Monday, May 13, 2013

Tough Times at Homeland Security

A new wave of cyberattacks is hitting American companies at a particularly vulnerable time for the Department of Homeland Security, the federal agency charged with fending them off.

That is because the department has been grappling with the departures of its top cybersecurity officials. In the last four months, Jane Holl Lute, the agency’s deputy secretary; Mark Weatherford, the top cybersecurity official; Michael Locatis, the assistant secretary for cybersecurity; and Richard Spires, the chief information officer, have all resigned.

Candidates currently being considered to fill their posts include Beltway officials and executives from the antivirus software makers Symantec and McAfee, according to people briefed on their professional backgrounds who were not authorized to speak publicly about the department’s hiring process. But these people said the leading candidates lacked critical ties to Silicon Valley and to the hacking community from which Homeland Security has said it so urgently needs to recruit.

For the last four years, the department has said it needs to expand its cybersecurity force by as many as 600 skilled hackers if it is to keep pace with the influx of increasingly sophisticated threats.

“We need students,” Janet Napolitano, the secretary of homeland security, told students at San Jose State University last year. “We need young people who really understand this technology who are creative and innovative.”

But in the last 10 years, most students who graduated from the CyberCorps Scholarship for Service program, a National Science Foundation program that awards scholarships to students with cyberskills in exchange for a federal service commitment, went to the National Security Agency, where they work on offensive missions. At Homeland Security, the emphasis is on keeping hackers out, or playing defense.

Ms. Napolitano convened a 15-person task force last year to figure out how to attract more students. The task force included security experts from Facebook, the N.S.A. and the Idaho National Laboratory, the Energy Department’s lead nuclear research center. Its co-chairmen were Alan Paller, director of research at the SANS Institute, a security training organization, and Jeff Moss, founder of the well-known Black Hat and Def Con annual hacking conventions in Las Vegas.

Among their recommendations: Make Homeland Security cool again by partnering with the organizers of hacking competitions, whose participants would much prefer to “move fast and break things” at Facebook or Twitter or Google than cut through red tape at the Department of Homeland Security.

To make the department more than a bureaucratic afterthought, people inside the agency say they hope it will fill one of its top vacancies with a hacker “rock star” not unlike Mr. Moss, whose Las Vegas conferences annually draw the best minds in computer security, or Peiter Zatko, the hacker better known as Mudge, who recently left his position at the Pentagon’s Defense Advanced Research Projects Agency, or Darpa, for Google.

“Where is cyber at D.H.S. right now?” one person at the agency remarked. “Who is minding the shop? And what have we been talking about for the past four years?”