Cyber leader powers still unknown

Experts say access to president is important to effect change

It's common for presidents to appoint a single powerful coordinator, sometimes informally called a czar, to oversee efforts on a specific issue. However, not all of those positions are equal, and experts say it remains to be seen whether President Barack Obama’s yet-to-be-named cybersecurity coordinator will be able to make the comprehensive cybersecurity improvements that many say are needed.

Industry officials, lawmakers and cybersecurity experts said they were generally pleased with Obama’s announcement that he would name someone to lead a new White House cybersecurity office to integrate cybersecurity policies.

Although Obama’s announcement ended one debate about bureaucratic structure, it also started speculation about what comes next. Since his announcement May 29, observers have been pondering who Obama will name as coordinator, how much access that person will have to Obama, and how the official will differ from previous government cybersecurity coordinators.

“As many folks who have spent time in the White House know, proximity and access to the president matter,” said Amit Yoran, chief executive officer of network security company NetWitness and former director of the Homeland Security Department's National Cybersecurity Division.

Obama said he would personally choose the new official and depend on him or her in all matters relating to cybersecurity. In addition, the coordinator “will have my full support and regular access to me as we confront these challenges,” Obama said, adding that the official would be a staff member of the White House’s National Security Staff and National Economic Council.

Dale Meyerrose, former chief information officer at the Office of the Director of National Intelligence and now vice president and general manager of cyber programs at Harris, said the cybersecurity coordinator should be someone with a national reputation in government and industry. Meyerrose said the administration hasn’t proven this position is different than previous cybersecurity positions, but he hopes it will do so. He also said it’s important for the new official to have access to Obama.

“The further away you get from being the person who has the president’s ear, the harder it is to entice a person of note to accept that challenge,” Meyerrose said.

Yoran said he thinks the eventual holder of the office will have an opportunity to succeed because Obama is sending a clear message that cybersecurity matters. He also said Obama's decision to have the coordinator work with White House security and economic advisers is a positive sign because of the cross-cutting nature of cybersecurity.

However, James Lewis, director of CSIS’ Technology and Public Policy Program and of the CSIS cybersecurity commission, said although the announcement that there would be a top White House cybersecurity official was a good, questions about the new official need to be answered before it can be assessed. For example, Lewis said it remains to be determined what the new official’s lines of authority will be.

"We can’t assess this until we know who will do it and what authority they will have," Lewis said.

Obama also released a report May 29 that details the findings of the administration’s 60-day review of cybersecurity policy. He said the report outlines actions the administration would take to develop a new comprehensive strategy, ensure an organized response to future cyber incidents, foster public/private partnerships, continue to invest in cutting-edge research and development, and start a national educational campaign.

The report states that the new White House cybersecurity coordinator shouldn’t have operational responsibilities, but the operational cybersecurity authorities of different agencies — which often overlap — needed to be coordinated. However, the report didn’t state which agencies should have specific cybersecurity responsibilities, leaving questions about the roles different agencies and departments will play.

“You can see the seeds of bureaucracy or the possibility of this can be something different, and the administration has to prove which it is, and they need to do so in pretty quick order,” Meyerrose said. “There are seeds of failure and seeds of success both present here, so let’s hope we water the correct ones.”

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

Reader comments

Mon, Jun 8, 2009 tuomoks Chicago

As much as titles like "cybersecurity coordinator", etc are useless / meaningless / for public consumption, having a "cybersecurity coordinator" can only be good. Or maybe be great done right, right person with with balanced responsibilities (not hidden behind the normal government / private business secrets) and the power to make them happen. Just an opinion from a person working 40 years in and on federal, government, army, private, etc security in several countries, mostly in IT. Other headlines in FCW today actually show why - NIST is doing / has always done a good work but they are (mostly) limited for recommending something, DHS mixes "database" / technology with real life failing to see the forest for the trees (have some experience on that), Deepwater / DeKort story tells a common behavior today(?), milk the government for money no matter of security. And believe me, even in IT security a well working system is as much or sometimes even more important than some "security" gadget, expensive firewall which goes unused, a certified person, etc. So, the "we" doesn't seem to work too well - has it ever worked? I just hope that this doesn't fall back to the old ways, compromises, secret and hidden contracts, politics, whatever. Security through obscurity has never worked / will never work no matter how much people who have something to hide try to convince the public.

Fri, Jun 5, 2009 Don O'Neill

A lot has been said about power and positions in discussing the role Cyber Security czar. What I want to know from the candidates for this position is what defines success and what defines failure. With this in hand, it may be possible to make the right choice.

Fri, Jun 5, 2009 Don O'Neill

A lot has been said about power and positions in discussing the role Cyber Security czar. What I want to know from the candidates for this position is what defines success and what defines failure. With this in hand, it may be possible to make the right choice.

Fri, Jun 5, 2009

Unlike the title of the article, its last sentence is well-chosen. Dale Meyerrose identifies the actors in cyber security garden as "we." Responsibility for growing solutions and not thorns cannot rest solely with the President, the cybersecurity coordinator, or the two of them together. The cyber security problem spans every facet of the economy and every governance domain, and resolving it will require more collaboration than diktat. The question is not whether the cyber chief will have teeth to threaten and compel but whether he or she will have good ideas, earn the President's support, share the bully pulpit, flash the pearly whites and lead successfully by persuasion.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above