All I want for Christmas is a cybersecurity coordinator.
No, not really. (I'd rather have a PS3).
See, now that we're about to turn the page on 2009, and almost seven months have passed since President Obama declared cyberspace a strategic national asset and promised to put someone in charge of cybersecurity, we still don't have anyone on the job. And I don't care anymore. I don't care if Howard Schmidt gets the job -- again. I don't care if it's Paul Kurtz, Bruce Schneier or some obscure senator from Montana.
See, I don't care.
It's evident that these were hollow words from the president's mouth. It's evident the country's cybersecurity capabilities are best left to individual agencies and providers of critical infrastructure in the private sector. It's evident we don't need another bureaucrat telling us to update our antivirus and install a personal firewall on our PCs.
Give Melissa Hathaway her due; she knew when to get out of Dodge. Long thought to be a front-runner for the job, Hathaway bolted fast and furious in August. Hathaway, who oversaw the Cyberspace Policy Review, served as acting senior director for cyberspace for the Bush administration and once worked for the Director of National Intelligence, said she was dissatisfied with the process and timetable for hiring a coordinator. Chances are, the rest of the truth lies elsewhere: Like in the fact that it's just too big of a job for one person and one office. The turf battles aren't worth the rise in systolic blood pressure. And chances are, the coordinator position requires lots of hours testifying in front of senators and representatives who don't know their AV from their USB.
We should have sniffed out that this was doomed from the start. The Obama administration came out of the gates flying, promising to make cybersecurity a priority. Obama ordered Hathaway's 60-day review of federal policies and on May 29 when he announced the creation of the cybersecurity coordinator position, he said: "From now on, the networks and computers we depend on every day will be treated as they should be -- as a strategic national asset. Protecting this infrastructure will be a national security priority."
Big and promising words. But when you create a position that from the start must serve two masters -- the coordinator would report to both the National Security Council and the National Economic Council -- you immediately drive candidates away and lessen the potential good the job can do.
And you have what we have today: an empty seat that ultimately will be filled by an empty suit.
Some day, we'll get a coordinator. And they will be a politician with little power and even less budgetary authority. We'll get someone who knows their way around Capitol Hill, someone the Congress will grant hearings to.
What we won't get is one person who will get the government to clean its own house. We won't get one person who will dictate policy or budget -- or even coordinate.
And that's what we need. Obama got it right when he decided to create a "coordinator" position. We need a person who can aggressively accelerate understanding of the situation. We need a high-ranking advisor who is given some authority to influence and spend and can align agencies strategically.
When you consider the delay, the sad and frustrating part is that the problem is understood. Does government need further study on how interconnected we are? Does government still fail to understand how dependent our economy, critical services and even national security is on the well being of networked computers? Do we need another Page 1 Wall Street Journal story on more top-secret Air Force fighter jet plans whisked away through some proxy server in China? Even 60 Minutes' two FUD-filled reports on cybersecurity this year (the Symantec infomercial on Conficker and the most recent look at the state of critical infrastructure) brought some kind of awareness to the mainstream.
And still nothing. And very few seem to care anymore.
What started out on May 29 with such promise has been deflated with each passing week that the cybersecurity coordinator's position sits vacant. The perception is that cybersecurity is less of a priority, and the information security industry, for one, is let down.
People want to care -- and should care. Sad part is that too much time has gone and people are prioritizing other things -- such as a new PS3.
Michael S. Mimoso is Editor of Information Security. Send comments on this column to firstname.lastname@example.org.
Dig Deeper on Information Security Policies, Procedures and Guidelines