An Assessment: Cybersecurity Reform Reality CheckEarly-in-the-Year Optimism Fades as Fissures Appear
Just weeks earlier, a prestigious, nonpartisan commission of legislators, policymakers and computer experts - the Commission on Cybersecurity for the 44th Presidency - issued a highly praised report providing the blueprint on how government could reorganize to battle the threats facing federal computer systems and the nation's critical IT infrastructure. Among its chief recommendations: the establishment of an Office of Cyberspace within the White House to oversee the federal government's response to the cyber menace.
The new tech-savvy, BlackBerry-toting president acted swiftly after taking office, naming a champion of Web 2.0 technologies, Vivek Kundra, as federal CIO, and tapping senior National Security Agency policy adviser Melissa Hathaway to conduct a sweeping review of the government's cybersecurity posture. As Hathaway conducted her "60-day review" - which stretched to nearly 100 days - lawmakers introduced bills to reform the way the government governs IT security, most notably the U.S. Information and Communications Enhancement Act, sponsored by Sen. Tom Carper, D.-Del., and the Cybersecurity Act, sponsored by Sens. Jay Rockefeller, D.-W.Va., and Olympia Snowe, R.-Maine.
In late May, after Hathaway submitted her report, Obama unveiled his cybersecurity agenda in a White House speech, including his intent to name a White House cybersecurity adviser. The speech proved to be the apex of cybersecurity optimism for the year. The president wasn't even back to the Oval Office when the grumbling began. In his speech, Obama characterized the cybersecurity adviser as a coordinator, with the official not reporting to the president, but to two White House chieftains: National Security Adviser James Jones and National Economic Council Chairman Lawrence Summers. A quarter of a year later, the post remains unfilled.
While lawmakers returned home for the August recess, their staffs busily revised the cybersecurity legislation. The Rockefeller-Snowe measure softened a provision to grant the president the power to shutter Internet traffic to and from federal networks and the nation's critical IT infrastructure during a cyber emergency. The Carper bill axed a provision establishing the White House cyber office, and gave additional authority to shape government IT security policy to the Department of Homeland Security.
Meanwhile, events of this past summer reminded us about the real and virtual challenges the government faces in securing IT. Two highly regarded cybersecurity officials, Hathaway and U.S. CERT Director Mischel Kwon, announced their departure from government service. Over the Independence Day weekend, hackers assaulted a number of government websites. A month later, several congressional representatives reported virtual assaults on their homepages, too.
But the shift in this perceived attitude is just how Washington operates. Nothing remains as upbeat as it seems at the onset. Just look at healthcare reform. And cybersecurity reform - which has bipartisan support - is in much better shape than that.
True, as Congress returns from its August recesses, the squabbling will continue over how senior a White House cybersecurity adviser should be, or whether Homeland Security should be given more authority to control IT security policy, or if the president should be granted the power to halt some Net traffic in a cyber emergency. These are just the details. The fundamentals -- that the government must organize in a collaborative way to address cybersecurity threats -- will likely be achieved if not in this session of Congress, then in the next one.
Indeed, back in February, Carper predicted the president would sign in the Rose Garden legislation to reform the Federal Information Security Act on the senator's birthday: Jan. 23.