Cybersecurity chief calls it quits after a year
Amit Yoran, the first director of the National Cyber Security Division, said he had made "meaningful progress" protecting the government's information networks from electronic attack, and that he was leaving to spend time with his family and pursue charitable interests.
Yoran's immediate resignation came suddenly but was not surprising to a number of security industry experts, with whom Yoran had spent much of the past year forging formal alliances. They noted that his position was placed so low in the Homeland Security bureaucracy that it could not capture the full attention of the department responsible for a vast array of missions, including inspecting shipping containers and patrolling borders.
Yoran said he always had planned to keep his tenure in government short, and that he would leave after achieving certain "core objectives" to get the security division up on its feet. In the past year, the division has established a cybersecurity alert system, which sends e-mail warnings about viruses, worms and other threats to more than 250,000 subscribers, and it formed response plans that call upon multiple departments and agencies to work together during an attack, Yoran said.
Security industry officials and experts have praised those accomplishments. But recent events suggest that policymakers believe the division has failed to compel industry and the government's own agencies to improve their information security. Last week, lawmakers floated a proposal that would create a new cybersecurity position in the Office of Management and Budget, which many took as a signal that Congress felt Yoran's division didn't have sufficient clout or leverage. Before the creation of the Homeland Security unit, cybersecurity was handled by a White House official.
News of Yoran's departure disappointed many in the security industry, who generally praised him as a charismatic leader who was able to get some traction on the security front despite bureaucratic obstacles.
"We're obviously very disappointed about it," said Greg Garcia, a vice president with the Information Technology Association of America, a trade group. "We've spent more than a year working with Amit…. It's going to set us back a ways."
"The job [Yoran] was given was impossible," said Alan Paller, director of research at the SANS Institute, a security group. It "demanded agency cooperation, procurement leadership and getting senior executives at major vendors to act in the national interest before acting in their own commercial interests. It wasn't lack of skill and it wasn't bad management. It simply couldn't be done from deep inside [Homeland Security]."
Legislation pending in the House would elevate the cybersecurity director to the level of assistant secretary. The language that would have created a new security post at OMB was quashed last week.
It was unclear who would replace Yoran. "Cybersecurity will continue to be a priority for the [department] and we will move quickly to fill his position," said Homeland Security spokeswoman Katy Mynster. She added, "Mr. Yoran has been a valuable contributor on cybersecurity issues over the past year."
When Yoran came to the department a year ago, hopes were high that he could raise awareness of the danger that computer hackers posed to national security. He was a successful security industry executive and had served in government as the head of vulnerability assessment for the Defense Department's Computer Emergency Response Team. He also managed network security for the Pentagon.
In September 2003, Harris Miller, head of the Information Technology Association of America, said, "I've criticized the lack of attention that the government has paid to cybersecurity . . . but naming Amit can get them back on track."
Shortly after taking the job, Yoran said in an interview, "I have been very encouraged during my first 30 days here…. [H]ave we achieved the desired level of security? The answer is no. But are we making progress down that road? My belief is that we are."
Asked to assess the state of security a year later, Yoran said Friday, "I think we're better off a year ago and certainly better off than a few years ago." But he declined to say whether his former position should be restructured so that the government could improve cybersecurity.
"I think we were successful in achieving our objectives of achieving startup and operational capability," he said. "I'm not going to tell the department how it should be structured."
When the position was set up at the department, effectively diminishing its profile, security officials raised hackles. But Yoran said he was pleased to be moving to the trenches of cybersecurity. "Strategy and policy take place in the White House," he said in an interview with Government Executive earlier this year. "Operations and execution take place in the agencies."