Cybersecurity chief calls it quits after a year

The government's cybersecurity chief resigned this week after serving a year with the Homeland Security Department.

Amit Yoran, the first director of the National Cyber Security Division, said he had made "meaningful progress" protecting the government's information networks from electronic attack, and that he was leaving to spend time with his family and pursue charitable interests.

Yoran's immediate resignation came suddenly but was not surprising to a number of security industry experts, with whom Yoran had spent much of the past year forging formal alliances. They noted that his position was placed so low in the Homeland Security bureaucracy that it could not capture the full attention of the department responsible for a vast array of missions, including inspecting shipping containers and patrolling borders.

Yoran said he always had planned to keep his tenure in government short, and that he would leave after achieving certain "core objectives" to get the security division up on its feet. In the past year, the division has established a cybersecurity alert system, which sends e-mail warnings about viruses, worms and other threats to more than 250,000 subscribers, and it formed response plans that call upon multiple departments and agencies to work together during an attack, Yoran said.

Security industry officials and experts have praised those accomplishments. But recent events suggest that policymakers believe the division has failed to compel industry and the government's own agencies to improve their information security. Last week, lawmakers floated a proposal that would create a new cybersecurity position in the Office of Management and Budget, which many took as a signal that Congress felt Yoran's division didn't have sufficient clout or leverage. Before the creation of the Homeland Security unit, cybersecurity was handled by a White House official.

News of Yoran's departure disappointed many in the security industry, who generally praised him as a charismatic leader who was able to get some traction on the security front despite bureaucratic obstacles.

"We're obviously very disappointed about it," said Greg Garcia, a vice president with the Information Technology Association of America, a trade group. "We've spent more than a year working with Amit…. It's going to set us back a ways."

"The job [Yoran] was given was impossible," said Alan Paller, director of research at the SANS Institute, a security group. It "demanded agency cooperation, procurement leadership and getting senior executives at major vendors to act in the national interest before acting in their own commercial interests. It wasn't lack of skill and it wasn't bad management. It simply couldn't be done from deep inside [Homeland Security]."

Legislation pending in the House would elevate the cybersecurity director to the level of assistant secretary. The language that would have created a new security post at OMB was quashed last week.

It was unclear who would replace Yoran. "Cybersecurity will continue to be a priority for the [department] and we will move quickly to fill his position," said Homeland Security spokeswoman Katy Mynster. She added, "Mr. Yoran has been a valuable contributor on cybersecurity issues over the past year."

When Yoran came to the department a year ago, hopes were high that he could raise awareness of the danger that computer hackers posed to national security. He was a successful security industry executive and had served in government as the head of vulnerability assessment for the Defense Department's Computer Emergency Response Team. He also managed network security for the Pentagon.

In September 2003, Harris Miller, head of the Information Technology Association of America, said, "I've criticized the lack of attention that the government has paid to cybersecurity . . . but naming Amit can get them back on track."

Shortly after taking the job, Yoran said in an interview, "I have been very encouraged during my first 30 days here…. [H]ave we achieved the desired level of security? The answer is no. But are we making progress down that road? My belief is that we are."

Asked to assess the state of security a year later, Yoran said Friday, "I think we're better off a year ago and certainly better off than a few years ago." But he declined to say whether his former position should be restructured so that the government could improve cybersecurity.

"I think we were successful in achieving our objectives of achieving startup and operational capability," he said. "I'm not going to tell the department how it should be structured."

When the position was set up at the department, effectively diminishing its profile, security officials raised hackles. But Yoran said he was pleased to be moving to the trenches of cybersecurity. "Strategy and policy take place in the White House," he said in an interview with Government Executive earlier this year. "Operations and execution take place in the agencies."

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Sponsored by G Suite

    Cross-Agency Teamwork, Anytime and Anywhere

    Dan McCrae, director of IT service delivery division, National Oceanic and Atmospheric Administration (NOAA)

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Sponsored by One Identity

    One Nation Under Guard: Securing User Identities Across State and Local Government

    In 2016, the government can expect even more sophisticated threats on the horizon, making it all the more imperative that agencies enforce proper identity and access management (IAM) practices. In order to better measure the current state of IAM at the state and local level, Government Business Council (GBC) conducted an in-depth research study of state and local employees.

  • Sponsored by Aquilent

    The Next Federal Evolution of Cloud

    This GBC report explains the evolution of cloud computing in federal government, and provides an outlook for the future of the cloud in government IT.

  • Sponsored by LTC Partners, administrators of the Federal Long Term Care Insurance Program

    Approaching the Brink of Federal Retirement

    Approximately 10,000 baby boomers are reaching retirement age per day, and a growing number of federal employees are preparing themselves for the next chapter of their lives. Learn how to tackle the challenges that today's workforce faces in laying the groundwork for a smooth and secure retirement.

  • Sponsored by Hewlett Packard Enterprise

    Cyber Defense 101: Arming the Next Generation of Government Employees

    Read this issue brief to learn about the sector's most potent challenges in the new cyber landscape and how government organizations are building a robust, threat-aware infrastructure

  • Sponsored by Aquilent

    GBC Issue Brief: Cultivating Digital Services in the Federal Landscape

    Read this GBC issue brief to learn more about the current state of digital services in the government, and how key players are pushing enhancements towards a user-centric approach.


When you download a report, your information may be shared with the underwriters of that document.