DHS’ Top Cybersecurity Officer Resigns

As Marc Ambinder reports, the top cybersecurity guy at DHS, Phil Reitinger, announced his resignation today. Which is pretty odd, given that Obama just rolled out his cybersecurity strategy a few days ago. Though that’s the excuse that Reitinger offered for the timing of his departure.

With significant progress having been made in activities across NPPD [National Protection and Programs Directorate], with growing recognition of DHS’s roles and authorities, and the cybersecurity legislative proposal now delivered to the Hill, it’s a logical point for me to leave the Department of Homeland Security and allow the team that we have developed together to carry our initiatives forward. [bracketed comment Ambinder’s]

Okaaayyyy then. You finally win the pissing contest between NSA and DHS over who will lead cybersecurity and then you … leave? Leaving no one to lead the program you’ve fought so hard to lead, not to mention leaving no one to lobby for the legislative proposal just sent to Congress?

Though Reitinger isn’t technically the CyberCzar, he makes at least the 10th top cybersecurity official to have left since 9/11.

Update: Here’s how his job was described when he was hired.

In addition to overseeing the department’s mandate to protect government networks, Reitinger also will be responsible for coordinating Uncle Sam’s outreach to private companies that own and operate the nation’s most vital information assets. These digital assets power everything from water and electricity distribution systems to telecommunications and transportation networks.

As I described here, one of the most sensitive aspects of the cybersecurity legislation the Administration proposed (and, I think, one of its weakest parts), is the means by which critical infrastructure entities prove to the government that they have adequate cybersecurity. It would seem really important to have continuity in this position to shepherd this part of the legislation through Congress.

Unless, of course, he’s planning on representing the industry as the bill wends its way through Congress. Or, set up one of the auditing companies that will get rich off the way the legislation was written.

  1. PeasantParty says:

    “Unless, of course, he’s planning on representing the industry as the bill wends its way through Congress. Or, set up one of the auditing companies that will get rich off the way the legislation was written.”

    You are most likely right about that. Given what the past has shown us, the people that hold offices in Washington make policy work for them outside of the Hill. Where else can you go to get guaranteed wealth and job security? It’s like the ultimate Insider Trading Scam, only they play with the bulk of taxpayers’ money instead of just a few investor classes.

    • emptywheel says:

      I actually think he’d be prevented from lobbying on the bill, at the least by O’s ethics rules. And I think even the law prevents him from immediately lobbying.

      • bobschacht says:

        He can’t lobby, maybe, but I’ll bet he could do a whole lot of “consulting,” couldn’t he?

        Bob in AZ
        PS I’m glad recess is over and the commenters are back.

  2. Watt4Bob says:

    As I described here, one of the most sensitive aspects of the cybersecurity legislation the Administration proposed (and, I think, one of its weakest parts), is the means by which critical infrastructure entities prove to the government that they have adequate cybersecurity.

    If there is one thing I have no faith in our government’s ability to assess, it’s whether those in charge of critical infrastructure are providing adequate cybersecurity.

    I’m sure they’ll spend a lot of money, waste the time of busy security personnel, and accidentally expose the vulnerabilities of the systems that they think they are protecting, but in the end, they will fail to assess whether an adequate job is being done.

    Our government cannot manage to secure its own information systems, and the primary reason for that is that the only qualifications necessary to win the contract are having rich and powerful connections.

    • onitgoes says:

      Our government cannot manage to secure its own information systems, and the primary reason for that is that the only qualifications necessary to win the contract are having rich and powerful connections.

      Bingo!

      Anymore watching the USG “in action” is like watching a Keystone Kops movie, except it ain’t funny & it’s MY money that’s being pissed into the pockets of the obscenely wealthy, who own the govt contracts, etc.

      Besides the braindead idiocy of many in Congress – TeaBaggerz, I’m esp looking at YOU (and that goes double for you, Eric Cantor, John Boehner & Michelle Bachmann) – they simply don’t have the wherewithal to freakin’ understand most of what’s going on, they’re led around by the nose by the most egregious of partisan politics rendered onto us all by the rich & powerful who are in it solely & only to make money. None of the shysters has a clue, and none of them is ever held accountable, and frankly, I don’t think any of them give a crap… as long as they get elected again or get a cushy lobbying or consulting position, it’s all: I got mine, EFF you.

      Situations like this one have become more and more common, like Heckuva Job, Brownie…

      I have no confidence in any of these clowns. There’s not one whit of difference between O’s appointments to these important posts – when O finally gets around to making a decision – and W’s.

  3. Twain says:

    Very odd timing but lots of people seem to be leaving the administration. I certainly would.

  4. Watt4Bob says:

    Situations like this one have become more and more common, like Heckuva Job, Brownie…

    Exactly, vitally important jobs being given to unqualified schmucks based solely on political considerations.

  5. Larue says:

    Unless, of course, he’s planning on representing the industry as the bill wends its way through Congress. Or, set up one of the auditing companies that will get rich off the way the legislation was written.

    Heh, I’m No. 2 quoting this one it seems.

    So, thank you EW and all FDL/MyFDL staff n diary makers for making it clear how the scam works on ANY issue.

    What we have is those who run for erection, get erected, enable, create, pass legislation to benefit those who helped them run for erection and get erected.

    Upon ejection from erection, they go back and lobby.

    Soap, wash, lather, rinse n repeat.

    N that’s how it’s.

    It’s ugly, deep and almost impossible to change without a full on collapse and rebellion. It’s impossible to reform from within, it’s too deeply entrenched and ingrained.

    LeSigh.

    • Watt4Bob says:

      It’s ugly, deep and almost impossible to change without a full on collapse and rebellion. It’s impossible to reform from within, it’s too deeply entrenched and ingrained.

      They’re working feverishly on the ‘full on collapse’, so at least we have that going for us, but as far as rebellion goes, so far it looks like a FEMA trailer with cable-TV would be enough to delay that for another ten years.

  6. Schneib says:

    The teabaggers can’t figure out why it’s not a good idea to burn the checkbook the day before the rent is due (why the debt ceiling must be increased and what will happen if it’s not). How are they ever going to figure out cyber-anythingwhatsoever?

    Why are these people being elected? Even Boner is getting frustrated dealing with these idiots- which is stupid because his pie hole remaining open and spewing is a great deal of the reason they’re there.

    Poll tests are unpopular- and regressive. However, how about a test for the elected official, and if they don’t pass they don’t get on the ballot? Do we really want someone dumb enough not to be able to pass a civics test to be in the government?

    • onitgoes says:

      Do we really want someone dumb enough not to be able to pass a civics test to be in the government?

      Not to put words in your mouth, but I would guess that you and I do NOT want that dumb person in govt. Sadly the TeaBaggerz prove that they joyously *celebrate* ignorance that knows no bounds. Guess it makes the ‘Bagger voters feel empowered or something to witness some low-IQ dunce “representing” them in Wash DC.

      The dumbing down of America has been deliberate and has worked. Ignorance is celebrated & venerated in all sorts of ways, esp on the corp-owned rightwing media. Who needs to know about cybersomethingorother, ya gotta be a GEEK to get that, yuck yuck, and who wantsta be a geek??? pass the beer, maybeline…

  7. rickg says:

    As one who toils in what might be called cybersecurity for one of those large pieces of corporate infrastructure, I believe, I may have seen some of the mega-drafts of the whole master plan. Naturally it pretty much missed the point.

    It is pretty damned difficult to defend against malicious attacks, especially when so much of the internet is based upon mobile code (e.g. Java) that provides an ideal vector for transmission. The mega proposals really didn’t address any of such fundamentals, instead larding layer upon layer of ultimately ineffective requirements for technology that can’t get the job done.

    If this gent got the domestic cyber stuff out of NSA (would we really know?) that is a net positive. Also, the military is highly unsuited to this task, as they want to play offense and go on the attack. We might need to also consider some fancy medal for him, simply for being able to survive that many ass-numbingly stupid meetings!

    Who knows though, perhaps the upside of this nonsense might be a ridiculous set of auditing standards that might provide me a means to make a living for awhile longer, in case the road runs out in the critical infrastructure.

  8. emptywheel says:

    If this gent got the domestic cyber stuff out of NSA (would we really know?) that is a net positive. Also, the military is highly unsuited to this task, as they want to play offense and go on the attack. We might need to also consider some fancy medal for him, simply for being able to survive that many ass-numbingly stupid meetings!

    Agree on this front. Plus, DOD seems to be incompetent at protecting themselves. From what I’ve read (though I’m not a techie and admittedly it’s just stuff folks have said under oath so it could be made up) I’d rather have State run this stuff than DOD.

    Who knows though, perhaps the upside of this nonsense might be a ridiculous set of auditing standards that might provide me a means to make a living for awhile longer, in case the road runs out in the critical infrastructure.

    See, now you’re thinking!

    When you say you’ve seen drafts, were they the fluff that came out of the WH w/absolutely no details, or the stuff that talked about how the audit process will work?

    If it’s the latter, was it very detailed about what immunity provided?

    • rickg says:

      Well the stuff I saw was on the technical side. There was a whole joint government-industry group putting together something more akin to the whole set of standards for what should be in place. I wasn’t a principal in the meetings, but myself and a bunch of others were asked to review it and comment.

      In reality, the Govt is really a facilitator of something like the standards; the real drivers are going to come from the companies that sell the security stuff and those who have to implement it. And there’s a whole other part that doesn’t get a lot of recognition, and that is, that despite the outfit for whom I toil having Mega fiber in the overall Internet mesh, there’s a real big difference between what we do on the inside with our own space, and with that which is used by others. People think networks need to be secure, but they are transport mechanisms. Most of the real bad stuff occurs on the things hanging off the network (servers, disks etc).

      The whole “massive attack” kind of scenario is certainly a threat, but most of the folks who are playing in the attack space are either interested in monetizing it directly or in forms of espionage. Stealth is the weapon. Ironically, the defenses needed against stealth type attacks, aren’t so much those of prevention (since that is nigh impossible) but harken back in a lot of cases to the old big iron world, and having the basic controls in place to know when you have had visitors. Often times, the stealth folks are in place for months or longer before detected! Truthfully, if the powers that be want to ensure infrastructure access and presence, there’s a lot of work to be done in building out alternate routes and physical plant, at least some of which isn’t lit or available generally. The private infrastructure companies aren’t going to build this without subsidy.

      I am always amused by the fact that the DOD folks would do things like develop “Tempest” to shield wires and computers to restrict emissions, but use the public internet for the super secret business. I guess they felt since DARPA funded the internet they should benefit from it.

  9. regulararmyfool says:

    I find it tremendously amusing that while the government moves to less and less protection for the consumer and the internet, they can piss away billions on failed technology and programs.

    There is not a single entity of the government or the contractors that has a single dime of incentive to change anything in regard to cyber security.

    You want cyber security, you go back to paper, typewriters and the USPS. It is truly that freaking simple.

    Cost? One week of the government and private industry waste on cyber security will pay for the paper, the postage and all of the extra time spent on writing by security people for a year and the filing of the actual paper. That is secure. It is not as sexy as thumb drives and cyber security, but it works.

    Remember, the secret development of the atomic bomb before computers was one hundred percent effective and secure. 250,000 people were involved and an enormous amount of taxpayer dollars, but there were no leaks.