Hiring decision for cybersecurity chief near, official says

New Homeland Security assistant secretary would not need to be confirmed by the Senate.

A Homeland Security Department official assured members of Congress on Wednesday that the agency is close to hiring a cybersecurity czar.

Undersecretary for Preparedness George Foresman said at a House Energy and Commerce Telecommunications and the Internet Subcommittee hearing that Homeland Security is doing a background check on a candidate now and expects to make the announcement soon.

Subcommittee Chairman Fred Upton, R-Mich., called an upcoming cyber czar announcement "the best news we've had this morning."

Foresman said the new assistant secretary would not need to be confirmed by the Senate. The position was announced more than a year ago, and lawmakers expressed frustration that it has remained unfilled. "That the position and others remain vacant conveys a clear lack of appreciation for the nation's real and mounting cyber threats," said full committee ranking Democrat John Dingell of Michigan.

"To have gone this long without any attention to this is dangerous to this country," said Rep. Anna Eshoo, D-Calif. "We've placed ourselves in a real ditch here by the administration not naming someone."

Foresman said hiring someone for the position has been his top priority since becoming undersecretary in January, but several candidates recruited from industry dropped out of contention.

Eshoo pressed Foresman, saying that his other responsibilities for preparedness and a lack of a cybersecurity czar have resulted in no real plan to pull business, industry and the private sector together in the event of a major disaster impacting Internet service.

The hearing examined a Government Accountability Office report that said Homeland Security has initiated programs to recover Internet services, but those plans are incomplete and not comprehensive.

"It is unclear what government entity is in charge, what the government role should be and when the government should get involved," said David Powner, GAO's director of information technology management issues.

"Progress is being made every day and there is more to be done," Foresman said.

Foresman said Homeland Security's delay in producing a comprehensive cyber plan stems partly from holding numerous meetings to get private industry input rather than mandating a solution. Foresman said the department has built trust with industry and worked closely with Microsoft recently as it fixed a security problem.

Vincent Weafer, Symantec's senior security response director, warned that the nature of cyber attacks has changed dramatically in the past few years. He said from 2002 to 2004, there were 100 medium- to high-risk attacks. "Last year there were six, and so far in 2006 there were none."

Weafer credited headway in containing and repelling attacks but said the reasons for attacks and the types of attacks have grown more sophisticated. Attackers once wanted to destroy data or gain notoriety, but attacks now are "designed to silently steal data for profit or advantage without leaving behind the system damage that would be noticeable to the user."

Larry Clinton, chief operating officer of the Internet Security Alliance, said Congress needs to offer incentives like tax breaks for research and development for companies to adopt best security practices.