience in senior security management, infrastructure protection, computer crime investigations, policy writing, and achieving compliance with federal regulations such as HIPAA and GLBA.