A new White House cybersecurity czar will face a number of major obstacles, the least of which will be to coordinate the security of federal agency systems on a massive scale, according to security experts and former government officials tasked with heading federal cybersecurity efforts. While the position could reduce interagency squabbles over control, it also has the potential to get bogged down in red tape and bureaucracy.
The White House is expected to announce the creation of a cyberczar position that will focus on protecting the nation's critical networks from cyberattacks.
The position could be announced as early as this week, according to The Washington Post. It would be the first of its kind at the White House level and could have broad authority over cybersecurity matters and would maintain extensive oversight of federal agencies to harden their networks from outside attack.
Citing senior White House sources, The Post reported the new position would be a member of the National Security Council and would report to the national security adviser as well as the senior White House economic adviser.
If the new position is given a seat in the National Security Council it could hold some clout, but if it has no budgetary authority it would lack the ability to force any major security improvements, said noted security expert Bruce Schneier, chief security technology officer of BT.
"People in this country who have budgetary authority loathe to give it up," Schneier said. "Unless they actually control some purse strings, all they can do is beg, plead, cajole and evangelize; they can't actually get anything done."
Michael Markulec, chief operating officer at network security vendor Lumeta Corp., said the new position must have enough authority to manage the interagency battles for control that have been ongoing at the federal level.
Cybersecurity's profile rising under Obama: The Obama Administration is conducting a review of the government's cybersecurity policies and process.
White House cybersecurity advisor calls for public-private cooperation: Melissa Hathaway delivered precious few details about her 60-day review of the country's cybersecurity policies and structures during her RSA Conference keynote.
NSA does not want to run cybersecurity, director says: Instead, Lt. General Keith B. Alexander pushed for a collaborative effort among the intelligence communities, government and private industry to secure cyberspace.
Senators hear call for federal cybersecurity restructuring: Congress is mulling over whether to give more authority on cybersecurity issues to the Department of Homeland Security or create a new office within the White House.
"I'm concerned that such a position, a so called cyberczar, will wind up like most of the other czar positions that we've created in the government; somebody that is responsible for policy, but not implementation," Markulec said.
Markulec, who is an expert on industrial control systems security has provided information related to the CSIS report "Securing Cyberspace for the 44th Presidency." He has been in favor of giving authority over cybersecurity to the Director of National Intelligence. Markulec said a new cyber czar would need to review current policy and practice, evaluate what makes up the nation's networks and coordinate efforts to reach out to the private sector for expertise.
"We're adding things like physical security devices and control systems," Markulec said. "I think there are organizations, especially in the financial services community, that have gotten this right and the government can learn a lot from them."
Even with the help of the private sector, the new post will have a number of bureaucratic problems to overcome, said Amit Yoran, a former top Department of Homeland Security cybersecurity official, now CEO of NetWitness Corp. Yoran said his position at DHS was consistently bogged down in a number of administrative problems that continue to plague the agency today.
Yoran said the person appointed to the new cyberczar position also might seek some modifications to the Comprehensive National Cybersecurity Initiative (CNCI), reviewing it to determine what is working. The $40 billion classified plan has 12 components, including the Trusted Internet Connections (TIC) program, to trim the number of federal network connections and the Einstein system, a network-monitoring tool used by DHS to monitor and analyze traffic moving through federal networks.
"The programs themselves at their base are well intentioned and well designed," Yoran said. "But a lot of the fundamentals of the program that carry into the new administration come with some challenges; the over-classification of the CNCI activities as a whole, relying on the intelligence community for so much of the CNCI activities will remain a challenge."
The new czar position will also have to iron out differences and get agencies with different goals at the same table, Yoran said.
"This is not a challenge that can be addressed by any department or agency," Yoran said. "It really needs the White House orchestration for this to be successful."
The person selected for the new position should also resist the temptation to micromanage agencies, said Gregory Garcia, the former assistant secretary for cyber-security and telecommunications under the DHS, who currently heads his own consulting firm, Garcia Strategies LLC. Garcia said there is a need for a new White House cyber czar to guide Congress in enacting better legislation.
"There is not a systematic or comprehensive effort to identify what is it really that Congress can do; what really are the gaps that Congress can fill with legislation that is going to push our marketplace, push our governments to be more secure," Garcia said. "So the White House can do a lot to push the Congress to show some discipline in the manner in which it approaches this issue."
The cyberczar announcement is expected to coincide with a report issued by Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils. Hathaway led a team that conducted a 60-day review of the country's cybersecurity policies and infrastructure. She was a keynote speaker in April at the 2009 RSA Conference, but released few details of the cybersecurity review. The security community has pegged Hathaway as a natural candidate for a national cyber advisor position that would oversee U.S. cybersecurity efforts both domestically and internationally.
The report was delivered to President Barack Obama in April and identifies more than 250 recommendations. The review touches on every facet of government networks, including computer network defense, investigations, military and intelligence activities, and how those intersect with information assurance, counterintelligence, counterterrorism, telecommunications policies and general critical infrastructure protection.