Lifting the Veil on Cybersecurity Secrets

Melissa Hathaway Speaks Out on CNCI Declassification
Perhaps no one is as familiar with the Comprehensive National Cybersecurity Initiative as Melissa Hathaway.

In the Bush White House, she served as senior adviser and cyber coordination executive under then-National Intelligence Director Michael McConnell, and chaired the National Cyber Study Group, which contributed to the development of the CNCI, a series of initiatives aimed at securing federal government information assets and the nation's critical IT infrastructure. That led to her appointment as director of the Joint Interagency Cyber Task Force in January 2008. Thirteen months later, President Obama tapped Hathaway to lead his administration's 60-day cyberspace policy review, which assessed the CNCI.

At the RSA Conference 2010 in San Francisco earlier this month, where White House Cybersecurity Coordinator Howard Schmidt announced the release of a declassified summary of CNCI, Hathaway stopped to chat with Eric Chabrow. (The transcript of the interview is found below.)

In their conversation, Hathaway also addressed the challenges facing business and government to collaborate on cybersecurity and how much regulation the government should impose on the private sector to assure IT security.

Hathaway left government service last summer, forming an IT security consultancy. Among her clients: Harvard Kennedy School's Belfer Center for Science and International Affairs and Cisco.

ERIC CHABROW: What do you think of the White House decision to declassify parts of CNCI?

MELISSA HATHAWAY: I think that it was really important to get that information out into the public domain, especially the list of all 12 (initiatives). I had spoken about CNCI in the transition between the two administrations pretty extensively at different conferences and there was some information published on the DHS website, but this is the first time that I think it was all put together and there was some more information put out on Initiative 3 in particular, which is Einstein 3 (an intrusion prevention system), which I know there have been a lot of inquiries by both the private sector and Congress on that particular initiative, so I think it was a really good thing to do to get out into the public.

CHABROW: You just finished participating in a panel discussion in which partnerships have been discussed, not only among government and private sector but even private sector and private sector. After listening to that I left out kind of pessimistic because it sounds like the private sector can't even get together to collaborate on cybersecurity let alone the government and the private sector. How do you feel? Are you optimistic, pessimistic?

HATHAWAY: I am optimistic that we can have more increased private collaboration. I think that the defense industrial base is moving things along. I have been working with the defense industrial base on the new intrusion threats that they are seeing. The Department of Homeland Security is working with the Department of Defense to replicate that in the financial services sector. And I think because security has become top of mind in many of the commercial enterprises now, based on general broader awareness of what is happening, based on Heartland Payments being out and talking about it more often, and the Google attack, of course, that more organizations are asking about security. And I think that the more organizations are asking about security and asking if it has happened to them and what breaches they are going to have, then I think that that will begin to move the public/private partnership forward.

CHABROW: There has been a lot of discussion about regulating businesses that control the critical IT infrastructure and/or providing them with incentives to comply. Where do you stand on that?

HATHAWAY: I think that we need a good mix of market leaders. Some of the infrastructures that support our critical infrastructure are already regulated markets. Information technology providers, telephone, is already a regulated market; the utilities; energy; they are already regulated markets and I think we need to learn from some of the regulated markets of what can we add to those regulations. We discussed today about whether or not it would be a good thing to have the Internet service providers start to clean some of the bad malware, the bad traffic, and alert citizens whether or not they have been penetrated, and that could be easily done in the current existing regulations.

Other market leaders that could be used are certainly further regulation or tax incentives, or other incentive mechanisms, which I think actually go further into encouraging market behavior.

CHABROW: Some 10,000 people are at the RSA Conference; you're well known, and a lot of people are coming up to you. Have you heard something new that you haven't thought about before in the sense of cybersecurity for the nation?

HATHAWAY: Have I heard something new? That is a good question. I think that there are a lot of good ideas that are being exchanged here and if we could start to pool all of the good ideas together, sort of the "learn from my mistakes so that you don't have to make those same mistakes." That is something that we should all start to build on.

* * *

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
