Nor was it clear how DHS was supposed to be interacting with other agencies. If the goal was to shore up the entire federal government from potential cyber intrusions, DHS was failing miserably. During a 2004 congressional hearing, Sen. Dianne Feinstein (D-Calif.) grilled a DHS official over whether DHS had provided any directives to other federal agencies on cyber vulnerabilities—essentially, the entire point of EINSTEIN. The official responded only that DHS “works closely” with other government leaders. “I take it the answer is no,” Feinstein shot back.

Feinstein’s criticism seemed warranted: The position of NCSD director “was never strong enough and influential enough to get things done,” one DHS official told Computerworld that same year.

The first occupant of that role, Amit Yoran, lasted just a year. Despite a handful of early successes, such as the creation of the U.S. Computer Emergency Response Team (US CERT), a 24/7 incident response team responsible for helping guard the country’s internet infrastructure, Yoran grew exasperated by the division’s budget constraints, lack of authority and inability to communicate directly with the White House.

In a scathing July 2004 report, the DHS inspector general faulted NCSD for failing to more adequately secure the networks of federal agencies—blaming poor communication, a lack of internal coordination and DHS’ failure to prioritize its own initiatives. In one particularly embarrassing finding, the report noted, DHS had not yet implemented within its own department many of the protections and protocols it implored others to adopt.

Yoran resigned in October 2004 after giving just a day’s notice, amid frustrating battles for authority on Capitol Hill, including one pending intelligence reform bill that sought to strip away all of DHS’ cybersecurity responsibilities and relocate them to the Office of Management and Budget. (The idea was later removed from the bill.)

Yoran’s deputy, Andy Purdy, would ultimately spend the next two years leading the department in an “acting” capacity before it installed a formal successor—instability that came even as the threat rose.

Amit Yoran (left), director of the cyber-security division of the Department of Homeland Security, testifies during a House subcommittee hearing in June 2004. | Getty Images

In Purdy’s first month in office, a group of Chinese hackers nicknamed “Titan Rain” successfully penetrated hundreds of unclassified networks across the U.S. government, including at the Departments of Defense, State and Homeland Security. Materials lifted included flight-planning software used by the Army and the Air Force, specs for an Army aviation mission-planning system, and internal NASA and World Bank documents. Weeks later, FBI agents were notified that some of the bureau’s AT&T-operated servers had been hacked by a different gang known as “X.25,” which stole a trove of lucrative information that included a list of the FBI’s top 100 cybercrime targets as well as potential cooperators.

Yoran would later bemoan Washington’s cybersecurity culture, complaining that it was more focused on diplomas than problem solving. “There’s a phenomenal amount of paperwork around certification and accreditation,” Yoran, who today serves as CEO and chairman of Tenable, said in a 2005 interview. “There’s a significantly sized industry around Washington, D.C., running paperwork exercises on cybersecurity, as opposed to investing in improved operations and implementing security technologies.”

Such criticism was hardly unique; Richard Clarke publicly entreated the government to prop up its defenses ahead of what he feared could be a potentially crippling cyberattack. Speaking at the 2005 RSA conference, Clarke argued that Tom Ridge’s successor, Michael Chertoff, needed to figure out a basic question before he could get anything done—just who, exactly, was in charge of cybersecurity within the U.S. government? “The first thing Chertoff needs to get straight with the president is who is in charge of this issue, because if [Chertoff] is in charge, then he ought to know that,” Clarke said. “And if he is in charge of it, he ought to have some authority to direct the rest of the government.”

President George W. Bush speaks with Homeland Security Secretary Michael Chertoff at the Ronald Reagan Building in March 2005. | AP Photo/J. Scott Applewhite

After pressure from current and former department leaders, Congress agreed in fiscal year 2005 to elevate NCSD’s position to the role of an assistant secretary, shoring up its additional authority and autonomy within the DHS hierarchy. After a paralyzing 14-month search, the division finally recruited Greg Garcia—a top industry official at the Information Technology Association of America and a well-respected candidate with experience in the public and private sector—to fill the brand-new role.

The following year, DHS’ organization chart was reshuffled—yet again—to create the National Protection and Programs Directorate, or NPPD. The new directorate was designed to be America’s leading force in “detecting and eliminating threats to critical physical and cyber infrastructure,” the joint mission originally envisioned by Liscouski years before. Yet the new directorate’s sprawling subcomponents continued to lack clarity of mission, and it struggled to deliver on even its most fundamental responsibilities. A 2008 GAO report noted, for instance, that while DHS was the primary agency tasked with protecting the 17 areas of U.S. critical infrastructure from hackers, it had failed to develop plans that could adequately shield any of them. “As a result, we concluded that the nation lacked direction from the department on how to respond in such a contingency,” the report said. “We also noted that these incomplete efforts indicated DHS and the nation were not fully prepared to respond to a major internet disruption.”

There was an ongoing question of whether DHS actually brought “anything useful to bear,” recounted one former top legislative aide, particularly given how little high-level attention cyber received amid DHS’ myriad responsibilities. “Part of the challenge was that it took DHS a long time to really gain a technical skill set in this area,” the aide said. “People were questioning whether DHS was the right place to go to work if you were a cyber expert.”

The sluggish progress at DHS was hardly unique inside the government; writ large, the federal government remained slow to wake up to the cyber threat. Online attacks were not even listed on the 2007 “Worldwide Threat Assessment” list prepared by U.S. intelligence agencies, even as hackers—both rogue actors and those acting at the behest of America’s most powerful adversaries—were growing more prolific and creative by the day. In one of the most famous incidents, a malware-infected flash drive inserted into a laptop at a U.S. military base in the Middle East unleashed an aggressive computer “worm” and resulted in the “worst breach of U.S. military computers in history.” (The government’s classified effort to neutralize the malware was dubbed “Operation Buckshot Yankee,” and the damage it wrought eventually prompted the creation of U.S. Cyber Command inside the Department of Defense.)