As I write this, the security community is buzzing with speculation over who President Obama will choose as his new, White House-based cybersecurity czar. My e-mail inbox is brimming with requests from PR folk who want me to interview their security vendor clients about the big announcement.
The PR push makes me wonder what the calls would be about. Perhaps their vendors have shiny new products to meet any company's cybersecurity-czar challenges? Maybe the product will automate the Administration's cybersecurity machinery in the event the new cyber czar quits in frustration after a few weeks or months. [See: Federal Cybersecurity Director Quits, Complains of NSA Role]
The thing is, for those of us who focus on Internet security for a living, nothing Obama says today will be new.
From the beginning Obama has floated the concept of putting cybersecurity more directly in White House hands. We all want to know who will get the position, but as of this writing the White House is saying candidates are still under consideration and no announcement to that effect will be coming today.
As for the 60-day review Obama ordered shortly after taking office, Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils, ran through some of the high points at last month's RSA security conference [Why the Top U.S. Cyber Official is Losing Sleep]. We're supposed to get a deeper look at the details today, but I doubt we will hear anything we didn't already know.
We already know, as Hathaway put it last month, that "despite all of our efforts, our global digital infrastructure, based largely upon the Internet, is neither secure enough nor resilient enough for what we use it for today and will need in to the future" and that "this poses one of the most serious economic and national security challenges of the 21st century."
We already know that critical infrastructure, including the power grid and water supply system, is under threat from those who would hijack the IT machinery used to run it all. Industrial control systems, including SCADA (supervisory control and data acquisition) systems, have been in the crosshairs for years. Go back to 2003 for the example of the Slammer worm infesting systems at Ohio's Davis-Besse nuclear power plant. [Why SCADA Security Must Be Addressed]
And security experts have repeated time and again that a key to making things better is user education/awareness.
But the wider public isn't anywhere near as aware as it should be. For that reason, the activity coming from the White House today is cause for hope.
This is arguably the biggest spotlight a president has shined on the issue to date. By creating a White House-based position to coordinate cybersecurity efforts across the federal government, Obama is making it clear that the various agencies can no longer shrug off the problem as the Department of Homeland Security's problem.
His announcement will by no means be ironclad against criticism. Some security experts have already frowned upon reports that the new cybersecurity czar will not have direct, unfettered access to the Oval Office as had been suggested earlier. Rather, according to the Associated Press, the post will carry a special assistant title that's not as high in the White House hierarchy as some officials sought. As the AP reported, the official would report to senior NSC officials -- a structure many say will stifle attempts to usher in major changes within the federal bureaucracy.
But it appears this person will be much closer to the Oval Office than those who have labored in frustration inside DHS in recent years.
And while we've all been calling for better user awareness and education, a lot more people listen outside security circles when it's coming from the president.
So don't look for perfection today. But do have hope that we are at least moving in the right direction.
About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD - overhyped security threats that ultimately have little impact on a CSO's daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry's most egregious FUD, send an e-mail to firstname.lastname@example.org.