• United States




The Cyber-Czar Challenge: Nobody Really Wants Security

Aug 10, 20093 mins
Business ContinuityIT Leadership

As national cyber-security continues to degrade, as attacks become more sophisticated and nations get into the act, what we typically get from the US government is a lot of rhetoric.  Congress holds hearings, the President decries the lack of a national policy, and corporations strongly assert their commitment to protecting sensitive information.  But when the time comes to actually DO something, the back-pedaling begins.

In a recent Computerworld article, which appeared on CSOonline, Jaikumar Vijayan wrote about the problems Obama is having filling the open cyber-czar position.  It seems the position, reporting to both the National Security Council and the National Economic Council, will have little clout–a largely symbolic role to go along with the rhetoric.  Vijayan writes,

…leaders at the National Security Council and the National Economic Council are apparently reluctant to vest the new cybersecurity official with too much authority, said Alan Paller, director of research at the SANS Institute. “The National Security Adviser thinks cyber is very important — but not more important than other threats like nuclear,” Paller said.

Meanwhile, the National Economic Adviser’s office has apparently taken the stance that too much emphasis on cybersecurity will hamper economic growth, Paller said. “That means that the President’s two most powerful advisers are not supportive of a strong cyber-czar,” he said.

Several factors appear to have contributed to a “neutering” of the White House cybersecurity role, [Tom Kellerman, vice president of security awareness at Core Security Technologies] said. Like Paller, Kellerman believes that there has been a strong effort by corporate interests to keep the White House from getting too involved in implementing major cybersecurity changes.

Source: CW: The Cybersecurity Job No One Really Wants, 6 August 2009

It’s no wonder no one wants this job.  It has no power, but the czar will likely serve as a scapegoat when something goes wrong.  It’s a position that helps support the rhetoric; “See, we’re doing something.” 

If Obama wants to make this work, he has to give the position some teeth.  The cybersecurity chief’s position must reside at least at the same level as the heads of the Security and Economic counsels.  He or she must have a formal and equal “seat at the table” when security and economic policy is discussed and created.  Building security into every decision made in these areas should be institutionalized.

No, we can’t tie the hands of the directors of our defense and economic planning and implementation.  However, the conversation about balancing security with activities in these two critical areas must happen openly, routinely, and with the understanding that bad security is not acceptable.  No excuses.  On the other hand, the administration must guard against knee-jerk reactions which impose unreasonable and inappropriate controls on the national infrastructure.  Again, balance…


Tom Olzak is an information security researcher and an IT professional with more than 34 years of experience in programming, network engineering and security. He has an MBA and a CISSP certification. He is an online instructor for the University of Phoenix, facilitating 400-level security classes.

Tom has held positions as an IS director, director of infrastructure engineering, director of information security and programming manager at a variety of manufacturing, healthcare and distribution companies. Before entering the private sector, he served 10 years in the U.S. Army Military Police, with four years as a military police investigator.

Tom has written three books: Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide. He is also the author of various papers on security management and has been a blogger for, TechRepublic, and Tom Olzak on Security.

The opinions expressed in this blog are those of Tom Olzak and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.