The new US Assistant Secretary for Cyber Security

I am not sure what to make of the news that a former employee of the Information Technology Association of America (ITAA) has been appointed Assistant Secretary for Cyber Security.

First of all, SourceWatch has some extremely disturbing background information on the lobbying done by the ITAA on behalf of electronic voting companies:

ITAA has also tried to help its electronic voting machine manufacturer members combat an onslaught of negative publicity from technical problems, faulty security measures, concerns raised by computer scientists and security experts, and perceived conflicts of interest of company executives (especially Diebold Election Systems). It drafted a proposed PR plan for e-voting companies to “generate positive public perception.”[12], Draft of PR plan (PDF)

ITAA has opposed one of the more modest demands of e-voting critics — a paper receipt verifying each vote. ITAA president Harris Miller was quoted in the May 2004 issue of Congressional Quarterly’s Governing Magazine: “I think that the paper verification system is kind of giving people a false sense of security… I can give you a receipt, but if I started out the day by stuffing the ballot box with 50 ballots for Bush, I haven’t actually done anything to make the system secure.” In the same article, the Election Technology Council is identified as a new trade group within ITAA for voting machine manufacturers.

This stands in contradiction to Harris’ earlier remarks at the December 2003 press conference announcing the launch of the Election Technology Council, the e-voting machine manufacturers’ trade group: “The customer is always right. If the state and local election officials want paper ballots, the industry will provide those,” he remarked.[13]

If you work in information security I highly recommend you check out the “Draft of PR Plan” for Diebold. Oh, and you probably should make sure nothing breakable is near you when you read it.

Second, who is Greg Garcia? Here is Chertoff’s perspective, perhaps released by the ITAA, published on the Government Technology site:

“Greg joins the department from the Information Technology Association of America, where he was vice president for Information Security Policy and Programs. In that capacity, Greg led the public debate on cyber security policy and national cyber readiness.”

Led the public debate? I am having a hard time finding evidence of his existence prior to this announcement, let alone an outspoken role on US cyber security. Chertoff continued:

“He has worked closely with the department over the past few years in his role on the IT Sector Coordinating Council and working with industry to found the National Cyber Security Partnership. Greg helped to draft and enact the Cyber Security Research and Development Act of 2002 during his tenure with the U.S. House of Representatives Committee on Science.”

I confess I had to look up the NCSP. Even though I have been actively involved in information security in the private and public sectors for more than twelve years, I cannot say the NCSP rings any bells. News.com provides an executive summary of their work:

Some security experts criticized the proposals as a way for companies to dodge any responsibility for the morass of security issues that plague firms and people on the Internet, a charge similar to that leveled against the National Strategy to Secure Cyberspace, which recommends that each Internet participant learn to secure his or her portion of the online domain.

That seems rather harsh, but what results have we seen since 2004? And on that note, the CSRDA was an allocation of $880 million over five years for research in cyber security. Wired described it this way:

Claiming that the Internet may be terrorists’ next target, the U.S. House of Representatives voted on Thursday to create a new generation of “cyber warriors” to protect America’s critical infrastructures.

Interesting. With only one year of funding left, I wonder how the new generation of information security students will emerge. Will the “cyber warriors” be realized, or are they ready? Can’t say I have heard much about them or the programs since the money was allocated, and yet there have been a number of high profile breaches during that same time. I searched through all the documentation provided by the House of Representatives on HR3394 and I also did not find mention of Greg’s name. I guess lobbyists who help draft the resolutions aren’t supposed to get the recognition, so no surprise there. Chertoff continued:

“Greg has also worked to strengthen encryption control regulations while with the Americans for Computer Privacy and he was active on international trade and IT policy at the American Electronics Association.”

As in the multi-million dollar lobbyist campaign to get Congress to relax export controls? Hm, that’s interesting. Wonder if he was working for Ed Gillespie. You may draw your own conclusions but this all reminds me of some other “surprise” appointments by the Bush administration. They are hard to pin down on the issues because they really do not want you to discuss facts and find out something you might not agree with. PR for hackable voting machines and working papers that transfer liability from corporations to consumers? Where does he stand on the issues? Let us hope Greg is able to turn the tide on the Bush administration and rein in corporate governance issues that precipitate security risks. But what are the odds, really.
