As the years go by, I'm beginning to look and sound more and more like 60 Minutes' Andy Rooney. At the beginning of every year, I feel compelled to conduct an assessment of the past year and then gaze forward with optimism. I wish I could report on the progress of U.S. homeland security with optimism, but I cannot.
Much of the leadership of the Department of Homeland Security, its Cyber Division in particular, has resigned, including Tom Ridge, Bob Liscouski, and Amit Yoran. These resignations reinforce ever-increasing concerns that things are not well at DHS.
This is a critical time for one of the largest agencies in the federal government. The time of the innovator is over, and the time of the administrator has begun. This means the window for innovation has now closed until the next national catastrophe, because large-scale changes in security continue to occur only in the aftermath of tragedy. This collective, reactive mindset is at the core of many of our security failures.
A related problem is the "on and off" manner in which security expenditures are authorized. Security is usually one of the first departments to receive budget cuts. This cycle of neglect is counterproductive to effective planning and budgeting. It also causes morale problems in security organizations.
In the aftermath of September 11, I expected more from our leaders. When the history of the Department of Homeland Security is written, the early years will be about organizational changes but also about opportunities missed and roads not taken.
The administration and DHS leadership chose to lead with emphasis on not making mistakes. This strategy is commonplace in government, and it's reminiscent of the mini-max model. Mini-max strategy suggests that the best decision is one that first minimizes potential losses and then maximizes potential gain. In practice, this strategy quickly loses the initiative and limits opportunities for significant gain. Loss of initiative has been most problematic for DHS. The American public expected action following the release of the September 11 Report. When it became clear that decisive steps were not being taken, a public outcry forced the issue onto the Congressional agenda. DHS should have been the primary advocate of the September 11 Report. For reasons that are unclear, DHS leadership did not carry the flag valiantly. They did not carry the flag at all. Once it was clear that public opinion favored the report, DHS jumped on board with a rousing, "ME TOO!" The American people expect and deserve better from the agency dedicated to protecting their lives and infrastructure. I want to be perfectly clear that the fault here lies with leadership. Many thousands of DHS employees are working hard and effectively to secure lives and property. They too deserve leadership that will fight for change in a world where old strategies and old alliances produce unacceptable results.
Approximately 80 percent of the United States' critical infrastructure is owned by the private sector, and a great deal of energy has been spent deciding how best to protect these essential assets. Recently, Amit Yoran, former director of the DHS National Cyber Security Division, spoke on this topic at an information assurance conference in Washington, DC. He said the Cyber Division had made progress in negotiations with executives of power plants, oil pipelines, nuclear facilities, and other technology-intensive industries that are essential to national security. But he also asked, "Do we (DHS) have the authority to kick in the door and put our fingers on the keyboards?"
Yoran worked on a number of short-term and long-term research projects during his year in office. One of the most valuable of these was the creation of a map of the federal government's Internet addresses and their owners. I congratulate Mr. Yoran on this accomplishment. At the same time, I am dismayed that in his first and only year in office he was forced to begin with such an elementary objective. Perhaps this is another indicator of why many federal agencies continue to receive cyber security grades of "D" and "F" from oversight organizations.