Yoran Grilled at Senate Hearing

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,90865,00.html

By Dan Verton 
MARCH 08, 2004 
COMPUTERWORLD

WASHINGTON -- It was an inauspicious moment for Amit Yoran, the
federal cybersecurity czar.

"Have you focused on a threat assessment?" asked Sen. John Kyl
(R-Ariz.), chairman of the Senate Subcommittee on Terrorism,
Technology and Homeland Security, during a Feb. 24 hearing on
cyberterrorism. The nation is "awash in a sea of vulnerability
studies," said Kyl. But what is missing, he said, is "an accurate
threat assessment" about what the country should worry about most:  
individual hackers, nations or terrorist organizations.

For several tense moments, Yoran sat in silence and then shielded his
microphone as he whispered to a colleague from the FBI.

"Our protection strategy is threat-independent," Yoran finally
replied. Rather than focusing on specific attack profiles, "we are
developing programs and initiatives that apply to the gamut of attack
approaches," he added.

"I still haven't heard you say you have done a threat assessment,"  
responded Kyl.

Frustrated by the line of questioning, Yoran turned around and faced
an underling from the DHS and pointed angrily to a sheet of paper on
which was written "NIE."

"We'll have to wait and see what the NIE says," Yoran said, referring
to a classified National Intelligence Estimate that was scheduled to
be released within days of the hearing.

Sen. Dianne Feinstein (D-Calif.), the ranking member of the
subcommittee, also posed tough questions to Yoran, particularly about
his position within the DHS bureaucracy.

"My concern is that we don't really take cyberterrorism as seriously
as we should," said Feinstein, adding that she was troubled by the
decision to move the position once held by former cybersecurity czar
Richard Clarke from the White House to where it now sits, several
layers down in the DHS bureaucracy. "Given your lack of seniority, how
are you able to direct assistant secretaries in other directorates?"

"There are advisers within the White House who maintain a very close
awareness of cyberactivity and cyberprotection," said Yoran.

However, Clarke and his immediate successor, Howard Schmidt, both
acknowledged that the Office of Management and Budget, which has
statutory authority for cybersecurity programs, has only three people
working on the issue full time. "If they were serious about it, they
would have 20 to 30 people working it," said Clarke.

When the hearing ended, Kyl was visibly frustrated with the inability
to get direct answers from Yoran and said he didn't want to have "to
grill anybody."

But it didn't appear to be Kyl's fault. A prominent IT industry
executive who attended the hearing but did not want to be identified
by name characterized Yoran's performance as "terrible."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.