excerpt from my book on technology, terrorism, and
DHS, tentatively titled "Skating on Stilts." (If you want to
read the excerpts in a more coherent fashion, try the categories on the
right labeled "Excerpts from the book." I'm afraid I can't fix the bug
in TypePad that prevents me from putting them in the category in
reverse-chronological order, but I have started putting chapters up in
pdf form from time to time.) Comments and factual quibbles
are welcome, either in the comments section or by email:
email@example.com. If you're dying to order the book, send
mail to the same address.
omehow, this problem too ended up on DHS’s plate. We were supposed to figure out what could be done to improve the country's network security.
It was a snakebitten assignment. Two Presidential cybersecurity strategies – one devised by the Clinton Administration and one by the Bush Administration -- had already run into the ground before DHS was created.
Perhaps those who created DHS hoped that it could succeed where two Presidents had failed. In any event, they gave the new department responsibility for civilian cybersecurity. The National Communications System, which ensures the availability of telecommunications in the event of an emergency, was transferred from Defense. The FBI gave up its National Infrastructure Protection Center, which focused on cybersecurity (and promptly recreated the capability under another name so that it could keep fighting for the turf). The Federal Computer Incident Response Center, which handled computer incident response for civilian agencies, came over from the General Services Agency.
These offices fit well with other DHS missions. Two of its big components -- the Secret Service and Immigration and Customs Enforcement -- have cybercrime units. And DHS was supposed to protect from physical attack the critical infrastructure on which the economy depends.
In carrying out these duties, DHS could get technical help from the National Security Agency, which was in charge of protecting military and classified networks. But the responsibility for civilian cybersecurity obligations left DHS on the hot seat. If we couldn’t find a way to head off disaster, no one else in government would.
For the first few years of the department’s existence, to be candid, we didn’t accomplish much. There were lots of reasons for that. Fixing travel and border security was more urgent. Staff turnover was high and expertise thin in our cybersecurity offices. But the real reason we didn’t get far was that the same forces arrayed against change in the travel arena were lined up against change in information technology.
Businesses had staked their futures on continued exponential growth in information technology. They didn’t want policy changes that might change the slope of that curve even a little. Privacy groups instinctively opposed anything that would give the government more information about, well, about anything. And even when it was supportive, the international community was so slow to change direction that it posed an obstacle to any policy that was less than twenty years old.