"The fact that the president, in the first time in my memory, made a major speech about cybersecurity, talked about it as a national priority, spoke about it as being a major priority for his administration ... and that he created office which would have cross organizational responsibility is significant," said Dan Chenok, chairman of the government's Information Security and Privacy Advisory Board.
Karen Evans, who until January served for more than five years as administrator for e-government and IT in the White House Office of Management and Budget, the nation's de facto chief information office, praised Obama for raising the importance of cybersecurity in the federal government. "I am excited about the recognition of the issue and the release of the study," she said.
Evans, among others, expressed disappointment that Obama had delayed selecting the official who will coordinate cybersecurity policy from the White House. "A lot of people are looking for a name," said Scott Charbo, former CIO and deputy undersecretary for the National Protection and Programs Directorate at Department of Homeland Security.
Still, the fact that cybersecurity will be coordinated by a White House official - regardless of who the president names - is seen as crucial. "What gets my attention is that perhaps a single 'czar' may finally suppress the inter-agency responsibility struggles and may finally settle the lax accountability that some organizations have shown," said Ray Bjorklund, senior vice president and chief knowledge officer of FedSources, a firm that advises vendors doing IT business with the government. "In many ways, the agencies will welcome centralized leadership over this matter, instead of relying on DHS for one thing, NIST for another, NSA for something else, and so on."
But one former senior Homeland Security officials suggested the White House may have too many chefs stirring the pot trying to create the right recipe to secure government IT. Greg Garcia, an assistant secretary for cybersecurity and communications at the Department of Homeland Security in the Bush administration, noted that the Executive Office of the President will have a cybersecurity coordinator - who will report to the National Security Council and National Economic Council - as well as a chief information officer and chief technology officer. Such an environment, he said, "will add unnecessary confusion in the management structure and its engagement with the federal agencies."
Garcia, an independent consultant, characterized the Obama plan, not as something new, but as an evolution of the Bush administration's cybersecurity programs, including last year's multi-agency Comprehensive National Cybersecurity Initiative. "A czar will only be effective if they clearly define agency roles and responsibilities and hold them accountable without micromanaging the effort and slowing down the operational execution for which the agencies have responsibility," Garcia said. "We've already lost time with a 60-day review that turned into 110 days." The last comment referred to the so-called 60-day review headed by White House security advisor Melissa Hathaway of the government's cybersecurity policies and procedures that began in February.
Garcia's former Homeland Security colleague Charbo, an Accenture vice president for cybersecurity and telecommunications, wasn't critical of the plan, and felt the president hit the right points, but wanted to hear more about how the administration will measure whether the new policy works. "You need to determine some metrics and clear outcomes to determine whether we're getting safer in cyberspace," Charbo said.
Indeed, the president's plan mapped out a cybersecurity strategy at the 50,000-foot level, leaving many details to be developed in the coming months. That could make the federal IT workforce responsible for securing government IT - the CIOs, chief information security officers and others in the trenches - a bit antsy. "Their anxious to see these things happening," Charbo said. "A lot of them are probably fairly concerned about what does this mean to them; how is this going to change what they do."
As the nation awaits the new cybersecurity leader, the person to be chosen, will not be as highly placed in the White House as some had hoped. The president's plan does not establish a White House Office of Cyberspace, with its head reporting directly to the president, as proposed by some in Congress and the highly respected Commission on Cybersecurity for the 44th Presidency, sponsored by the Washington think tank, the Center for Strategic and International Studies. That doesn't bother commission member Chenok, the advisory board chairman who once served as the most senior, non-political executive in OMB. "Even if it didn't look exactly what the CSIS commission recommended," he said, "it's a major step forward."