Information Security

Defending the digital infrastructure


Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Melissa Hathaway: Government Must Keep Pace with Cybersecurity Threats

Securing the Internet means to much to the future of the U.S. economy and national security.

In December 2006, I received a phone call from one of my mentors and colleagues, Mike McConnell, who asked me to join him in serving our country to try to make a difference in a short period of time. As I contemplated leaving my private sector career, I was reminded of a quote from John Adams, "I am...under all obligations of interest and ambition, as well as honor, gratitude and duty, to exert the utmost of [my] abilities in this important cause." I accepted the challenge, and began my journey in serving our country.

During the course of my 30-month tenure, I had the privilege of serving two presidents and helped our government develop a cybersecurity strategy of unprecedented scope and scale that will facilitate revolutionary improvements in the United States' ability to secure and defend our critical national infrastructures. The strategy outlines an action plan to address the growing velocity and volume of threats to our information systems from attacks coming over the Internet, by insiders, and from the worldwide supply chain. Working across the executive branch, we developed and created a unified budget submission that gained bi-partisan approval from Congress and represents the initial down payment required to facilitate the actions outlined in the strategy. This was complemented by unprecedented engagement and openness with a wide variety of constituents during the review and publication of the Cyberspace Policy Review on May 29, and President Obama's detailed speech on cybersecurity that day, which marked the first time a global leader has spoken on the subject at length.

But I am worried that the government is not keeping pace to meet the challenges we identified in the Cyberspace Policy Review. During the last decade and a half, the United States has been seduced by phenomenal business and economic growth enabled by the effectiveness and efficiency of high performance global, networked environments. The United States has been one of the key global leaders on embedding technology into our day-to-day life, transforming the global economy and connecting people in ways never imagined. However, we have not invested in the resilience necessary to assure our businesses can operate in a degraded environment.

Our reliance on the conveniences of remote access, and the ability of our networked control systems to reduce costs and manpower needs, have led to weaknesses that are being exploited daily by our opponents. Our nation needs a safe Internet and we must take prompt actions to protect cyberspace for our current and future needs. I believe that our nation is at a strategic crossroad; that it is late in addressing this critical national need, and our response must be focused, aggressive, and well-resourced. We must work to understand the full extent of the vulnerabilities and interdependencies of this information and communications infrastructure, and work to increase its protections and resiliency across all of the sectors of government, military and commercial dependency that we have created.

Our government must take bold steps to operationalize a partnership with industry. We need greater information sharing between the government and private sector on what is being targeted, and how, and why it is important to protect ourselves (personally, professionally, corporately, and nationally). As more of our nation's networks are compromised and more corporate, proprietary data is stolen, America will continue to lose market advantage and begin to be deliberately displaced by our opponents.

Our opponents are targeting our multinational and private corporations on at least three fronts: (1) through industrial espionage, they target corporate intellectual property and other proprietary data; (2) they attack other targets as mechanisms to reach yet other targets, sometimes through supply chains and sometimes to target relationships; and (3) they target corporate infrastructure, by infecting networks or otherwise creating a persistent presence, as a means to allow for future targeting on either, or both, of the first two fronts.

Our government cannot develop a strategy independent of private sector insight and cooperation. Our nation will need the private sector and its services and capabilities to find these attack profiles, inform the government of them and develop the solutions to resolve them. Our government needs to cultivate a public-private partnership and action plan that identifies the requirements for the future architecture, hardware, software and services that enable security and resilience. I believe that the private sector is ready to work with government on these efforts, and in order to take advantage of this opportunity, the government must actively engage the private sector and set aggressive milestones toward achieving common goals.

This is just one of the serious policy matters facing the United States in its continued dependence on information systems. As our country moves forward, it requires the strongest leadership in cybersecurity to navigate the jurisdictional ambiguities between individual departments and agencies, the laws that inhibit our ability to share information and communicate the urgency of the situation. These efforts must be implemented in a manner that allows us to continue to foster innovation and enable our information and communications infrastructure to fuel the nation's economic growth. Cyberspace will not be secured overnight and on the basis of one good plan. The past 30 months represent the first steps toward making real and lasting progress, and are just the beginning of the beginning.

I am honored to be recognized with the Security 7 Award for the contributions made in the past 30 months. There are many leaders within the security profession who are deserving of this recognition. The distinguishing thing about being recognized by your peers is that you have to be nominated by someone who believes you are worthy of recognition, which, like most other opportunities, stems from a phone call or a request to take a different path--taking a chance that you can make a difference in another capacity.


TITLE Former Acting Senior Director for Cyberspace
COMPANY National Security Council

  • Led the 60-day interagency review of cybersecurity policies and programs throughout the federal government
  • Oversaw the development of the Cyberspace Policy Review
  • Served under the Bush and Obama administrations
  • Under the Bush administration as Senior Advisor to the Director of National Intelligence, helped build Comprehensive National Cybersecurity Initiative (CNCI)
  • Led development of a cross-agency budget submission to support CNCI
  • Established relationships in Congress to gain bipartisan support for cybersecurity initiatives
  • Testified and briefed with legislators more than 150 times
  • Former principal at Booz Allen Hamilton; consulted with DoD and the intelligence community.

Melissa Hathaway is an assertive, determined cybersecurity patriot, a person who devoted countless hours to bring cybersecurity to the forefront before Congress. Her work on the Obama 60-day review is landmark, and sets a high bar.

Make Critical Infrastructure a Priority: Critical infrastructure protection must be addressed today to protect our country tomorrow.
Government Must Keep Pace with Cybersecurity Threats: Securing the Internet means to much to the future of the U.S. economy and national security.
Report Security and Risk Metrics in a Business-Friendly Way: Security metrics must, not only provide a view of security posture, but must support security budgeting and investment processes.
Build a Security Control Framework for Predictable Compliance: Healthcare provider Humana Inc., has developed a security controls framework that addresses all of the industry and federal regulations it must comply with.
Improve SSL/TLS Security Through Education and Technology: Carnegie Mellon University's CyLab designs security to improve all aspects of society.
Communicate Effectively with Management About Risk: Learn how to communicate with senior management about risk; it's your job.
Prioritize Information Security over Compliance: Organizations need to prioritize security over compliance to ensure comprehensive risk mitigation.
Article 1 of 12

Dig Deeper on Government information security management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All