Obama announces creation of cybersecurity coordinator position

By Michael S. Mimoso, Editor, Information Security magazine 29 May 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

President Obama today announced the creation of a White House senior cybersecurity coordinator position but stopped short of naming the individual who will hold the post. He also presented a high-level outline of the 60-day Cyberspace Policy Review conducted by Melissa Hathaway that called for increased public-private partnerships, especially around critical infrastructure protection, and national cybersecurity awareness campaigns.

More on national cybersecurity VIDEO: Face-Off: Who should be in charge of cybersecurity?  Schneier and Marcus Ranum debate who should be in charge of national cybersecurity. Cybersecurity's profile rising under Obama: The Obama Administration is conducting a review of the government's cybersecurity policies and process. We should be encouraged that security could move beyond the useless paper exercise it is today.

Obama said he will personally select the coordinator and that this official would have his full support and regular access to him.

The coordinator would be responsible for orchestrating and integrating all cybersecurity policies for the government, working closely with the Office of Management and Budgets to ensure that budgets reflect cybersecurity priorities and in the event of attack, the position would be responsible for coordinating a response.

The coordinator will not only run a new White House cybersecurity office, but will also be a member of the National Security Staff and National Economic Council.

Obama said his administration will pursue a new comprehensive approach to securing the country's digital infrastructure. That infrastructure has been under constant attack from nation states and hackers for much of the decade. Most recently, the electric grid was penetrated and plans for the Joint Strike Fighter stolen, reportedly by foreign interests.

"From now on, the networks and computers we depend on every day will be treated as they should be -- as a strategic national asset," Obama said. "Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient. We will deter, prevent, detect and defend against attacks and recover quickly from any disruptions or damage."

Obama quickly covered five key highlights to Hathaway's review. Hathaway, acting senior director for cyberspace for the National Security Council and Homeland Security Council, was directed by Obama to conduct a two-month review of the country's cybersecurity policies. Her review team engaged feedback from the public and private sector, academia, civil libertarians, military, intelligence agencies and lawmakers. The five key areas are:

1. Develop a new comprehensive strategy to secure communication and information networks. The cybersecurity coordinator will work closely with federal CIO Vivek Kundra and CTO Aneesh Chopra on these efforts, Obama said. Cybersecurity will be a key management priority to ensure accountability across federal agencies.
2. Work with state and local governments to ensure a unified response to cyber incidents. "Given the enormous damage that can be caused even by a single cyber attack, ad hoc responses will not do," Obama said.
3. Strengthen public-private partnerships, especially around critical infrastructure, which is primarily owned by private sector companies. "My administration will not dictate security standards for private companies," Obama said. Instead, he promised collaboration with industry to find appropriate solutions.
4. Invest in research and development for innovation. Obama pointed out the investments the current administration is making in infrastructure upgrades, including expanded broadband deployments, a smart electric grid, next-generation air traffic control systems and the movement to electronic health records.
5. Promote national cybersecurity awareness through a national campaign targeting not only business, but the education sector.

In tandem, Obama said his new policies will not include monitoring of private networks or Internet traffic. He also promised to maintain his commitment to Net Neutrality.

Experts have lamented the inability of past cybersecurity czars or directors to impose any significant changes on policy or make headway in securing federal systems.

Security expert Bruce Schneier told SearchSecurity.com this week that an advisor should prioritize getting government systems and networks secure before they could make demands of industry. He also said that the adviser should have the authority to force government agencies to make those changes and adhere to policies. Coordination of research would also be a top priority, Schneier said, but none of it will happen without budgetary authority.

"Unless they actually control some purse strings, all they can do is beg, plead, cajole and evangelize," Schneier said. "They can't really get anything done and that's been traditionally the problem with cybersecurity czars."

Obama spoke of cybersecurity several times during his campaign last year and promised to make it a priority of his administration. He also indicated the position would report directly to him.

One of his first cybersecurity mandates was to order Hathaway's 60-day review of the nation's cybersecurity policies. Hathaway made her first public appearance last month at the RSA Conference, and during a keynote address, she made it clear that no single government agency should oversee cybersecurity. Also during the conference, National Security Agency director Lt. Gen. Keith Alexander stressed that NSA had no interest in running cybersecurity.

Obama has had Hathaway's review since mid-April. The report identified more than 250 needs, tasks and recommendations, Hathaway said.

The New York Times, meanwhile, reported today that the Pentagon would be stepping up its offensive capabilities in cyberspace and would create a military command for computer warfare. The Times said classified presidential directives would explain not only this new offensive strategy, but how the new command would work with NSA.

Tags: Information Security Policies, Procedures and Guidelines,  Security Industry Market Trends, Predictions and Forecasts,  Information Security Laws, Investigations and Ethics,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Information Security Policies, Procedures and Guidelines Schneier-Ranum face-off part 6: Audience questions Editor's Desk: Apathy and the Cybersecurity Coordinator Writing security policies using a taxonomy-based approach How to detect and respond to money laundering Health Net breach failure of security policy, technology How to protect distributed information flows Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats Security Industry Market Trends, Predictions and Forecasts SCADA system, critical infrastructure security lacking, survey finds Security architects fear savvy botnet attacks, IPv6 security issues Security compliance predictions for 2010: New regulations, new technology IAM trends: Rebuilding security with provisioning technologies Gartner acquires Burton Group, bolsters presence Securosis adds Security Incite, Rothman to its roster Five security industry themes to watch in 2010 How to advance in your infosec career in the current economic storm Top cybersecurity stories of 2009 Security industry praises Schmidt but sees challenges ahead Security Industry Market Trends, Predictions and Forecasts Research Information Security Laws, Investigations and Ethics Melissa Hathaway urges more cooperation, government attention to cybersecurity Cybersecurity czar candidate questions clout of new position DHS fills National Cybersecurity Center post FTC shutters rogue ISP for hosting malicious content, botnets Experts optimistic of Obama cybersecurity plan WH cybersecurity plan needs private sector guidance Cybersecurity Act of 2009: Power grab, or necessary step? Face-off: Who should be in charge of cybersecurity? Feds should get private sector advice on cybersecurity Federal efforts to secure cyberinfrastrucure

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary