Senators grill Homeland official on threat assessments

The chairman of a Senate Judiciary subcommittee on Tuesday questioned the Homeland Security Department official responsible for cybersecurity about whether the department was conducting threat assessments about cyber intrusions, and expressed disappointment about failure to get an answer.

Arizona Republican John Kyl, chairman of the subcommittee on Terrorism, Technology and Homeland Security, asked Amit Yoran, director of the department's National Cyber Security Division, whether his division had conducted such an assessment.

Kyl said the federal government is "awash in a sea of vulnerability studies," or analyses of weaknesses in federal computer networks, and questioned Yoran and top officials at the Justice Department and the FBI. What it lacks, however, is "an accurate threat assessment" about who has been engaging in cyber attack, whether nations, terrorists or individual hackers.

In his testimony, Yoran emphasized the need to integrate investigations of cyber attacks with investigations into physical terrorist attacks. "Rather than only focusing on specific attack profiles," he said, "we are developing programs and initiatives that apply to the gamut of attack approaches."

"Our mission extends to protecting cyber systems across the entire threat spectrum, regardless of an actor's intent," Yoran said.

"Have you focused on a threat assessment?" Kyl questioned.

"Our protection strategy is threat-independent," Yoran replied. He also said that a classified National Intelligence Estimate by Defense officials, expected this week, would provide an estimate of threat capabilities.

Noting that FBI and Justice witnesses said assessment responsibility passed to Homeland Security, Kyl persisted. "I still haven't heard you say you have done a threat assessment," he asked.

"It sees to me that the Department of Homeland Security must be carrying out a cyber-threat analysis/assessment," Kyl said. "If the FBI isn't doing it, we still need someone else to do it."

Yoran replied that his division "looks at cyber as one component of infrastructure protection. I would also add that through conducting exercises, such as Livewire, we are looking at ways to appreciate cyber as a vector" of threat. Yoran said previously that the Livewire exercise revealed gaps in coordination between government agencies and the private sector.

Subcommittee ranking member Dianne Feinstein, D-Calif., also aggressively questioned Yoran. "My concern is that we don't really take cyber terrorism as serious as we should," Feinstein said in her opening statement. "The strategy at this point is to leave this to the private sector, and I am not really sure that this is going to work."

She noted that Yoran reports to an assistant secretary at Homeland Security and not to Secretary Tom Ridge, and questioned, "given your lack of seniority, how are you able to direct assistant secretaries in other directorates" at Homeland Security about the need, for example, to toughen up cybersecurity at U.S. borders?

Yoran replied, "There are advisers within the White House who maintain a very close awareness of cyber activity and cyber protection." In response to another Feinstein question, he did not cite any instances in which Homeland Security had issued cybersecurity directives to other departments.