NIPC: Leadership, protocol are question marks in move

With the transfer of the National Infrastructure Protection Center (NIPC) from the U.S. Federal Bureau of Investigation (FBI) to the new U.S. Department of Homeland Security days away, top positions remain vacant at the fledgling agency and questions linger about its ability to work with other agencies and respond to cyber attacks.

The cutover will take place on March 1, when the four-year-old NIPC becomes a part of the new Directorate for Information Analysis and Infrastructure Protection (IAIP) within the Department of Homeland Security (DHS), according to Commander David Wray, a spokesman for the NIPC.

Joining the NIPC in the IAIP will be groups from a number of other agencies, including the U.S. Department of Commerce's Critical Infrastructure Assurance Office and the General Services Administration's Federal Computer Incident Response Center (FedCIRC).

Chief among the challenges facing the NIPC and the new IAIP is the loss of critical computer investigative talent that resulted from the move.

Well before the legislation creating the DHS was signed, beginning in December 2001, the FBI undertook a major reorganization. Among other changes, a new Cyber Division was created to investigate computer crimes. The FBI is retaining approximately one third of the NIPC staff who specialized in criminal intrusion and forensics to work in the Cyber Division.

The remaining two thirds of the NIPC staff, scheduled to transfer to the DHS, will focus on "broad Internet issues" and technologies related to hard infrastructure such as dams and electrical power grids, according to Wray.

However, many of the NIPC agents serving functions that are being transferred have found other jobs within the FBI to avoid the move to the DHS.

"Of the FBI folks who could have come over (to the IAIP), only about a third to a half are coming over. The rest have transferred to positions within the FBI," said Wray. Including NIPC jobs as well as other functions, the IAIP will have more than 200 open positions to fill, according to Wray.

That level of attrition is not surprising, according to those familiar with the workings of the NIPC.

"I'd bet that 85 percent of those defections are people who built a career at the FBI and see themselves as FBI," said Alan Paller, director of research, Systems Administration, Networking and Security (SANS) Institute, a research and education organization for system administrators and security professionals.

Similar levels of defection are not the norm in the other agencies that will be joining the NIPC in the IAIP, according to Wray.

"It's predominantly a phenomenon that's particular to the culture of the FBI. It would be like, if tomorrow, I was told to show up in an army uniform because I had been traded. It would be difficult to get my arms around," said Wray, whose career was in the Navy.

In addition to staff shortages, protocols governing the interaction between the IAIP and computer security counterparts in the FBI, CIA, and NSA in the event of an attack are still fuzzy.

In general, the IAIP will correlate information that comes through intelligence channels, as well as information that turns up as part of criminal investigations by the FBI, according to Wray.

"The whole idea of information sharing is that while the FBI pursues a criminal investigation, they share information with (DHS). We're using that information as well as information from the intelligence community and the private sector to determine the seriousness of the threat, see who is exposed, and mitigate the threat," Wray said.

But specifics about how that information will be shared -- especially after the former NIPC staff relocate to DHS headquarters -- are lacking, and will likely rely on established custom and professional relationships more than protocol.

"Admittedly, it's easier (to share information) when people are down the hall as opposed to across town, but the methods and relationships are still in place, and that will continue after March 1," Wray said.

Asked to explain how the IAIP would work with resources in the FBI or other agencies to respond to an outbreak such as this year's SQL Slammer or the Code Red worm, however, Wray was unable to provide details.

"We're still ironing that out. It's a fairly aggressive reorganization. I really couldn't speculate," Wray said.

Some of those policies may develop over time, as each new incident raises new problems or areas for improvement, Wray said.

The IAIP must also tackle the problem of getting its key leaders in place.

As of Thursday, most senior positions within the IAIP are vacant, including the top job of Under Secretary of Homeland Security for Information Analysis and Infrastructure Protection. Positions for an Assistant Secretary for Information Analysis and an Assistant Secretary for Infrastructure Protection are also open, according to Wray.

While understandable, given the newness of the agency, vacancies in key leadership roles may be hampering the IAIP's ability to attract top talent, according to Paller.

"If they don't have bosses, people are going to be wondering who's going to run (the IAIP) and how they're going to run it," Paller said.

Despite that fact, there has been little progress in the effort to fill those positions and it may be months before they are filled, according to a source familiar with the process.

"I have heard no names, no whispers, no hints, rumor or innuendo," the source said.

Just as pressing is the need to choose a leader for the IAIP's cyber watch unit -- the group that tracks emerging computer threats, according to Paller.

That person will be the main liaison between the IAIP and the intelligence and private sector security community, and must engender trust and respect within those communities or risk being cut out of the loop.

"The character of cyber (security) is that nobody shares data with organizations. They share it with people, and sharing is done at the technical level. So, with the staffing of the cyber watch you need someone that everyone trusts," Paller said.

If the security community feels that the IAIP lacks technical understanding or credibility, they may not pass on key information that could help prevent attacks. Conversely, security professionals will be more open if they are passing the information off to a trusted peer and feel that the information will be vital in the government's response to a threat, according to Paller.

"Washington is a place where people hoard information. But when the collector of information has high fidelity and you know that the information you share with that person is going to be shared with other people, then you have an amplification of (its) value," Paller said.

"There's a recognition that there's an awful lot to do and that we hope to have our leadership identified as soon as possible," said Wray.

"Organizations tend to flow from their leaders and having them would certainly shorten some of the debate/decision cycles we have now, but we continue to move forward to fulfill our mission regardless," he said.

Despite the challenges facing the IAIP, there is reason to be hopeful that the new agency will work through its problems and succeed.

Technical staff from the other agencies that will join the NIPC in the IAIP may well compensate for those lost in the move from the FBI and create a synergy that was impossible across agencies, allowing the IAIP to get out in front of major new vulnerabilities and attacks, according to both Paller and Wray.

"I think they have a building opportunity," said Paller. "With the right leadership, it's a cool job."

And the high stakes involved may prod those in the new agency to rise to the occasion and make the new department work.

"Everybody knows how important this is. There's a broad recognition that we need to make this work and the only way to do that is together," Wray said.
