Cybersecurity czar candidate questions clout of new position

By Robert Westervelt, News Editor 23 Jun 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

A former U.S. congressman, reportedly one of the leading candidates for the White House position of cybersecurity czar, this week questioned whether the new post would have any clout, suggesting the legislative and bureaucratic issues that lie ahead are so complex that it's unclear what the position would entail.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

"If you think it's difficult to get through the bureaucracy, wait till you get to Congress," said Tom Davis, a former Republican congressman from Virginia. "If there's a crisis things can move quickly, that's one thing we've seen in this town … but the difficulty right now is that there are so many things going on in Washington."

Speaking on a panel discussion at the National Press Club Tuesday, Davis said the position needs a person with name recognition; someone with the ability to work with Congress to get legislation passed on cybersecurity issues. But the task is very difficult, with almost every congressional committee claiming to have authority over a particular aspect of cybersecurity, he said.

"I think we need to understand that this is a very complicated, difficult task and if nothing else you get to deflect blame if you're on top and have a czar and something happens," Davis said, calling the new position a good first step. "It's fair to say that both parties failed to put together the appropriate leadership in the past."

In May, President Obama announced the creation of a cybersecurity coordinator, or cybersecurity czar, who would be responsible for integrating all cybersecurity policies for the government, working closely with the Office of Management and Budgets to ensure budgets reflect cybersecurity priorities as well act as the coordinator in the event of a cyber attack.

More on national cybersecurity: Obama announces creation of cybersecurity coordinator position: The president promised to treat critical infrastructure as a strategic national asset, and that the cybersecurity coordinator would be responsible for orchestrating cybersecurity policy. VIDEO: Face-Off: Who should be in charge of cybersecurity?  Schneier and Marcus Ranum debate who should be in charge of national cybersecurity. Cybersecurity's profile rising under Obama: The Obama Administration is conducting a review of the government's cybersecurity policies and process. We should be encouraged that security could move beyond the useless paper exercise it is today.

Time magazine reported last week that Davis, the former head of the Government Reform Committee, was Obama's top candidate for the new position. Davis, who co-authored the Federal Information Security Management Act (FISMA), predicted a "cyber Pearl Harbor," in which attackers penetrate sensitive systems within the federal government.

At the National Press Club panel on Tuesday, Davis said FISMA should be strengthened and government agencies given funding to better meet the rules. The panel discussed what the Obama administration's cyber czar would confront in his first 100 days. In addition to Davis, it included retired Air Force Major General Dale Meyerrose, former CIO for the U.S. intelligence community and current vice president for cyberspace at Harris Corp. and James Bamford, an investigative reporter and author who has reported extensively on National Security Agency issues.

Meyerrose said whoever is appointed to the position would need to scale back and choose one or two priorities to address immediately. The person would also need to be surrounded by a strong team and must have enough stature to be taken seriously by Congress. But it's unclear how much work could get done since the position would report to two committees, the National Security Agency and National Economic Council.

"I think the most encouraging thing about the president's statements is that the status quo is no longer acceptable," Meyerrose said. "Just establishing leadership in the White House is a necessary first step but it's not the end game."

Bamford, who wrote five books on intelligence gathering and the National Security Agency, said the real work around cybersecurity is already being done by the NSA. Currently the agency is restructuring to address cybersecurity. In April, Defense Secretary Robert Gates nominated Keith Alexander, a three-star general, to head the new Cyber Command within the agency.

"Just looking at the [cyber czar] position on a piece of paper you can see it's very low down on the totem poll," Bamford said. "The idea of creating the position is a great idea. I just think there was a bit of a disappointment that the position didn't have the stature that it might have had."

SearchSecurity radio:

The new cybersecurity coordinator position is the outcome of a 60-day Cyberspace Policy Review, which was conducted by Melissa Hathaway, acting senior director for cyberspace for the National Security Council and Homeland Security Council. The new cyber czar is expected to act on areas highlighted in the review, including developing a strategy to secure communication and information networks across federal agencies, strengthen public-private partnerships and help the administration identify areas to invest in research and development.

But Bamford said the position doesn't appear to hold enough stature to make a major difference in Washington. A person is needed who could bridge the divide between those calling for more cybersecurity and those careful that it doesn't result in treading on civil liberties, he said.

"It needs somebody who could break through the bureaucracy," he said. "If you're powerful you're not gong to take a junior staffer position."

Tags: Information Security Policies, Procedures and Guidelines,  Security Industry Market Trends, Predictions and Forecasts,  Information Security Laws, Investigations and Ethics,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Information Security Policies, Procedures and Guidelines How to protect distributed information flows Essential guide: Pandemic planning for H1N1 Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats Should enterprises be concerned with Twitter in the workplace? Information security management hype: Debunking best practices Data breach avoidance begins with security basics, panel says Expert: Information security spending often restricts innovation Security Industry Market Trends, Predictions and Forecasts Hackers to sharpen malware, malicious software in 2010 Part 1: Marcus Ranum on the state of information security Part 2: Marcus Ranum on the state of information security Part 4: Marcus Ranum on the state of information security Part 3: Marcus Ranum on the state of information security Part 5: Marcus Ranum on the state of information security Layoffs prompt insider threat fears, cybersecurity survey finds Healthcare security spending remains sluggish, report shows How to use Internet security threat reports M86 buys Web security gateway vendor Finjan Security Industry Market Trends, Predictions and Forecasts Research Information Security Laws, Investigations and Ethics Melissa Hathaway urges more cooperation, government attention to cybersecurity DHS fills National Cybersecurity Center post FTC shutters rogue ISP for hosting malicious content, botnets Experts optimistic of Obama cybersecurity plan WH cybersecurity plan needs private sector guidance Obama announces creation of cybersecurity coordinator position Cybersecurity Act of 2009: Power grab, or necessary step? Face-off: Who should be in charge of cybersecurity? Feds should get private sector advice on cybersecurity Federal efforts to secure cyberinfrastrucure

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary