Reporting Structure of Cybersecurity Czar Up In the AirWhite House Said to Be Undecided If New Post Should Report to Obama
Hathaway met with members of the House Cybersecurity Caucus Thursday, briefing them half-way through her review, which is expected to be made public in a month.
Later in the day, Caucus Chairman James Langevin, D-RI, and Yvette Clarke, D-NY, chairwoman of a House subcommittee on cybersecurity and emerging threats, told reporters that Hathaway said the new cybersecurity policy would protect American's civil liberties and privacy. The policy also would use a combination of incentives and regulations to get the private sector to cooperate with the government on protecting federal information systems and the nation's critical IT infrastructure.
A final decision on how cybersecurity will be governed from the White House will come after Hathaway submits her report, but Langevin suggested the final report would accept many of the recommendations detailed in a study issued last fall by the Center for Strategic and International Studies, which he co-chaired, that calls for the creation of a White House cybersecurity office with its leader reporting directly to the president. "I've have heard nothing that would suggest that the recommendations she will come up with at the end of the 60-day review would be in sharp contrast with the findings of the CSIS report," Langevin said. (Click here for an interview with the another commission co-chairman.)
On protecting civil liberties and safeguarding privacy, Langevin said balancing them with security has been a "paramount concern" of Hathaway and not an afterthought, adding that she recognizes protecting citizens' rights is crucial in getting public buy-in for a new national cybersecurity program. Clarke said that Hathaway took great pride in reaching out to civil libertarians and privacy advocates from the start of her review in mid-February. "She even remarked that this has been the first time that this has happened in maybe 10 years," Clarke said. "I feel confident that civil liberties and privacy concerns of our citizenry will be embedded in this process review."
Federal cybersecurity policy includes protecting critical private-sector IT infrastructure such as systems used to manage the nation's energy production and distribution and the financial sector, and the cooperation of business is crucial to protect government and private networks from attacks and espionage. This might require some regulations, and Langevin said Hathaway has been visiting government regulators to see if they have policies that can be adopted for cybersecurity. "It's clear that it's not going to be one or another incentives or regulations it has to be a combination of both," Langevin said of getting private-sector support, adding that "I think you can look at Y2K (year 2000 computer remediation) as a model, where it was a combination of incentives and regulations."