CIOs, CISOs Await the Cybersecurity Czar
Interview with Jim Flyzik, former Treasury CIO
"There is also some anxiety around what this might mean in terms of who is in charge and what will be the additional work and responsibilities mandated," says Jim Flyzik, the former Treasury CIO and White House IT advisor on homeland security, in an interview with the Information Security Media Group. "CIOs are always concerned about mandates coming from the OMB or the White House or whatever. If there is a mandate, I am sure they will be concerned about whether or not there is funding behind it." (Read the transcript of the interview below.)
Despite some unease, Flyzik says, CIOs and especially CISOs are heartened by Obama's commitment to IT security. "The fact that cybersecurity is now getting so much priority attention ... is something that they have been trying to attain for a long, long time," he says. "They have kind of been seen as the sky-is-falling people in the past, talking about all these issues. People would listen but no one would take action, so I think now they are excited that maybe we will see some action being taken."
Flyzik is as well connected as anyone in Washington's government IT community. He spent 27 years in government, most notably as chief information officer of the Treasury Department and White House IT advisor on homeland security. Today, he heads his own consultancy, The Jim Flyzik Group, and hosts a monthly radio program, The Federal Executive Forum, on a local Washington radio station.
Flyzik spoke with Eric Chabrow, managing editor of GovInfoSecurity.com.
ERIC CHABROW: President Obama made the big splash a few weeks ago announcing a cybersecurity policy, but there's been a lot of silence since then from the White House. What's going on?
JIM FLYZIK: The agencies are all in the planning process, they are all looking at what they are going to need to do and activity going on. I know the industry, the integrators and the companies that are involved in the security space; they are all putting together their value propositions and their business cases and so forth.
There is a lot of anticipation of other business opportunities coming in this cybersecurity space. There are still folks waiting for the announcement of who will be the so-called cybersecurity czar; who is going to fill that job.
People are waiting to see how it will be finally organized and structured and where will the relative responsibilities exist between the intelligence community, National Security Agency, the White House, and the Department of Homeland Security. There are still a lot of questions that are buzzing around town, and until those questions are answered, people are more in the planning mode as opposed to the actual doing mode.
CHABROW: What would be some of those questions?
FLYZIK: The questions I think are who is the cyber czar and what will be the relative responsibilities of the various entities that are involved in this, being the Director of National Intelligence, the NSA, the Department of Homeland Security, the White House itself, other agencies around town, what about NIST and Standards, what about GSA and government-wide programs such as the trusted internet connections?
There is a governance issue that still is not clear. People are anticipating that once this individual (is named) ... it will sort of be the spark that fuels the fire to get the process moving a lot faster.
CHABROW: Is one of the delays perhaps the debates going on in the White House about how senior an official this cybersecurity coordinator should be?
FLYZIK: There is a lot of talk about how close will this person be to the president and the chains of command. You know they are talking about the National Security Council as well as the National Economic Council in the White House will both play roles.
Yes, I think there is some question about the authority of this person and whether the person will actually have the ear of the president. I think the President in his speech said that yes, this person will have my backing and I will be there, but people are waiting to see exactly how that plays out.
CHABROW: Could there be some kind of negotiation with a potential candidate in accepting a job based on how senior-ranking that person is?
FLYZIK: If somebody is currently a marquee name in the cybersecurity industry, I think that individual would have some expectation of a very high-visibility position and access to the president. If you want to go for like a big marquee name and a well-known player, they are clearly not going to be as excited if the job is seen as being very well down in the bureaucracy.
It is like any other job out there: when somebody who has a strong reputation in the IT community is approached about a position in the administration, one of the things that they are naturally concerned about is the reporting level, the authority and the responsibility, because you want to be effective and get things done, and that is going to take a certain level of authority, whether it be statutory authority that comes from the Congress or authority that is given to you because of the nature of where you are and the fact that you do have, say, the President's ear. That in and of itself will give you an immediate level of credibility and authority.
CHABROW: As you know, there are several bills in the Senate addressing cybersecurity introduced by Senators Tom Carper and Jay Rockefeller. How much will these measures be influenced by what happens in the White House? Will the White House be basically dictating to Congress?
FLYZIK: I don't think the White House ever dictates to Congress. The White House clearly will let its position be known to the Congress. As always, there is going to be some give and take and back and forth and negotiations required to actually get legislation done. There are certain things that the president or the executive branch can do on its own and there are other things that require the approval of the Congress.
The question on cybersecurity will be, what kinds of things can the president or the executive branch move out and put in place versus what items will need statutory authority through Congress? Obviously, if it requires legislative action, it will add time.
CHABROW: Can there be certain conflicts that will be hard to resolve? The one I think about is the White House Office of Cyberspace, which was recommended by the Commission on Cybersecurity for the 44th Presidency and backed by several lawmakers, but President Obama doesn't seem to be going in that direction.
FLYZIK: Whenever someone comes out publicly with a position, you are going to read right away about some opposition from those who believe they have a better solution. This is normal and I don't think there is anything unusual going on in terms of the question of having a cyber command and how that might exist. Like anything else, it is going to play its way out.
One thing I feel very, very certain about is that the cybersecurity issue is now a major priority and will be work. This isn't something where we did a speech and so forth and it disappears and we don't hear about it again. We are going to continually hear about cybersecurity programs, there will be spending and there will be money behind it, and it is going to generate a lot of new business opportunities for a lot of companies.
CHABROW: How are departmental and agency chief information officers and chief information security officers - those in the trenches - reacting to what's going on?
FLYZIK: CISOs for a long time have been struggling to make cybersecurity a priority and to get funding. Cybersecurity has traditionally been something that everybody nods their head in violent agreement that we have got to do something, but we really haven't seen the money and resources to address it.
The CISOs, the information security officers, are probably excited about the fact that cybersecurity is now getting so much priority attention, which is something that they have been trying to attain for a long, long time. They have kind of been seen as the sky-is-falling people in the past, talking about all these issues. People would listen but no one would take action, so I think now they are excited that maybe we will see some action being taken.
I think CIOs feel the same way. There is also some anxiety around what this might mean in terms of who is in charge and what will be the additional work and responsibilities mandated. CIOs are always concerned about mandates coming from the OMB or the White House or whatever. If there is a mandate, I am sure they will be concerned about whether or not there is funding behind it.