The Cyber-Czar Challenge: Nobody Really Wants Security

As national cyber-security continues to degrade, as attacks become more sophisticated and nations get into the act, what we typically get from the US government is a lot of rhetoric.  Congress holds hearings, the President decries the lack of a national policy, and corporations strongly assert their commitment to protecting sensitive information.  But when the time comes to actually DO something, the back-pedaling begins.

In a recent Computerworld article, which appeared on CSOonline, Jaikumar Vijayan wrote about the problems Obama is having filling the open cyber-czar position.  It seems the position, reporting to both the National Security Council and the National Economic Council, will have little clout–a largely symbolic role to go along with the rhetoric.  Vijayan writes,

…leaders at the National Security Council and the National Economic Council are apparently reluctant to vest the new cybersecurity official with too much authority, said Alan Paller, director of research at the SANS Institute. “The National Security Adviser thinks cyber is very important — but not more important than other threats like nuclear,” Paller said.

Meanwhile, the National Economic Adviser’s office has apparently taken the stance that too much emphasis on cybersecurity will hamper economic growth, Paller said. “That means that the President’s two most powerful advisers are not supportive of a strong cyber-czar,” he said.

Several factors appear to have contributed to a “neutering” of the White House cybersecurity role, [Tom Kellerman, vice president of security awareness at Core Security Technologies] said. Like Paller, Kellerman believes that there has been a strong effort by corporate interests to keep the White House from getting too involved in implementing major cybersecurity changes.

Source: CW: The Cybersecurity Job No One Really Wants, 6 August 2009

It’s no wonder no one wants this job.  It has no power, but the czar will likely serve as a scapegoat when something goes wrong.  It’s a position that helps support the rhetoric; “See, we’re doing something.” 

If Obama wants to make this work, he has to give the position some teeth.  The cybersecurity chief’s position must reside at least at the same level as the heads of the Security and Economic counsels.  He or she must have a formal and equal “seat at the table” when security and economic policy is discussed and created.  Building security into every decision made in these areas should be institutionalized.

No, we can’t tie the hands of the directors of our defense and economic planning and implementation.  However, the conversation about balancing security with activities in these two critical areas must happen openly, routinely, and with the understanding that bad security is not acceptable.  No excuses.  On the other hand, the administration must guard against knee-jerk reactions which impose unreasonable and inappropriate controls on the national infrastructure.  Again, balance…