White House Must Lead: Melissa Hathaway, White House Cybersecurity Policy Review Leader - Part 2
"There are just not that many people who have that kind of resume and have the experience within government and within the private sector that is going to be necessary to help really lead both the government and the private sector forward as what is needed for the president," said Melissa Hathaway, who led Obama's 60-day cybersecurity policy review earlier this year and whose report helped shape the job description of the cybersecurity coordinator, who would report to the heads of the National Security Council and the National Economic Council.
In an interview with GovInfoSecurity.com (transcript below), Hathaway addresses the potential hard not having a cybersecurity coordinator presents.
"Certainly, if there was a champion and an advocate within the government right now that could be out more aggressively working with the private sector, that that would be helpful to galvanize things," she said. "Certainly, we don't have the momentum that we could currently."
Among the topics Hathaway addresses in the second of a two-part interview with GovInfoSecurity.com's Eric Chabrow:
- Cybersecurity Coordinator: Why she thinks Sen. Susan Collins, R.-Maine, is wrong is proposing the senior cybersecurity adviser be placed in the Department of Homeland Security and not the White House.
- International Cybersecurity Collaboration: The international nature of the Internet and a global economy means the United States cannot act alone to secure information assets.
- E-commerce and Online Banking: "It's important to have better credentialing and authentication of customers online in order to assure the security with banking and e-commerce broadly."
In Part 1 of the interview (click here), Hathaway said government and business must think creatively to help safeguard America's digital assets. She also addressed the critical posture of cybersecurity in the United States, the importance of government and private-sector collaboration on cybersecurity and the need to use the government's massive purchasing power to require security-ready IT wares.
President Obama in February named Hathaway White House acting senior director of cybersecurity and assigned her to lead a wide-ranging, interagency review the government's cybersecurity plans and activities. Her review resulted in the administration's cybersecurity policy agenda the president unveiled in May.
She resigned her White House job in August, and shortly thereafter started the consultancy, Hathaway Global Strategies, and this fall joined the Belfer Center for Science and International Affair at Harvard University's Kennedy School of Government as a senior adviser.
Hathaway is a protégé of retired Adm. Mike McConnell, who served until earlier this year as the National Intelligence director. Under McConnell, Hathaway served as a senior advisor and cyber coordination executive. She chaired the National Cyber Study Group, contributing to the development of the Comprehensive National Cybersecurity Initiative. That led to her appointment as director of the Joint Interagency Cyber Task Force in January 2008. At the business consultancy Booz Allen, where she first worked with McConnell, Hathaway served as a cybersecurity strategist, leading the information operations and long-range strategy and policy support business units.
Hathaway holds a BA from American University and a special certificate in information operations at the U.S. Armed Force Staff College.
ERIC CHABROW: You're a senior adviser at the Harvard Kennedy School's Belfer Center for Science and International Affairs. How does collaborating internationally benefit the security of America's critical IT systems?
MELISSA HATHAWAY: There are more than 20 different international bodies that are designing and/or voting for the next generation standards for the technology. And principal to that is the UN International Telecommunications Union, and secondarily to that would be the ICANN Internet Governance Forum or the Internet Engineering Task Force. One is treaty-based ,International Telecommunications Union of the UN, and the other one is really voluntary based or sort of grass roots, and if you don't participate in the standards making then you won't necessarily to be able to have your technology sold on the front lines or across all of the different borders, and that is what actually allows us to be interoperable internationally across the standards.
A good example of that would be how the Internet actually works, with different root servers and that your e-mail can go anywhere around the world just because everybody has generally agreed to the same standard.
The second example would be the world wide web or USB devices; everybody is designing their computers so that you can stick a USB into the computer and allow for the easy movement of data.
There is another set of international bodies that are then talking about policy formulation and policy synchronization as well as behavior, and in and on that telecommunications backbone and/or the Internet. And that includes military and law enforcement organizations like NATO and the UN, Organization of American States as well as economic forums like Asia Pacific Economic Cooperation, Organization for Economic Cooperation and Development or Group of Eight
If you start to think about all of these different international bodies that are determining or working together to try to determine what is a crime in cyberspace or on the Internet and what is an active war or active aggression and how should we all work together internationally to enable and ensure that that global backbone can enable our global economies respectively, it is very important to work the international sphere. The United States can't do it alone and our private sector can't do it alone. It certainly has to be an international approach to moving everybody's security posture into a better place.
CHABROW: Who is the greatest threat to our country? Are they criminals? Are they nation states? Are they terrorists?
HATHAWAY: There is a wide range of people and/or entities that are able to do harm to either our networks or our enterprises and ranges from just individual hackers to organized crime to terrorist organizations to nation states. Right now, it is a very low bar to entry, even the distributed denial of service attacks that the United States and other countries experienced in July, we are not all that sophisticated but they definitely reeked a fair amount of havoc.
CHABROW: You worked in the White House. Why do you think that we have yet to have a cybersecurity coordinator?
HATHAWAY: The cybersecurity coordinator has got to have a unique set of skills that have both national security background and an economic security background or an appreciation of the economics. There are just not that many people who have that kind of resume and have the experience within government and within the private sector that is going to be necessary to help really lead both the government and the private sector forward as what is needed for the president.
CHABROW: Are we harmed at all by not having one yet?
HATHAWAY: Certainly, if there was a champion and an advocate within the government right now that could be out more aggressively working with the private sector, that that would be helpful to galvanize things. Certainly, we don't have the momentum that we could currently.
CHABROW: Some would say maybe partly Homeland Security is doing some of that right now, the Secretary Napolitano and other top aides there in the cybersecurity area seem to be very vocal and seem to be taking the ball and moving with cybersecurity as something that the whole nation should be concerned about.
HATHAWAY: Certainly, the Department of Homeland Security is doing a great job. October was Cybersecurity Awareness Month where they held many forums, in and out of the government and in the private sector, to raise awareness. The Department of Defense is moving forward in the establishment of cyber commands and there are other parts of the government, the Department of Commerce has just elevated and appointed somebody for setting the standards within NIST. So the government is moving out on a number of different areas, but sometimes you need a coach or the team lead to help get everybody continuing to work toward specific goals. I think that is something that we need. but in the meantime everybody is doing their parts, which is good.
CHABROW: Sen. Susan Collins of Maine, as you know, is the ranking Republican on the Senate Homeland Security and Governmental Affairs Committee, has proposed establishing the senior cybersecurity adviser position within the Department Homeland Security, although it would be confirmed by the Senate. She said that person would be looking over the federal government's non-military cybersecurity coordination and would also advise the president. Do you think it is a good idea placing that position in Homeland Security?
HATHAWAY: No. There needs to be leadership out of the White House. There are many reports that have been written that if you establish a lead in one particular agency, they don't necessarily have the authoritative responsibility over all of the other departments and agencies. While I think it is important to have leadership at the Department of Homeland Security, without having the leadership at the White House, you will not be able to really drive the federal government in the direction that it needs to go.
CHABROW: Do you think we will be hearing in the next few weeks or sooner the naming of a cybersecurity coordinator?
HATHAWAY: I am hopeful. I have no idea what the current timeframe is for the appointment of the cybersecurity coordinator.
CHABROW: Now that you have left government service, what personal involvement will you have in helping develop the nation's cyber defense? Are you on any committees, commissions, are you advising the administrations, members of Congress formally or informally?
HATHAWAY: I am working personally on trying to move forward on the recommendations that were put forth in the Cyberspace Policy Review. I am participating in the Center for Strategic International Studies' Commission phase two, which is the Cybersecurity for the 44th Presidency; they're writing a second report. I am writing often about what needs to be done and I am advising, when asked, the government and/or Congress with my opinion on what I think needs to be done.
CHABROW: Your consultancy, who are your clients?
HATHAWAY: I am currently working with the Harvard Kennedy School and Law School, and working on a joint project with Harvard and MIT for the Department of Defense. I am actively supporting (military/intelligence IT provider) ManTech International and am in conversation with a number of other Fortune 100 companies. In addition to that, I am supporting the director of National Intelligence on an as needed basis.
CHABROW: How secure should the public individuals feel about banking or shopping online?
HATHAWAY: E-commerce fraud is up significantly, I think over 70 percent, that is a recent statistic that I saw. It is important to have better credentialing and authentication of customers online in order to ensure their security with banking and e-commerce broadly.
CHABROW: Do you bank or shop online?
HATHAWAY: Occasionally, I shop online and I do not do banking online.
CHABROW: Is that because you don't trust the current environment?
HATHAWAY: I believe that the banks will certainly cover all liability if your accounts were taken, but I just don't have the comfort level of e-commerce yet based on the current technology.
CHABROW: Was that always your feeling or that something you have discovered recently?
HATHAWAY: No, it has actually always been my feeling.
CHABROW: So someone like me should think twice about my online banking?
HATHAWAY: Certainly your bank will cover you if there is a problem, but I think that as you are going to perhaps an unknown vendor out in cyberspace and you are going to give them your credit card, you should think twice about that.
CHABROW: But you say you do that occasionally?