President Obama’s promise to take the lead in shoring up the government’s cybersecurity efforts has drawn high praise from all corners of the tech world.
Members of Congress, industry groups and activist organizations have heralded his announcement this morning and the report that accompanied it as a mighty step forward in a long-neglected and critically important area of national security.
But, emphatic as Obama’s speech was, many questions were left unanswered.
He pledged to recenter government cybersecurity in the White House, creating a position that amounts to a cyber czar to coordinate the activities among the different agencies.
But he made no mention of resolving the long-running turf wars between the Department of Homeland Security, the National Security Agency, the Defense Department and myriad other agencies that all have a hand in protecting the nation’s communications and information networks. To be fair, many in Washington have pointed to a recent thaw in relations between some of those agencies, but good-faith cooperation remains a work in progress.
Obama suggested that the cybersecurity coordinator, a position that has yet to receive a formal title, would have broad oversight over the various agencies, describing the role as something of a bridge-builder.
Obama did not name an individual to fill the position, though he did say the role will have the twin functions of serving on the president’s National Security Council and National Economic Council.
“I think it is light on specifics,” said Phil Dunkelberger, CEO of the security firm PGP and chairman of TechAmerica’s Cybersecurity Advisory Group, an industry coalition.
Formulating a coherent national cybersecurity strategy
The report released today, the product of a two-month review Obama commissioned in February, is only a starting point. Obama said that one of the next priorities is to eventually formulate a coherent national cybersecurity strategy, complete with “clear milestones and performances metrics.”
“Until he gets someone in that job, the specifics are going to have to wait,” Dunkelberger told InternetNews.com. “I think what people are coming to realize is this is a massive undertaking.”
Dunkelberger praised Obama for tying cybersecurity to the economy, a coupling evident both in the twin hats the cyber czar will wear and the recommendations of the report.
Obama’s speech this morning could be seen as his first step toward trying to position cybersecurity as a mainstream issue. He defined “digital infrastructure” as “the backbone that underpins a prosperous economy and a strong military and an open and efficient government.”
The presidential imprimatur also helps. Obama said that he would personally select the cyber czar and vest the office with the authority and resources needed to get the job done.
“I’ll depend on this official in all matters relating to cybersecurity, and this official will have my full support and regular access to me as we confront these challenges,” he said.
But in structuring the position in the NSC and NEC, Obama backed off from a campaign promise to establish a cyber advisor who would report directly to him.
“It is critical that President Obama establish clear leadership at the top to drive a significant cybersecurity focus,” Chris Schwartzbauer, senior vice president at security firm Shavlik Technologies, said in a statement e-mailed to InternetNews.com.
In addition to bringing together senior officials at the various agencies, the cybersecurity coordinator will also be a liaison to private industry and Congress.
As the administration’s cybersecurity point person on the Hill, the cyber czar will have a full plate.
Given the apparent focus on coordination, the administration’s legislative agenda for cybersecurity could begin with an issue like setting a uniform national requirement for data-breach notification to replace the patchwork of 44 different standards in place today.
“I think they would start with standardization,” TechGuard CEO Suzanne Magee told InternetNews.com. “It’s very hard to bring everything together without standardization.”
Following several failed attempts in previous sessions, data-breach legislation is back on the table in this Congress.
Another issue that the cyber czar will likely dive into is the push to update the Federal Information Security Management Act (FISMA), which established baseline criteria for secure computing practices in the agencies.
“In my view, FISMA serves a useful function because it defines how the risk assessment, control selection and audit processes are supposed to work at a federal level,” Forrester analyst Andrew Jaquith wrote in a blog post. “This is a good, but it is important to remember that FISMA is mostly about compliance with a security program and its processes, and not about the effectiveness of the security itself.”
Regarding the private sector, Dunkelberger said he took comfort in Obama’s pledge not to impose security regulations on the industry, as well as the commitment to Net neutrality he reiterated this morning.
“They’re going to continue to focus on the what, and they’re going to let industry focus on the how,” he said.