NATIONAL HARBOR, Md. — Amid all the recent talk in Washington about getting serious about cybersecurity, some skeptics have expressed concern that it might be just that — all talk, followed by little action.
But a senior White House official this morning official promised an audience of security professionals that unlike past federal reviews, which have been criticized for making promises that policymakers didn’t keep, this time is different.
Speaking at research firm Gartner’s annual Information Security Summit, Christopher Painter, the National Cybersecurity Council’s director of cybersecurity, outlined the steps the Obama administration is taking to move ahead with the recommendations of a 60-day review the president commissioned earlier this year.
In a speech accompanying the release of the review in May, Obama outlined a multi-prong plan to tighten up the nation’s cyber defenses, including the formation of a new position to coordinate cybersecurity policy across the agencies, Congress and the private sector.
But despite Obama’s assurance that the cybersecurity coordinator would have his full support and regular access to the Oval Office, critics have speculated that the position is too far down the bureaucratic pecking order to have any real clout. In practice, they warn, the role might end up little more than a glorified cheerleader.
Painter promised otherwise.
“The cyber coordinator is going to be more than just a figurehead,” he said. “We really have to deliver on the action plan.”
The previous two administrations have made noise about cybersecurity, including a policy review President Bush ordered in 2001, which resulted in a strategy directive two years later. But Painter noted that those efforts didn’t come with the mandate of a White House address, a jump-off point that he said elevated the issue to a chief policy priority.
“That’s really a watershed event,” Painter said of Obama’s speech. “That really sets the tone, not only in this country, but around the world.”
He added, “We had a strategy in 2003, but you didn’t have the president coming out and giving a speech on this, and that’s really, really important.”
In that address, Obama made the case that defending critical infrastructure against online threats is as much an economic priority as it is a security issue.
That was reflected in the structuring of the cybersecurity coordinator position, which will serve on both the National Security Council and the National Economic Council. He has yet to fill the position.
Obama’s efforts to bring cybersecurity into the mainstream fit with many of his other policy initiatives, where he is trying to apply technology solutions to areas like energy and health care. The idea of connecting the power grid to an interoperable network, while alluring for the energy savings it could yield, could have disastrous results if hackers were able to infiltrate the system and knock it offline. Similarly, the grand vision of an IT-based health care system where patients’ records are digitized and doctors can provide treatment to patients in remote areas through robust networks could quickly unravel if the technology were compromised.
“It’s really important to have security baked in from the beginning,” Painter said.
That goes for government, too. Other members of Obama’s tech team, particularly Aneesh Chopra and Vivek Kundra, who respectively fill the new positions of federal CTO and CIO, have been talking loudly about bringing new technologies to the federal computing apparatus to make it more efficient and collaborative.
[cob:Special_Report]As Chopra, Kundra and others tinker with new Web 2.0 technologies and moving the federal IT infrastructure to the cloud, Painter said they will work closely with the new cybersecurity coordinator to ensure that the government is leading by example.
“The cybersecurity coordinator is going to work very closely with [Obama’s] CTO and CIO,” he said. “The idea is, when we’re thinking about these new technologies, we’re thinking about security.”
Painter stressed the need to partner with foreign countries to develop a coordinated approach to combat cyber threats. He spoke of the “weakest-link problem,” where hackers will scour the globe to find a nation with lax cyber defenses, and route their attacks through servers in that nation to reach their ultimate target.
“It is clear that given the ubiquitous borderless nature of computer systems and computer networks that it doesn’t matter if we do everything right” if other nations aren’t on board, he said. “We need to have a dialogue with other countries.”
He also spoke of the delicate balance of protecting privacy while maintaining a reasonable level of security in networks that are under continuous threat. Obama has said he will appoint a privacy official to the National Security Council’s cybersecurity directorate to help ensure that the government’s cyber policing efforts don’t run roughshod over Americans’ civil liberties.
The two aren’t mutually exclusive, Painter said, pointing out that properly securing the systems that house personal information such as health records will keep people’s sensitive data private.
“It’s not a zero-sum game,” he said. “If we’re doing this right, we’re enhancing privacy.”