Amit Yoran left DHS in September 2004, convinced the department had no clue on how to handle cybersecurity. Now he is feeling more hopeful.
He was the Department of Homeland Security's first director of the National Cyber Security Division of the Information Analysis and Infrastructure Protection office, but by September 2004 he was frustrated by what he saw as a lack of concern and commitment to Internet security. Four years later, he's feeling better about the state of affairs.
"I think we've gone through a very important shift from an industry and government perspective," he says. "On the government side, in the last two years we've seen a concerted effort from the White House to make this a priority. A lot of action in support of the Cybersecurity Initiative is taking place within the departments and agencies. So I'm very encouraged by this start."
Still, he continues to see room for improvement. The initiative has not gone through the open dialogue and debate that should be happening, he says. There's also the question of what the next president's Internet security policies will look like when he takes office Jan. 20, 2009.
"The economy is obviously a key issue right now, so I'm not surprised that it has overshadowed cybersecurity, and rightfully so," Yoran says. "During the campaign, both sides had good people in the field advising them."
Yoran is hopeful that the government's cybersecurity focus will continue to sharpen.
"This is an issue with pretty broad bipartisan support," he says. "I think we have some momentum from the Bush Administration, and both [Republican and Democratic Presidential] campaigns appear to have taken an interest in the topic."
The economic crisis will almost certainly lead to more regulation, but it's far too early to say how IT security will be affected, he says.
However, he continues to see companies taking the misguided approach of viewing security through the prism of compliance. Compliance and security are not the same thing, and it's a misunderstanding people should be aware of as more regulations come down the pike.
"Too many companies are training to the test, so to speak, developing security programs specifically to pass the compliance test. You still see that a lot and it's scary," he says.
As the former chief security officer for the Department of Homeland Security, Dwight Williams directed and managed security matters related to the department and its 200,000 employees and contractors for close to three years. Williams, a 30-year security veteran whose resume also includes over a decade with the Washington D.C. Metropolitan Police Department, now serves as a vice president overseeing security at DynCorp International, a private defense contractor, which he joined in June 2007. CSO caught up with Williams for his thoughts on the future of homeland security and its increasing partnership with private contract firms.
DynCorp has had a presence with contract security forces on the border, as well as with contingency efforts in the Gulf after Hurricane Katrina. Drawing upon your expertise both with DynCorp, and previously with the Department of Homeland Security, do you anticipate an increasing private presence in homeland security efforts?
From its formation, DHS relied heavily on contractor support to stand up the organization and roll out new initiatives. From my experience, it was a public-private partnership that worked very well. I am certain the private sector will continue to play a prominent role with DHS, particularly in the development of new technologies to protect the homeland and by providing surge support in response to natural or man-made disasters.
Other key roles for the private sector include the protection of our critical infrastructure and government facilities, thus freeing valuable government resources to concentrate on detection and elimination of threats to our way of life.
If you could name one or two major challenges with regard to homeland security that still need to be tackled, what would those be? And what is the challenge for security contractors in working with DHS on these challenges?
We still face a number of major challenges, but high on my list is securing our very porous borders and the inspection of the vast amount of goods that enter our country each day by ground, air and sea.
I think it is important that security contractors have the opportunity to discuss solutions with the federal customer prior to the issuance of an RFP. A combination of rapidly emerging security technologies and the constantly shifting threat landscape can make the best solution a moving target. Creating a strong partnership between industry and the government will always produce a better security solution.
Of course, a well-documented challenge is the timeliness of obtaining security clearances and personnel suitability reviews. Our problem is trying to keep the best candidates interested in a position while waiting for the process to run its course. This is by no means limited to DHS; this involves most of the federal sector. I've now experienced this from both sides of the fence. Vetting procedures are very important and there have been great strides to improve the timeliness of the process, but there is room for more improvement. A greater reliance on automated personnel checks and continuous monitoring can reduce the need for many of the staffing-intensive investigative techniques.
While with the DHS, you oversaw efforts on the part of the ISC (Interagency Security Committee) to devise standards to protect federal buildings with three criteria in mind: threat, vulnerability and consequences. Do you see the results of these standards come into play now for DynCorp in its work with DHS?
To date, the nature of our work and contact with DHS has not brought the ISC standards directly into play. However, I am very proud of what the ISC was able to accomplish and continue to take the same risk-based approach to physical security with many of our mission-critical projects around the world. As DynCorp's potential business opportunities expand domestically, my past involvement with the ISC should benefit our organization in developing ISC-compliant solutions to federal projects.
This story, "Security Predictions: Two Views of DHS" was originally published by CSO.