DHS Finally Names Cyber Czar

Department of Homeland Security has finally nominated a new Cyber Czar to run the Telecommunications and Cyber Security Divisions. It only took them about two years.

The next person to stick his neck out in this position will be Greg Garcia, the Vice President of a Policy Think Tank called ITAA (Information Technology Association of America).

As the Assistant Secretary of Homeland Security for Cyber and Telecom, Greg will be in charge of US-CERT which has received tons of criticism for poor execution of its mission to secure the nation’s cyber infrastructure. In truth, US-CERT does in fact work to alert technology chiefs about new cyber threats, but these alerts are almost always aged by 8 to 24 hours because of internal red tape and processes. An RSS alert feed from many reputable private organizations, like SANS, CNET and even the Register keeps me up to speed on threats in a more timely manner.

US-CERT has also introduced the CME program, or the Common Malware Enumeration system to clearly identify malware by a common identifier. Often the big Antivirus Companies would rush to press with the latest catchy or not-so-catchy name of a new threat, worm or virus, and it would sometimes get confusing when talking to other techs about the virus when everyone was calling it something different. No more confusion between different names of a worm or virus should exist now that CME is in place.

Once Greg gets settled in, his best bet will be to organize US-CERT based on the model of similar Response teams in the Military. This would put US-CERT at the top of an heirarchical pyramid in charge of all of the Federal CSIRTS. Right now the Federal CSIRTS are required to merely report about incidents and problems within the respective federal agencies. And while it is the law that they report under FISMA, many agencies are still confused about what to report, how often, or are outright neglectful in their reporting. By requiring all federal agencies to stream security logs to US-CERT, the US Government can reduce the burden of reporting and they will be able to correlate attacks against the government across agencies.

The biggest roadblock to making this happen is the Carnegie Mellon half of US-CERT which lobbies Congressmen and Senators on Capital Hill against allowing the government (and US-CERT!) to look at its own data- on grounds that doing so is an invasion of privacy. And with Cargegie Mellon University gobbling up well over a fifth of all funding for the National Cyber Security Division, including the mega-salary of Andy Purdy, the current stand-in Cyber Chief and employee of Carnegie Mellon, these roadblocks will remain in place.

If there is a coordinated cyber attack against the Federal Government today, US-CERT will have to rely on the kindness of other agencies to inform them that such an attack is taking place. Because after squandering hundreds of millions of dollars, US-CERT has effectively tied a blindfold around its own eyes so it cannot see the attack happening. Greg Garcia must overcome the crippling effect of US-CERT’s own blindness and somehow make the agency effective in stopping cyber attacks. Otherwise, we will be looking for a new head of NCSD again very soon.