The case of the missing assistant secretary

A year after creation of assistant secretary for cybersecurity, the job is still unfilled. Observers say Bush administration is just not interested.

A year ago Thursday, Homeland Security Secretary Michael Chertoff announced the creation of an assistant secretary for cybersecurity. A year later, the agency has not even identified a candidate for the job, the Washington Post reports.

"What this tells me is that ... [Chertoff] still hasn't made this a priority ... to push forward and find whoever would be the best fit," said Paul Kurtz, a former cyber security advisor in the early Bush administration and now a chief lobbyist for software and hardware security companies.

"Having a senior person at DHS... is not going to stop a major cyber attack on our critical infrastructures," Kurtz said, "but [it] will definitely help us develop an infrastructure that can withstand serious attacks and recover quickly."

Rep. Zoe Lofgren (D-Calif.), a co-author of the bill that would have forced the department to create the position last year, did not mince words: "I think DHS is pathetic and incompetent. It's a complete mystery what's happening over there."

But DHS says the job is almost filled. "We are hopeful we'll be able to announce in the not-too-distant future an individual we think would be able to continue the work we've been doing," said George W. Foresman, undersecretary for preparedness.

Some observers think the slowness reflects a policy choice to ignore cybersecurity in favor of physical hardening.

James Lewis, director of technology and public policy at the Center for Strategic and International Studies in Washington, said the administration had already adopted the position that cyber initiatives would siphon funds away from physical security for high-value potential terrorist targets.

The high-level post "was forced on them by Capitol Hill," Lewis said. "Left to their own devices, the White House wouldn't have created the position."

The government is increasingly using Windows on servers connected to the Internet. That's cost-effective but that exposure also makes power, water, sewage and other such systems dangerously vulnerable to online attack, said Alan Paller, director of research for the SANS Institute, a computer security training group based in Bethesda.

"Hackers have discovered that owners of SCADA systems are very sensitive and that they can make money by threatening to do damage," Paller said, adding that he is aware of at least two incidents just this year in which attackers broke into and threatened to disrupt utility operations unless the owners paid a ransom demand.