The U.S. Department of Homeland Security has found someone to take over the daily responsibility of running the National Cyber Security Division. But the department has yet to fill the vacant post of assistant secretary for cyber security and telecommunication.
Robert S. Zitz, the deputy undersecretary for preparedness at DHS, has been tapped to oversee the day-to-day operations of the NCSD. Andy Purdy, the acting director of the NCSD, whose contract with DHS ends in October, will remain in place but Zitz now will be spending a portion of his time working with him and the rest of the NCSD senior staff.
Zitz already has met with NCSD leaders and is being brought up to speed on the current state of affairs. Zitz will continue to report to George Foresman, the under secretary for preparedness, who oversees the branch of DHS that includes the NCSD.
Jarrod Agen, a spokesman for DHS, said Zitz will maintain his other duties and will not take over the assistant secretary job, which has remain unfilled since DHS Secretary Michael Chertoff created it last July. However, Agen said, the department is "close to the final stages of hiring someone" for the assistant secretary position.
"It takes a unique person to make the personal sacrifices it takes for this job. We're competing with the private sector, which has virtually unlimited resources in terms of money," Agen said. "We can't offer stock options."
DHS has been close to filling the post several other times, but the candidates have backed out for one reason or another, some of them citing financial considerations.
Zitz has spent more than 25 years in the intelligence community and has an extensive background in reconnaissance and satellite imagery. He also has some experience with information assurance. Most recently he was a special assistant to the directors of both the National Security Agency and the National Geospatial-Intelligence Agency, and was involved in helping to improve information assurance in the Department of Defense. Zitz also spent time in the CIA and was a civilian intelligence analyst with Army Intelligence.
Some in the security community say that regardless of credentials or experience, whoever ends up taking the assistant secretary job faces an uphill battle in making information security a priority inside DHS.
"I don't think it matters who has the job because the job can't really be done where it is," said Alan Paller, research director at the SANS Institute in Bethesda, Md. "If you're two or three levels down, you don't have the access you need. They should never have taken the job out of the White House."
Before the creation of DHS, the top cybersecurity officials were members of the White House staff and served on the President's Critical Infrastructure Protection Board. Many in the security community were sharply critical of the decision to dissolve the board and move the cybersecurity function to DHS, where it has less visibility among senior administration officials.
"The lack of permanent leadership in DHS has made it difficult for the private sector to cooperate with the government in developing an efficient, effective plan for cyber security," said Pete Allor, director of operations at the Information Technology Information Sharing and Analysis Center (IT-ISAC) industry group and director of intelligence at Internet Security Systems Inc., in Atlanta. He said the IT-ISAC and its sector-specific groups holdsa daily call with US-CERT. "However, what is missing in our information sharing is the leadership and focus of the federal government in ensuring that intelligence from the private sector is collected and utilized in a formalized, coordinated fashion."
The decision to put Zitz in charge of the NCSD comes at a time when the division and DHS in general are coming under congressional scrutiny. The Senate Committee on Homeland Security and Governmental Affairs Friday will hold a hearing on steps that DHS can take to work more closely and efficiently with security experts in the private sector and industry coalitions, in an effort to improve the NCSD's ability to respond to and recover from a major attack.
One of the main goals of the National Strategy to Secure Cyberspace, which was completed more than three years ago, was for DHS to form lasting, effective partnerships with key private-sector organizations. Some progress was made on that front during the tenure of Amit Yoran, the former director of the NCSD who resigned in 2004. A former software executive himself, Yoran worked closely with groups such as the ISAC groups to open lines of communication among top government and industry leaders.
But since Yoran's departure, the level of communication between the two sides has dropped off sharply, hampering efforts to implement a planned early-warning system for widespread attacks and make needed improvements to the nation's security infrastructure.
"We've been running in place really since the national strategy came out," said Paul Kurtz, executive director of the Cyber Security Industry Alliance, and a former White House advisor on security issues who helped develop the National Strategy to Secure Cyberspace. "The level of liaison with DHS right now is very low. DHS relies a lot on the private sector but no one knows who to work with [at DHS]. What's the government's role right now? This is not unbelievably complex. While we're standing still, the threats and vulnerabilities are not. They're getting exponentially worse. We're putting ourselves in a very dangerous position."
Friday's hearing, titled "Cyber Security: Recovery and Reconstitution of Critical Networks," will feature testimony from several government officials, including Karen Evans, administrator for electronic government and information technology at the Office of Management and Budget, and Richard Schaeffer, director of information assurance at the National Security Agency. Also slated to appear are a number of private sector experts, including Tom Noonan, president and CEO of ISS, Roberta Bienfait, senior vice president of global network operations at AT&T and Michael Aisenberg, director of government relations at VeriSign Inc.