Industry fears security setbacks
- By Florence Olsen
- Oct 11, 2004
With Amit Yoran's sudden departure from the nation's top cybersecurity job, industry officials said they fear another setback in efforts to make government and corporate networks secure from attacks that hurt business and national security.
Yoran, who resigned Sept. 30 as director of the Homeland Security Department's National Cyber Security Division, is the third federal cybersecurity chief to leave government service in less than two years, conjuring worries that the job is too tough for even the most talented recruits.
"Whether Amit intended it or not, his departure is a pretty strong wake-up call," said Harris Miller, president of the Information Technology Association of America. "First Dick Clarke, then Howard Schmidt, now Amit — that's not good," Miller said.
DHS officials reacted quickly to Yoran's departure two weeks ago by naming Andy Purdy, Yoran's deputy, to serve as acting director until they find a permanent replacement. Purdy has worked in the cybersecurity division since it was created as part of DHS.
Some industry observers said confusing lines of authority in the federal government make the job of cybersecurity chief tougher than it needs to be. But one of Yoran's accomplishments, they said, was to help establish a chain of command during a cybersecurity attack.
Under Yoran, the division formed
three new operational groups to work on cybersecurity.
"They had pretty much demarcated what authority various groups had to respond to something," said Chris Risley, president and chief executive officer of Nominum Inc., which makes Internet software. "They needed to have all that laid out so they knew who to call."
Many industry observers are hoping that new legislation will resolve questions about authority, including the question of whether Yoran's former position should be elevated to the rank of an assistant secretary in DHS. Legislation to raise the authority and visibility bounced around Capitol Hill last week, leaving some industry observers hopeful but uncertain whether the change would become law.
"It's a little hard to figure out what is or is not going to survive — or even whether there's going to be an intelligence bill before Congress goes home," Miller said.
The House's intelligence bill has a provision for raising the cybersecurity chief's position from director to assistant secretary. The Senate bill does not, Miller said, but added that Sen. Charles Schumer (D-N.Y.) favors upgrading the position so that cybersecurity can garner more attention.
Although Yoran's bosses at DHS have been reticent about his departure, industry officials generally have praised his job performance and expressed regret about his departure. A former security industry executive, Yoran, 33, was widely trusted in industry circles. "He was very suited for the job in terms of technical understanding and technical curiosity," Risley said.
Other industry officials said Yoran was trying to foster — with some success — a level of cooperation among companies in the fiercely competitive IT security industry.
Perhaps the most visible accomplishment of Yoran's short tenure was the National Cyber Alert System, which uses e-mail messages to alert citizens and technical users of viruses, worms and other Internet-borne attacks. But other cybersecurity projects, not so visible or well publicized, could have an equal or greater impact on cybersecurity, some industry officials said.
One such program was an initiative to gather vendors' virus signature files, through the department's U.S. Computer Emergency Readiness Team (US-CERT) Web site, for federal civilian agencies as soon as the vendors released them. Yoran was leading efforts to standardize virus nomenclature and coordinate virus responses, said Tom Simmons, director of federal markets for Trend Micro Inc., an antivirus software company.
Industry officials would like to see Yoran's replacement be a person with industry experience. But others are less certain about who should fill the position. DHS officials probably should re-examine what skills and experience the leader of cybersecurity needs rather than fill the position immediately, said Howard Schmidt, a former cybersecurity adviser in the Bush administration who will return as a consultant to DHS' US-CERT.
Diane Frank contributed to this article.