Impact on Cybersecurity Without a 'Czar'
No Major Problem Seen, for Now
GovInfoSecurity.com queried some leading experts in government and cybersecurity to get their take on the continuing vacancy of a White House cybersecurity coordinator, a position President Obama outlined in a late May address on cybersecurity, and on the departures from government of Melissa Hathaway, White House acting senior director of cyberspace who conducted the "60-day" review of federal cybersecurity posture, and Mischel Kwon, director of U.S.-CERT, the Department of Homeland Security unit that coordinates public- and private-sector response to cyber attacks.
The experts, who responded to our questions by e-mail, include Ray Bjorkland, senior vice president and chief knowledge officer at FedSources, a government IT advisory firm; Greg Garcia, former assistant secretary for cybersecurity at the Department of Homeland Security; Eugene Spafford, a professor of computer science at Purdue University and a leading IT security expert who has testified before Congress; and Thomas Stanton, a fellow at the Center for the Study of American Government at Johns Hopkins University who has written about cybersecurity.
Is President Obama's delay in naming a White House cybersecurity coordinator having any significant adverse effect on the way the federal government secures federal IT assets and the nation's critical IT infrastructure?
Bjorkland: When key leadership positions go unfilled, there is almost always some adverse effect, usually resulting in inaction. But U.S. cybersecurity is not a new initiative. Our military and civilian agencies are pretty good at it. What's missing is coherent coordination of the many federal thrusts, coordination that could result in a more efficient (economical) defense or an even more effective cyber posture.
Garcia: Clearly, there's ample anticipation about who will come in and start the process of coordinating government decision making in cybersecurity. While this slows momentum palpably, at an operational level there shouldn't be any problems in executing day-to-day monitoring and incident response in its current form. But certainly a number of broader policy and budget decisions will be on hold until they get through this period of suspended animation.
Spafford: I don't see it as having a specific adverse effect. I am unaware of any major projects or initiatives on hold until someone is appointed. I see many things being done by different agencies, acting independently. And, I also know Congress has been looking into this area and is moving ahead. Having a coordinator in place might simply make things better.
Stanton: The appointment of a cybersecurity coordinator is an essential first step in developing and implementing a realistic and effective cybersecurity plan, both for the government and for the private sector. Given the growing threat of cyberattacks, delay in developing and implementing a workable plan is very serious. It is serious, not only because we should be building protection more rapidly, but also for what it shows about the difficulty of filling this position and getting the job done.
As the president proposed, the cybersecurity coordinator would report to the National Security Council and the National Economic Council. Is that a good idea?
Garcia: How many bosses with differing -- and sometimes conflicting -- mission objectives would you want?
Stanton: The problem of cyber defense is a problem of management and resources. The big question is not to whom the cyber coordinator reports, but rather what capacity that person has to get the job done.
Spafford: Cybersecurity is an issue of national security. It is also an issue of national economics. But it is also an issue of crime, education, efficiency, trade, international relations and a number of other areas. It is not a minor problem that is part of something else -- it is a full-fledged, difficult, cross-cutting set of issues. If it is going to be addressed in the appropriate way, it should be treated as a first-class problem area.
Bjorkland: I think it makes sense for the cybersecurity coordinator to report to the NSC. Cybersecurity is not the narrow purview of the military or the intelligence community. It has potentially far-reaching effects on national commerce. National security interests include cultural, diplomatic and economic dimensions, as well as military dimensions. But by elevating the position to the level of the NSC and not imbuing the position with far-reaching authority, the position can be less attractive to many people who don't want to take on the inter-agency battles (existing and to come) that can sap a leader's energy.
In your view, is the fact that the cybersecurity coordinator would report to General James Jones and Lawrence Summers a factor on why the position has not yet been filled?
Spafford: I don't believe they, personally, are reasons against the position being filled.
Stanton: I don't know. I suspect that the position needs to be reassessed and restructured to make it possible for the appointee actually to make a difference in cybersecurity.
Garcia: See his answer above.
What other factors do you see as reasons the cybersecurity coordinator position remains unfilled?
Stanton: Cyber defense is not easy. First, there is a myriad of relevant actors in both the public and private sectors that must work together to improve cyber defense of individual organizations as well as our collective cybersecurity. Second, cyber defense suffers from a "weak link" problem: a cyber attacker needs merely to find the most vulnerable access point to make an attack effective. That means that cyber defense must concern itself with shoring up the weakest and possibly organizationally least capable but critical parts of government and the private sector. I suspect that the job is not one that provides the right tools to deal with such a complex set of organizational and technical issues.
Garcia: Rank, authority and risk are discouraging factors. There is a small pool of highly qualified candidates who would be willing to dive in and hit their head on the bottom. There's an even smaller pool who have the charisma and cunning to stay afloat.
Spafford: Over 20 years ago, I articulated what was then called Spaf's 1st Law of Security Administration: "If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something goes wrong."
The position of cybersecurity coordinator may do some good by starting conversations and acting as cheerleader for good practice, but as now structured it is more likely to be a position where the occupant can be blamed when things go wrong. After all, they had the coordinator, so if bad things happen it can't be anyone else's fault. The position doesn't have authority to make necessary changes.
Anyone who really knows the field is unlikely to find the job attractive given its current position in the reporting/action hierarchy. Someone who is able to do the job is likely involved in something important elsewhere and would want some assurance of being able to make at least as much real difference in this position if she/he was going to move.
Salary could be pointed to by some, as experienced personnel can make a lot more in the private sector. However, that is true for most people working in high-level government positions. Many people have a strong sense of duty, and a deep concern, who would be willing to spend time in government -- and who do -- both in civilian positions and in uniform. Salary is not likely to be the biggest concern.
The problem scope is huge and crosses every institution and agency of government. That poses huge challenges and not everyone is going to find that attractive.
What appreciable impact, if any, do the departures of acting White House adviser Melissa Hathaway and US-CERT Director Mischel Kwon have on developing federal cybersecurity policy and/or safeguarding federal IT and the nation's critical IT infrastructure?
Bjorkland: It's unfortunate to lose anybody in a key government position who has been doing a good job. But as I suggested above, there are some really big cyber machines at work today defending the national cyber posture. While the White House is preoccupied with other pressing issues like economic recovery and healthcare reform, the nation can wait a little while longer for a cybersecurity coordinator.
Garcia: They served well and made a mark, and I trust DHS and White House leadership will find strong technical and program management support to pick up where they left off.
Stanton: My concern is that these departures are not merely a matter of whether particular individuals were suited for those positions. Rather, they seem to be symptoms of larger problems in mounting an effective cyber defense.
Anything else you'd like to add on this topic?
Stanton: Cybersecurity is really important. The latest emerging issue concerns the need to ensure cybersecurity for the electronic health records that are being pushed so hard as part of the stimulus package.
Garcia: Congress needs to get organized, too. It is essential that congressional leadership bring together the committees of jurisdiction and develop a coordinated approach to oversight and legislative policy, rather than allow them to lob random paintballs downtown and expect there to be any cohesion in the implementation of a national strategy.