[ISN] The United States' battle to secure cyberspace

InfoSec News isn at c4i.org
Thu Jan 27 02:27:36 EST 2005 

http://news.com.com/The+United+States+battle+to+secure+cyberspace/2008-1082_3-5550064.html

By Robert Lemos 
Staff Writer, CNET News.com
January 26, 2005

Robert Liscouski doesn't hesitate to explain why he's leaving the 
Department of Homeland Security: He pledged two years, and time's up. 

Liscouski thus becomes the latest high-ranking cybersecurity official 
to leave the DHS, where protecting the U.S. information infrastructure 
made up only part of his duties. 

But Liscouski, formerly the chief information officer for the 
Coca-Cola Company, says this is not another sign of the disarray 
alleged by DHS detractors. What's more, he believes the department has 
received a bad rap from critics who claim the DHS has done little to 
protect cyberspace. CNET News.com spoke with Liscouski about the DHS's 
commitment to cybersecurity, the criticisms of the agency and why the 
DHS resembles nothing so much as a high-pressure start-up--albeit 
without stock options. 


Q: There's been criticism from the technology industry that the Bush 
administration hasn't moved fast enough in implementing the national 
strategy. How do you respond?

Put the criticism aside and take a look at what we've done. 

There was no organization responsible for cybersecurity prior to the 
DHS, and within less than two years we not only created an 
organization which is specifically responsible for information 
technology and cybersecurity, but we went from an aggregated budget of 
about $10 million to $80 million. We've got the National Cyber Alert 
System, which was launched this last year, which is delivering 
information to American secured computer systems, and we've got 
270,000 direct subscribers there. We've increased situational 
awareness in the cybercommunity through the US-CERT Web site. We've 
established a cybersecurity readiness and response system, which is a 
24-7 system, which is effectively responsible for tracking incident 
and trend data....We disseminate US-CERT data through classified 
briefings. 

I can go through the entire list of accomplishments, but I would say 
we've done a very good job and it's all user-focused. 


The industry allied with the government to create the National Cyber 
Security Partnership and then came up with five different working 
groups, which issued reports. But we have seen little else from them 
since. Has private industry participation stalled?

No. Actually, I would argue that the private sector is working well 
with the department. I've looked at what the task force working groups 
have done so far. Software assurance and governance working groups in 
particular have done a tremendous job. 

We've got more to do, no question about it. But you know, we've got 
engagement; we've got good leadership there....It's a classic case of 
you can't just rush that process quicker by adding more people and 
more resources. Some things do take time to implement. 


People are more worried about the physical threats than cyberthreats. 
Do you think that's going to change in the future and that 
cybersecurity will be a bigger part of the equation? Or do you think 
the mix we have right now is about right?

Well, I think you are making an assumption that your perception is 
correct. I would challenge you on that. I would suggest that you're 
seeing the most visual things, such as the police out in force with 
all sorts of SWAT gear standing in front of buildings. Because of the 
visual aspect, you see our reaction to a threat--checkpoints and a lot 
of things that would make a much better media visual then talking 
about cybersecurity. 

I don't necessarily agree that we've only been focusing on the 
physical side. But I would tell you that the dominant threat that we 
face today is a physical threat versus a cyberthreat in terms of where 
al-Qaida is focusing, and al-Qaida is still the predominant threat 
that we look at. But that's not at the exclusion of the other 
cyberthreats. 


Such as? 

There are plenty of examples where cyberattacks have manifested 
themselves and they have not been a threat. We've taken coordinated 
action, working with our partners in the federal sector to mitigate 
the attack, investigate the attack and get awareness about what's 
going on. It just doesn't create the visual that the physical side 
does. 

So you know, when we talk about one dominating the other, much of that 
has to do with the fact that we are somewhat driven at a tactical 
level by the threats that we face, and we're not going to let another 
9-11 happen. But we're surely not going to turn a blind eye to 
cyberspace so we can have a 9-11 version of a cyberwar. We've got a 
very active and very aggressive approach there. I think it's just not 
fair to represent one as dominating the other. 


What remains to be done?

I actually employed software (while) working for a Fortune 50 company, 
and I would tell you that my biggest push was getting the vendors to 
make sure that they are going to give us solid, workable software that 
I could rely upon. 

While the industry is criticizing the government, they are not vocal 
about their own issues. To suggest that this monkey is only on the 
government's back takes some pressure off the private sector. But it 
doesn't do the user community any service because nobody is looking 
out for them. I see that as our job. 

I'm going to continue to push that agenda outside the government as 
well as inside the government. I think you're going to see more about 
the user community being the emphasis and more focus on getting 
educated and becoming more aware. 


There has been a lot of turnover within the cybersecurity side of the 
DHS. Lawrence Hale is leaving. Amit Yoran has left. And it goes back 
to Richard Clarke, who left a comparable post just before the DHS was 
formed. Is that indicative of some sort of difficulty on the 
cybersecurity side?

It's regular government turnover. I would say some of those in the 
industry who are getting more vocal would argue that the turnover 
indicates a problem. But many of these people have put their time in. 
Part of it is, I need more senior positions to which I can promote 
people to reward their hard work. I cannot compete with the private 
sector in keeping good people. 

Lawrence Hale is a very bright guy, a very talented guy, and he's put 
in 24 years. Amit told us he would give us a solid year. He's a good 
guy, and he gave it a shot, and we got a year. 

In my case, I committed to (being assistant) secretary, when I came on 
board back in February 2003, for two solid years. You know these jobs 
are hard. When you've done a start-up environment--and you know what 
the hours are and how hard the pace is--(you know) that particularly 
in a constantly changing environment in which you have to keep your 
pressure on for execution, you have transitions. I pretty much 
fulfilled my commitment to the secretary and had always desired to 
move back to the private sector. 

This is basically a start-up organization in which the pressure here 
is as intense as it is anywhere else in the private sector. Let 
somebody else have as much fun as I have.

More information about the ISN mailing list