U.S. DHS Unprepared for Internet Disruption

Could what happened to New Orleans happen to the Internet? If we were expecting U.S. DHS to prevent it, apparently so:

While the Homeland Security Department has been charged with coordinating cyberspace security and recovery, GAO found that the initiatives so far lack authority, and the relationship between the initiatives is unclear.

David Powner, GAO’s director of information technology management issues, told a Senate subcommittee during a hearing timed to coincide with the release of the report that it is unclear what government entity is in charge, what the government’s role should be and when it should jump in. “Despite federal policy requiring DHS to develop this public-private plan, today no such plan exists,” Powner said.

Report: U.S. unprepared for major Web disruption, By Heather Greenfield, National Journal’s Technology Daily 28 July 2006

The chair of the Senate subcommittee on Federal Financial Management, Government Information and International Security, Republican Tom Coburn, was not pleased:

Coburn reprimanded Homeland Security for spending “millions of dollars over the past year,” making little progress, releasing its national infrastructure protection plan three years late, and failing to hire an assistant secretary in charge of cyber security and Internet recovery.

Seems like the last several occupants of that position, or whatever they were previously calling it, quit, often with no notice, and with brief stays.

AT&T, ISS and Verisign were among the companies that testified. They said the government needs an early warning system for widespread Internet attacks, a clear line of command for a disaster and more investment in cyber security.

They also asked the government to hire a cyber-security czar, but Coburn said it is the patriotic duty for someone in industry to step forward and take the pay cut to do the government job.

“Any one of you want to volunteer for that position?” Coburn asked.

Coburn seems to be missing the point. Why should anybody for any amount of pay take a position with all the responsibility and none of the authority or the technical means to do the job?

I also think the idea of a clear line of command is flawed, since that means a clear line of potential failure that can be attacked. That way also lies the old telco idea of cutting off the Internet at continental US (CONUS) borders in the case of an attack. Distributed disaster resilience and recovery seems more appropriate to the distributed Internet.

Maybe the telcos and security companies should be collaborating on early warning systems and distributed disaster coordination without waiting for the government, considering the U.S. government seems about as clueless about Internet security as it is about net neutrality.

-jsq

PS: Seen on Bruce Sterling’s Beyond the Beyond.