Mr. Schmidt goes to Washington

The pending appointment by President Bush of Microsoft Corp.’s chief security officer Howard Schmidt to the number two position at the U.S. government’s Critical Infrastructure Protection Board raises an important question about the homeland security effort: Should private-sector experts be heading for the White House or frontline security agencies?

News of Schmidt’s expected appointment, first reported by Computerworld two weeks ago, comes as the federal government’s cybersecurity and critical infrastructure protection (CIP) community struggles to define itself amid a growing bureaucracy focused on homeland security.

While many experts praised the addition of Schmidt to the government’s CIP team, others said tangible steps need to be taken to improve the government’s focus and the private sector’s cooperation with frontline cybersecurity agencies such as the FBI’s National Infrastructure Protection Center. The NIPC, based at FBI headquarters in Washington, was formed in 1998 to handle threat assessment, investigations and responses to any attacks on critical U.S. infrastructures.

Despite lessons learned from the Sept. 11 terrorist attacks on the United States, which demonstrated the nation’s vulnerability to physical disruptions and the interdependency of its critical infrastructures, the government and private-sector stakeholders in the CIP effort remain uncertain about the definition of critical infrastructure protection and, in some cases, uninvolved – a problem that a political appointment like Schmidt’s can’t fix, experts said.

“A large majority of the focus up until Sept. 11 has been on the information security side of the equation, and there has been a limited focus on infrastructures, particularly physical disruptions and the interdependencies that proved so important during the Sept. 11 attacks,” said Paula Scalingi, former director of the U.S. Department of Energy’s Office of Critical Infrastructure Protection and now president of The Scalingi Group, a Tysons Corner, Va.-based infrastructure security consulting firm.

The security industry still hasn’t come to grips with defining the scope of critical infrastructure protection, she said.

The more pressing need, said government and private-sector officials, is for industry experts like Schmidt to provide sector expertise to the NIPC so that interdependencies between the telecommunications grid, power grid, energy pipelines, emergency service networks and other critical services can be better understood.

In fact, NIPC director Ronald Dick acknowledged last August a critical need for private-sector expertise. “I need people who know gas and water, people who know electric power and the transportation system,” he said.

Dick has praised the relationship between his agency and the North American Electric Reliability Council in Princeton, N.J., citing it as one of the first arrangements where classified cybersecurity information is being shared with industry.

However, the electric power industry is a prime example where cooperation and focus remain a moving target. Joe Weiss, technical manager of the enterprise infrastructure security program at the Electric Power Research Institute in Palo Alto, Calif., said the fact that some of the leading suppliers of IT systems that control electric power throughout the country aren’t members of the Partnership for Critical Infrastructure Security (PCIS) is a major threat to critical infrastructure. The PCIS is a key government/private-sector security organization now working to enhance IT security.

“The Web sites will be safe, but the lights will be out, and water and oil won’t flow,” said Weiss, stressing the fact that existing IT technology won’t work in industrial control systems and, in some cases, can actually shut them down. “There have been vulnerability assessments done and these important control systems have been shown to be vulnerable,” he said. “This is not in any way, shape or form hypothetical.”

GTE Corp., one of the suppliers mentioned by Weiss, couldn’t be reached for comment. However, Bud Greebey, a spokesman for Siemens AG, another major supplier of critical industrial systems, said the company is “not aware of any overtures to us from the PCIS.” Even so, the premise behind the PCIS is something Siemens fully supports, he said.

Ron Ross, director of the National Information Assurance Partnership, a Washington-based government-industry consortium led by the National Institute of Standards and Technology and the National Security Agency, agreed that there is an education and awareness gap regarding potential vulnerabilities in some important systems and networks that comprise the critical infrastructure.

“We now have to begin to delve into a variety of areas that need significant attention with regard to computer security,” said Ross.

Alan Paller, director of the SANS Institute in Bethesda, Md., said every technical, hands-on expert that the NIPC can add to its ranks from the private sector would immediately help the cause of homeland security. And while Schmidt offers policy expertise to the government, his addition to the President’s Critical Infrastructure Protection Board “directly supports” the NIPC, said Paller.

A former senior government official, speaking on condition of anonymity, said appointments that are heavy on prestige but light on hands-on analysis capabilities aren’t what’s needed right now. “They [the NIPC] need sector expertise and particularly analytic capabilities to address infrastructure interdependencies,” the official said.