The woman who conducted a 60-day, top-to-bottom review of U.S. cybersecurity policy has said there needs to be more leadership on the issue from the very top — the Obama White House.
Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils, provided plenty of discussion material Wednesday for those attending the 2009 RSA Conference in San Francisco, one of the world’s major annual gatherings of information security specialists. However, it remains to be seen whether the official recommendations that will soon follow for revamping cybersecurity initiatives, in an Internet full of botnets and rogue-nation hackers, will include actions that match her rhetoric.
Effective protection of America’s networks “requires leading from the top — from the White House to departments and agencies, state, local, tribal governments, the C-Suite, and to the local classroom and library,” Hathaway said in her keynote speech. “Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education and, perhaps, law.”
Hathaway, a holdover from the Bush Administration, completed her policy review last week, and it is now in President Obama’s hands.
Security Industry Reaction
Why didn’t the administration authorize Hathaway to release the details of her report in front of the audience with the most at stake in the issue? Because President Obama’s advisers are smarter than that, suggested Cigital Chief Technology Officer Gary McGraw.
“If you had to announce interesting new thoughts on the way to organize cybersecurity in the country, perhaps announcing it at the world’s largest computer security show wouldn’t be very savvy,” McGraw told TechNewsWorld. “The first thing you would get is criticism from people who know what they’re talking about. It could just be part of the PR strategy for the report’s release. I think the Obama guys are very savvy along those lines.”
Hathaway’s speech garnered mixed reviews, according to McGraw, who moderated a panel at RSA concerning the balance between security and protecting privacy.
“We all agree that the White House needs to take a leadership role in cybersecurity, but we don’t all agree on how this should be accomplished,” he said. “There is a real need for strong leadership, but it is clear that the kind of leader we need has not yet been identified. Hopefully, [the report] will not simply be a set of cyberplatitudes that are the political equivalent of motherhood and apple pie.”
What Kind of Public-Private Partners?
There is a need for a new process among the government agencies tasked with protecting America’s cybersecurity infrastructure, argued Gary Moore, chief architect for Dallas-based enterprise security company Entrust. The turf wars involving civilian agencies and the military that have erupted since 9/11 have turned the cybersecurity “czar” office into a high-stakes game of musical chairs. Just last month, former czar Rod Beckstrom handed in his resignation over concerns that the National Security Agency was trying to muscle in on his territory.
“I think what she’s saying is that it has to be a centralized approach, but that doesn’t necessarily mean everybody marching to the same drum,” Moore told TechNewsWorld. “I think it means they want to make sure the overlap is something that is better handled than it is today, from a cost perspective as well as from an operational, functional perspective.
“I think it’s a good approach,” Moore continued, “certainly from the civilian agencies who need to be better focused on the single approach to things, because the civilian agencies have a common goal — a common mission in terms of servicing the public but at the same time protecting the infrastructure. I think [Department of Defense officials have] their own concerns, which will stay separate while building up their own assets, which is something they need to do.”
Three areas — the public/private partnership, education and policy — should get the most attention in the forthcoming report, in Moore’s view. “If they start focusing on policy only, or technology only, then they’re missing a large opportunity.”
The Balance of Cybersecurity Power
How will a hands-on approach from the Oval Office impact those who are working different sides of the cybersecurity street — those in charge of defending networks, and those who might have to play offense for national security interests?
“Here’s the thing you’ve got to accomplish when you’re trying to make cybersecurity work,” McGraw said. “You have to build things properly; you have to make sure they don’t have vulnerabilities in them. The idea of building things to be secure is essential to computer security, but if you’re in charge of spying on, say, other countries and other entities, having vulnerabilities in software products and technologies is very useful in getting your spying done.
“I would not want to see the guys in charge of spying also be in charge of making sure the products are secure,” he added. “They’d be working at cross purposes.”