Cyber Defense Agency Faces Challenges From Within

Last year, the nation's computer systems reported more than 100,000 cyber threats, or one every five minutes. The job of analyzing and preventing them was assigned to a government agency that has faced repeated criticism for lacking enough resources and authority, as well as a consistent leader, to help it accomplish an increasingly daunting task.

That agency, the U.S. Computer Emergency Readiness Team, faced more turnover at the top last Friday when Randy Vickers abruptly resigned. His replacement, Lee Rock, is the agency's fifth director in the past six years.

The Department of Homeland Security, which oversees the agency, said Vickers resigned for personal reasons. But former directors and outside experts say the job of leading the agency has become overwhelming as the threats of cyber attacks continue to mount.

"Imagine being a firefighter in West Texas where there's no fire code and the entire state is filled with arsonists," said Tom Kellermann, chief technology officer of the security firm AirPatrol Corp. "Would you keep the job for long?"

The rapid turnover of leadership at the agency raises questions about the government's cyber strategy and its ability to retain cyber personnel as hackers expose embarrassing gaps in government security. In May, Philip Reitinger, another top DHS cyber official, also resigned.

This comes as hackers have increased their focus on breaking into federal government computer systems. Over the last five years, the number of reported cyber attacks against federal networks has spiked dramatically, from about 5,500 to nearly 42,000.

Most came from hackers spreading viruses by tricking employees into revealing usernames and passwords, according to a report this spring by the Office of Management and Budget.

On Thursday, a report by the Government Accountability Office highlighted another potential weakness: less than one third of federal agencies using social media have failed to create security policies for their accounts, leaving them potentially vulnerable to hackers.

In June alone, the hacker group Lulz Security, or LulzSec, took credit for bringing down the home page of the Central Intelligence Agency and hacking the network of an Atlanta-based FBI affiliate.

Defending against the sheer volume of attacks would be a challenge for any agency, but US-CERT appears unequipped to battle today's rapidly evolving array of cyber threats, Kellermann said.

"Every single one of them has felt overwhelmed and unappreciated," Kellermann said of former agency directors. "The agency is fundamentally under-resourced. It's stretched too thin. They don’t have the capacity to do what's really necessary here."

Created in 2003, US-CERT serves as the cyber security arm of the Department of Homeland Security. Under proposed legislation from the Obama administration, the department would have an expanded role in protecting federal networks from cyber threats.

DHS officials insist the agency is on the right track. Despite Vickers' departure, "we have a continued direction and focus in prevention, preparedness and restoral responsibilities across the board," Roberta Stempfley, DHS's acting assistant secretary for cyber security and communications, told lawmakers this week.

The agency receives reports on cyber threats, issues computer security software, sends alerts about computer viruses and helps coordinate response to cyber attacks in both the public and private sector.

Last year, for example, an employee of a company accidentally inserted a virus-infected flash drive into a company laptop. The company called on US-CERT, whose employees played the role of cyber doctor, diagnosing the virus and helping to remove the infection, which spread to nearly 100 computer systems, according to congressional testimony from a DHS cyber official.

But other agencies are not required to take cybersecurity prescriptions from US-CERT, which has no enforcement authority, according to a report issued last year by DHS Inspector General Richard Skinner.

"Without the enforcement authority to implement recommendations, US-CERT continues to be hindered in coordinating the protection of federal cyberspace," the report found.

The agency has also been criticized for not having enough staff. In January 2010, the agency only had 45 employees, relying on contractors to fill staff shortages. The agency now has 72 federal employees, a DHS spokesman said.

At a conference in March, Vickers acknowledged being overextended as the agency's role expanded to coordinate cyber defense with other countries.

"We're getting a big footprint and unfortunately the footprint is growing faster than the resources," Vickers said at the Government Security Conference & Expo in Washington D.C.

Vickers also expressed confusion about the agency's role in a "cyber event of national significance," asking members of the audience whether a cyber attack against a water treatment facility in Iowa called for help from his agency.

"If anybody in this room can tell me where that threshold is, you'll probably win the new Nobel Peace Prize for cybersecurity because that is the toughest thing to define," he said.

Jerry Dixon, a former agency director, blamed staff shortages on the overly long hiring process used to fill critical positions, causing skilled personnel to take jobs in the private sector instead. Due to a rigorous clearance process, it takes the agency nine to 12 months for new applicants to begin working at the agency, according to the inspector general's report.

"You miss out on a lot of great talent that way," Dixon said in an interview.

Mischel Kwon, who resigned as agency director in 2009 after little more than a year, told a House committee in March the agency suffered from "a lack of governance and lack of authorities to carry out the poorly defined mission."

Kwon also said the agency collects "little to no real data" on the actual attacks occurring against federal computer systems and the agency was "buried too deep" within the DHS bureaucracy.

"As it stands today, US-CERT is constantly caught up in political priorities and much time is spent thrashing around, attempting to service too many projects and stakeholders," she said.

A 2008 report by the Government Accountability Office criticized the agency for not being able to predict attacks or quickly communicate them to the proper agencies. The report also said the agency was operating "without organizational stability and leadership" within DHS.

Until the agency addresses those issues, "it will not have the full complement of cyber analysis and warning capabilities essential to effectively performing its national mission," the report concluded.

Richard Stiennon, chief research analyst at IT Harvest, said the agency's role of tracking and reporting cyber threats is outdated because most companies and government agencies already receive that information from anti-virus companies.

What the agency needs to be doing, he said, is not just report current threats, but also predict those looming in the future, when hackers will devise thousands of new ways to break into the nation's cyber fortress.

"The problem is the bad guys need just one little chink in the armor," Stiennon said. "The government has to protect everything."