Cybersecurity: As Seen Beyond the Beltway
There's been much hullabaloo over the past few weeks emanating from Washington about the departure from government service of two senior cybersecurity practitioners, Melissa Hathaway and Mischel Kwon. Some of the coverage seems near hysterical, especially when the fact that President Obama has yet to appoint a senior White House cybersecurity adviser nearly three months after saying he would.
We've had our fair share of coverage on the departures of Hathaway, the White House acting senior director of cyberspace, and Kwon, director of U.S.-CERT, as well as the absence of a cybersecurity coordinator. It's important and appropriate. But these matters will have very little impact on the current posture of federal government IT security, at least that's the view from outside the Beltway.
I just received an e-mail from Gene Spafford, the nationally recognized IT security authority from Purdue University, who responded to my query, Is President Obama's delay in naming a White House cybersecurity coordinator having any significant adverse affect in the way the federal government secures federal IT assets and the nation's critical IT infrastructure? Here's his response:
"I don't see it as having a specific adverse effect. I am unaware of any major projects or initiatives on hold until someone is appointed. I see many things being done by different agencies, acting independently. And I also know Congress has been looking into this area and is moving ahead. Having a coordinator in place might simply make things better."
Another highly respected IT security expert from the hinterlands - in this case, the Pacific Northwest - with a great understanding of how government functions is Howard Schmidt, and he, too, isn't bothered about the delay in naming a cybersecurity coordinator (some people say he should be named to the job). From a recent interview I had with Schmidt:
"Quite honestly, I have little concern about the timeframe or the position, just the fact that it has got the right people doing the right things and for the right reason.
What is unsatisfactory about the matter is not that the president has yet named a cybersecurity coordinator - indeed, Obama has been preoccupied by the national healthcare insurance debate, the faltering economy and a couple of wars in the Middle East - but the White House's refusal to publicly discuss the delay except for statements that the administration is actively searching for someone to hire. (More on this later.)
I asked Spafford what appreciable impact, if any, do the departures Hathaway and Kwon have on developing federal cybersecurity policy and/or safeguarding federal IT and the nation's critical IT infrastructure? Spaf's answer:
"Both were very capable individuals, with many established contacts and who understood many of the deeper nuances of their positions. Anyone else moving in will need to spend time and energy to recreate all that. And in the meantime, although there are capable staff members, the positions will be empty. Some decisions that may need to be made from those posts may not be made by whoever is acting in charge. Their departures could push some changes in the overall situation, but most likely they will simply generate some interest (such as this story) for a short while."
No doubt, Hathaway and Kwon are highly talented, and offered much to the government that will be missed. Though their departures may be regrettable, they're not calamitous as some in the blogosphere suggest. The government and the critical IT infrastructure will be safeguarded by thousands of individuals. What's also important is President Obama's commitment that he's serious about cybersecurity and not when the cybersecurity post is filled.
Still, to demonstrate its commitment to IT security, the White House must be more transparent about the status of the cybersecurity coordinator search and the impact the departure of key players have on IT security. Such a common-sense approach makes senses to those of those outside the Beltway.