PACKET RAT: Top post in cybersecurity has the look of a gilded cage
Michael J. Bechetti
When the Rat recently read the Government Accountability Office's scathing review of the Homeland Security Department's cybersecurity efforts, the rodent of many words could utter only one: 'Ouch.'
While the whiskered one has long looked with alarm at the DHS cybersecurity soap opera, the drubbing that GAO and Congress have been giving the department shows why the cyberczar's office at DHS has featured a revolving door since the agency was minted: Apparently, nobody can get anything done.
'While DHS has initiated multiple efforts to fulfill its responsibilities,' the GAO report reads, 'it has not fully addressed any of [its] 13 responsibilities, and much work remains ahead.'
Sure, there's the U.S. Computer Emergency Readiness Team that DHS set up. Sure, they're talking more with other agencies about cybersecurity matters. But they haven't made much progress in putting together a national vulnerability assessment, or any contingency plans for dealing with cyberattacks and other threats to the Internet infrastructure. The plan, it seems, has been not to have a plan.
'What are they doing over there?' one of the Rat's minions muttered. 'They must play more Halo than we do!'
'They're into a different kind of virtual warfare over there,' the cyberodent replied. 'It's called 'fighting organizational inertia.' '
On the other hand, it's entirely possible that not having a plan has its advantages. After all, even government agencies with a real cybersecurity budget'like the Defense Department'still get embarrassed on a regular basis by some Scandinavian 16-year-old or comparable threat vector. And DHS doesn't actually own the infrastructure it's supposed to plan to secure'more than 80 percent of it belongs to commercial service providers and big corporations.
'The last thing any politically savvy appointee in this administration wants to do is mess with the private sector, right?' the Rat suggested to his apprentice. 'You know, to do anything that might be viewed as creating more of a regulatory burden?
'Besides,' he grinned, 'nothing really bad has happened yet cyberterror-wise. If it's not broke, don't fix it. Maybe not having a plan is the best plan.'
Still, Congress doesn't seem happy with just the absence of any harm'they want to see something done. So the new Homeland Security spending bill that came out of the House included a mandate for somebody with actual authority to make things happen: an assistant secretary of DHS for cybersecurity.
Of course, that assumes they can get someone to take the job. Amit Yoran quit the top DHS cybersecurity post last November after struggling with upper management to get anything done. He was the fourth top cybersecurity expert to bolt for the door, following Richard Clark, Howard Schmidt and Rand Beers.
Maybe the higher profile within DHS will help whoever replaces interim director Andy Purdy. But that assumes a lot of things, such as that the White House will even try to fill the job.
'Don't look at me,' the whiskered one commanded as his underlings eyed him thoughtfully. 'There's no way I'm interested in that job. If I want to work long hours to achieve nothing, there's plenty of that right here.'The Packet Rat once managed networks but now spends his time ferreting out bad packets in cyberspace. E-mail him at firstname.lastname@example.org.