by Senior Editor

Cybersecurity Crossroads: Will White House Czar Choose the Right Path?

May 28, 2009

President Obama is set to name a new cybersecurity czar with unprecedented access to the Oval Office. The move will please some security pros, but frustrate others who think government is already in too deep.

In his 1981 inaugural address, President Ronald Reagan declared that government is not the solution to our problems, but that “government is the problem.”

Fast-forward to 2009: A new president is in town who believes government can solve some of our problems, including cybersecurity. And he’s getting ready to make some announcements on the matter.

Tomorrow the White House is expected to release the details of a 60-day cybersecurity review led by Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils [Related: Why the Top U.S. Cyber Official is Losing Sleep]. Meanwhile, President Barack Obama is set to name a new cybersecurity czar who will have unprecedented access to the Oval Office. Potential candidates for the post include Hathaway and Paul Kurtz, former special assistant to President George W. Bush and senior director for critical infrastructure protection on the White House’s Homeland Security Council.

All this comes as a bill sits in Congress that would give the feds greater cybersecurity enforcement power over the private sector.

The latter item has already sparked healthy debate among security practitioners, as seen in one of our recent articles, “Federalizing Cybersecurity: Necessary or Nitwitted?”

If a recent CSOonline poll of security practitioners via social networking sites like LinkedIn, Facebook and Twitter is any indication, the debate over government’s cybersecurity role is about to intensify.

Let’s start with this week’s activity at the White House.

On this, security pros appear hopeful, including Atlanta-based Ariel Silverstone, a veteran of the Israeli Defense Forces with experience in physical and information security, whose consultancy has included such clients as USAA, Chase Manhattan, Citibank, GTE, General Motors, Ford Motor Company and Vanguard Funds.

He thinks a new White House-based cybersecurity czar is a step in the right direction. At the very least, he said, one is needed to rein in federal agencies that have a history of not playing nicely together.

“Turf wars are a fact of life, from the Department of Interior to the Department of Defense,” Silverstone said. “Putting all the responsibility for online security in the hands of the Department of Homeland Security is a mistake, because other agencies can shrug off cybersecurity as DHS’s problem. Obama is doing the right thing by making this a report-directly-to-him position. That needs to happen to force more inter-agency cooperation.”

Silverstone covered this and other issues in a paper he recently wrote and released, “A Strategy to Secure the Federal Cyberspace.”

But there’s also concern in security circles that it will be nearly impossible for such a cybersecurity czar to get things done. Sure, that person could end or at least lessen inter-agency squabbles over control, but he/she could also get crushed between the cogs that make up the slow-moving federal bureaucracy.

The latter example is what worries those who have looked over the legislation kicking around Congress. Some worry that deeper federal control over cybersecurity could lead to what one might call Red Tape 2.0. The concept of having to “cut through the red tape” dates back to the Civil War, when official government documents bound by red twine tape moved slowly through the bureaucracy. Some of those polled by CSOonline worry about the red tape clogging the gears of cyberspace, especially when one considers the government’s troubles securing its own online infrastructure. There are also those who believe the government simply shouldn’t have its hand in areas beyond its control.

“Government needs to play a guiding and regulating role, and not necessarily be the end all be all of security,” Justin Hornberger, Chinese cyber analyst at Spiral Solutions and Technologies Inc., wrote in a discussion thread on LinkedIn’s CYBER WARFARE Forum Initiative (CWFI) group. “There are too many private functions that the government should not be privy to, and does the government really want the onus to be on them if a private electric company has some equipment destroyed because they dropped the ball?”

But the vast majority of those polled agree the government must play a greater role in online security.

“To which extent would our government help our private sector fulfill the responsibility of securing cyberspace? By fostering IT security training within the private sector, by creating regulations, standards and incentives to help the software industry clean their code, by working side-by-side with the private sector when performing cyber exercises,” AT&T Chief Security Engineer Paul V de Souza wrote in the same discussion thread. “We all have to keep in mind that our National Security must never be compromised, no matter how innovative we want to be, security must always be present and I believe that our government must lead the way by example.”

On the same forum, Hank Hernandez, executive BD/Capture consultant at Syndetics Inc. and president/CEO at The Vyndicar Group Inc., wrote, “One way our government can help our private section fulfill the shared responsibility of securing cyberspace is to apply the power of federal procurement and incentives to cause IT providers to deliver safer, more secure IT applications and systems. By focusing on the guiding, regulating and orchestrating roles, the slow responding hand of government can enable swift response by industry and individuals.”

Silverstone’s view is that while there is a stronger role for the White House to play, more legislating isn’t exactly necessary.

“I don’t believe Congress needs to have more legislation. Things like FISMA and NIST are already in place,” he said. “But private industry isn’t looking at that. They look at things like PCI DSS.”