President Obama today announced the creation of a White House senior cybersecurity coordinator position but stopped short of naming the individual who will hold the post. He also presented a high-level outline of the 60-day Cyberspace Policy Review conducted by Melissa Hathaway that called for increased public-private partnerships, especially around critical infrastructure protection, and national cybersecurity awareness campaigns.
Obama said he will personally select the coordinator and that this official would have his full support and regular access to him.
The coordinator would be responsible for orchestrating and integrating all cybersecurity policies for the government, working closely with the Office of Management and Budgets to ensure that budgets reflect cybersecurity priorities and in the event of attack, the position would be responsible for coordinating a response.
The coordinator will not only run a new White House cybersecurity office, but will also be a member of the National Security Staff and National Economic Council.
Obama said his administration will pursue a new comprehensive approach to securing the country's digital infrastructure. That infrastructure has been under constant attack from nation states and hackers for much of the decade. Most recently, the electric grid was penetrated and plans for the Joint Strike Fighter stolen, reportedly by foreign interests.
"From now on, the networks and computers we depend on every day will be treated as they should be -- as a strategic national asset," Obama said. "Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient. We will deter, prevent, detect and defend against attacks and recover quickly from any disruptions or damage."
Obama quickly covered five key highlights to Hathaway's review. Hathaway, acting senior director for cyberspace for the National Security Council and Homeland Security Council, was directed by Obama to conduct a two-month review of the country's cybersecurity policies. Her review team engaged feedback from the public and private sector, academia, civil libertarians, military, intelligence agencies and lawmakers. The five key areas are:
- Develop a new comprehensive strategy to secure communication and information networks. The cybersecurity coordinator will work closely with federal CIO Vivek Kundra and CTO Aneesh Chopra on these efforts, Obama said. Cybersecurity will be a key management priority to ensure accountability across federal agencies.
- Work with state and local governments to ensure a unified response to cyber incidents. "Given the enormous damage that can be caused even by a single cyber attack, ad hoc responses will not do," Obama said.
- Strengthen public-private partnerships, especially around critical infrastructure, which is primarily owned by private sector companies. "My administration will not dictate security standards for private companies," Obama said. Instead, he promised collaboration with industry to find appropriate solutions.
- Invest in research and development for innovation. Obama pointed out the investments the current administration is making in infrastructure upgrades, including expanded broadband deployments, a smart electric grid, next-generation air traffic control systems and the movement to electronic health records.
- Promote national cybersecurity awareness through a national campaign targeting not only business, but the education sector.
In tandem, Obama said his new policies will not include monitoring of private networks or Internet traffic. He also promised to maintain his commitment to Net Neutrality.
Experts have lamented the inability of past cybersecurity czars or directors to impose any significant changes on policy or make headway in securing federal systems.
Security expert Bruce Schneier told SearchSecurity.com this week that an advisor should prioritize getting government systems and networks secure before they could make demands of industry. He also said that the adviser should have the authority to force government agencies to make those changes and adhere to policies. Coordination of research would also be a top priority, Schneier said, but none of it will happen without budgetary authority.
"Unless they actually control some purse strings, all they can do is beg, plead, cajole and evangelize," Schneier said. "They can't really get anything done and that's been traditionally the problem with cybersecurity czars."
Obama spoke of cybersecurity several times during his campaign last year and promised to make it a priority of his administration. He also indicated the position would report directly to him.
One of his first cybersecurity mandates was to order Hathaway's 60-day review of the nation's cybersecurity policies. Hathaway made her first public appearance last month at the RSA Conference, and during a keynote address, she made it clear that no single government agency should oversee cybersecurity. Also during the conference, National Security Agency director Lt. Gen. Keith Alexander stressed that NSA had no interest in running cybersecurity.
Obama has had Hathaway's review since mid-April. The report identified more than 250 needs, tasks and recommendations, Hathaway said.
The New York Times, meanwhile, reported today that the Pentagon would be stepping up its offensive capabilities in cyberspace and would create a military command for computer warfare. The Times said classified presidential directives would explain not only this new offensive strategy, but how the new command would work with NSA.