Coordinator in chief
What experts say Obama's cybercoordinator must do to succeed
By Ben Iannotta
July 01, 2009
July 01, 2009
When America's first national cybersecurity coordinator arrives at the White House, he or she will have to settle long-standing questions about the precise roles of the military, private companies and federal regulators in protecting the country's electrical systems, water supplies and other services from a hacker's computer keystrokes.
President Barack Obama said he would personally choose and meet regularly with the coordinator, a position he announced in a May 29 speech at the White House. He said this person will have an office and staff in the White House, and will draft a "comprehensive" national cyberstrategy in "partnership" with the U.S. computer industry and government agencies. The coordinator — White House officials are not using the term "czar" — would work closely with White House budget officials on spending decisions and coordinate U.S. responses in the event of a cyberattack, he said.
Obama spoke in the East Room before a cast of 120 mostly civilian VIPs, an exception being Marine Corps Gen. James E. Cartwright, the vice chairman of the Joint Chiefs of Staff, whose job is to set the military's buying priorities. Also in the East Room were corporate CEOs and independent analysts who participated in the administration's "Cyberspace Policy Review," a fact-finding mission led by Melissa Hathaway, a former Bush administration intelligence official and now the top cyberofficial at the National Security Council. Hathaway and her staff met with networking companies, independent analysts and defense officials over the course of 60 days.
By placing responsibility for cybersecurity within the White House, and announcing a partnership with the industry, Obama set the U.S. on a different path than that of the Bush administration, which had relied on a combination of free market forces, presidential directives and the leadership of the Department of Homeland Security (DHS) to protect the private infrastructure. Instead of DHS leading the way, a White House official would be in charge, and this official would have a direct line to the White House Office of Management and Budget (OMB), which assembles spending requests from U.S. agencies into the annual budget requests to Congress. "It's going to be very important for the coordinator to work with OMB to ensure cybersecurity is adequately funded," said an OMB official in the East Room.
Neither Obama nor the 38-page Hathaway report spelled out precisely what actions the new spending authority and partnership with the industry would produce.
Would the government work with computer and software companies to draft regulations defining the security standards for the software underlying the U.S. infrastructure? Electrical hubs, for example, now have Internet Protocol addresses, which helps managers run electrical grids more efficiently, but also makes them vulnerable. Would better cybersecurity at such sites remain voluntary, as was the case under the Bush administration? Would the government cover the costs of beefed up cybersecurity in the private sector? For its part, the Hathaway report called for refining "government procurement strategies" and improving "market incentives" as the answer, but it did not define those steps any further. Would the coordinator's decisions affect the 2010 budget, which is currently before Congress, or wait until 2011 for impact?
Obama also did not discuss the controversial issue of America's offensive cyberattack planning, nor the precise role of the intelligence community and military in securing the U.S. private-sector infrastructure.
Military efforts
In recent months, military officials have been engaged in their own effort to reorganize themselves for cybersecurity. In May, for example, the U.S. Air Force announced it would establish a 400-person cyberheadquarters and operations center at Lackland Air Force Base, Texas, to coordinate cyberdefense with other services and, when necessary, launch offensive cyberactions. Originally, the Air Force planned on establishing its own cybercommand but backed away when critics said the service should focus on working with the other services instead of trying to lead in the cyberdefense domain.
Air Force Maj. Gen. William Lord, the service's top cybercommander, said "six verbs" would govern the work of the new 24th Air Force, the group focused on cyberspace: "establish, operate and maintain, defend, and exploit and attack." He spoke in late March at the National Space Symposium, before the service announced the location of the cyberheadquarters and operations center.
Lord said U.S. offensive cyberactions could turn out to be critical in future wars: "If you think about not warfare today, but warfare maybe 20 or 50 years from now, maybe it's not about the kinetic destruction of people or facilities. Maybe it's about so confusing a technologically advanced force by scrambling their technology that they don't have the ability to conduct warfare."
Part of the Obama strategy is likely to focus on technologies for identifying cyberattackers without violating the privacy of Internet users, something defense officials said would not be technically easy. "Two years ago in April, a million computers from 75 different nations attacked Estonia. Who do you go to war with?" he said. "Most of that attack came from [unknown people in] the United States. We're friends with Estonia," he said. "So figuring out: One, who the enemy is, and second, what's the intent of an enemy, in this domain, is very, very challenging."
Lord said the Air Force advised the Hathaway panel indirectly about the Air Force's plans and views on major cyberissues through the Pentagon's Joint Staff and the Office of the Secretary of Defense. Lord said reacting quickly to a cyberattack would be one of the great challenges confronting the country.
"What happens when you track back an IP address to you-name-the-country? How do you get law enforcement to that address, that physical address and using the laws of that country say, 'Stop that stuff?' That process takes weeks today. And we've got figure out how to make it occur more quickly," he said.
As far as military management of cyberdefense, Lord said defense officials were discussing the possibility of establishing a "sub-unified command" under U.S. Strategic Command to coordinate cyberwork among all the services. At about the time of Obama's announcement, The New York Times and The Associated Press reported that the U.S. was on the verge of establishing a new Cyber Command.
Though much is left to be sorted out, industry officials, by and large, said they were pleased that the White House had set a tone of partnership and will establish a high-level authority to define the national cyberstrategy under which the government, in all likelihood, would spend billions of dollars to improve security.
"It's encouraging to watch the United States and President Obama take the lead here in trying to innovate," said David DeWalt, CEO and president of McAfee, the computer security giant. DeWalt was one of those invited to gather in the East Room.
He said the importance of the word partnership, meaning with the industry and government, should not be discounted. "We believe the lack of partnership in the past has actually enabled the criminal behavior and terrorist behavior to emerge quicker, and with more force than had we had this interlock," he said.
Gregory Q. Brown, president and CEO of Motorola, also was in the East Room. "My team has met with [Hathaway], and we're very supportive," he said. He said Motorola is ready to help advise the government about how to keep networks secure, particular during emergency responses.
Budget link
Obama's most significant move, several attendees said, might have been when he underscored the cybercoordinator's relationship with the White House Office of Management and Budget.
"The way you get anyone to do anything is through the budget," said Alan Paller, director of research and defense at the SANS Institute, which researches information security technology. "That's what was wrong before. DHS didn't have any leverage" over spending at other agencies involved in cybersecurity, he said. "DHS could say anything they wanted and everyone could ignore them because there were no consequences."
Agencies have to listen to OMB or risk losing spending for other priorities, he said. "If you ignore OMB, the consequences are very sharp," he said.
Obama said he will designate cybersecurity one of "my key management priorities" and that the office of the cybercoordinator would set cyberpriorities and work "closely" with OMB "to ensure agency budgets reflect those priorities."
How much time the government should take before spending money under the new plan could emerge as an area of disagreement between the government and the industry. The Hathaway review describes refinement of government procurement strategies and establishment of market incentives as "Mid-Term" actions. Even at that, they are listed in line No. 14 of a table showing 14 mid-term actions.
Even so, Paller predicted the Obama administration would begin using the procurement process, in particular the defense process, in the near term "because it's the lever. It's the one you can move."
Also unclear in the Obama announcement was whether the emerging cyberstrategy would affect spending in the 2010 budget, which the administration sent to Capitol Hill three weeks before Hathaway's finding were made public and Obama announced the cybercoordinator office.
DeWalt of McAfee said it would be unwise to wait until the 2011 budget request to start applying funds under the administration's emerging cyberpolicy. "My opinion is, every day that we wait is another day that we're completely vulnerable. And I think, again, this activity [in the White House East Room] was a step in the right direction," he said.
DeWalt said the government already has billions of dollars of cyberdefense money in play because of the Bush administration's cyberinitiative. In 2008, with attempts to penetrate U.S. networks on the rise, the Bush administration launched the largely-classified Comprehensive National Cyber Security Initiative, which was defined by two executive directives, Presidential Directive 54 and Homeland Security Directive 23.
Former-Homeland Security Director Michael Chertoff announced the initiative and his agency oversaw the effort. Observers expect the Obama team to rework much of the Internet monitoring and intelligence-gathering policies contained within the Bush initiative. Obama, for example, said this cyberoffice "will also include an official with a portfolio specifically dedicated to safeguarding the privacy and civil liberties of the American people."
The differences in philosophy are huge, but the money and momentum remain. "This isn't starting from scratch with nothing," DeWalt said. "There is been some budget laid out from the previous administration. There is some opportunity to leverage that into the new programs," he added.
Industry officials said they expect the Obama strategy to focus less on spying on individual Internet users and more on securing private-sector networks related to critical infrastructures, and improving early-warnings of attempts to spread viruses and computer worms.
Federal regulations
One of the great debates among industry officials and analysts has been about the appropriate role for federal regulations, and whether it would be wise for an administration and Congress to create a new regulatory law that would require certain security software and procedures for private-sector networks. Such an act could be patterned after the U.S. Sarbanes-Oxley law that defines the kind of records financial institutions must make public, DeWalt said.
The topic of regulations was a hotly contested one during a series of meetings in 2007 through 2008 organized by the Center for Strategic and International Studies (CSIS), a think tank based in Washington. CSIS officials wanted to recommend a cyberstrategy for the incoming president. The experts met periodically over the course of more than a year, and in December, the group released its report, "Securing Cyberpspace for the 44th Presidency."
"We deliberated for about 14 months on that issue," said Phyllis Schneck, McAfee's director of threat intelligence for the Americas, and a member of the CSIS panel.
In the end, the CSIS panel was not shy about recommending federal cyber-regulations. The panel blasted the Bush administration's 2003 National Strategy to Secure Cyberspace for relying on market forces and ruling out federal regulation as a major player.
"In pursuing the laudable goal of avoiding overregulation, the strategy essentially abandoned cyber defense to ad hoc market forces. We believe it is time to change this. In no other area of national security do we depend on private, voluntary efforts. Companies have little incentive to spend on national defense as they bear all of the cost but do not reap all of the return. National defense is a public good. We should not expect companies, which must earn a profit, to survive, to supply this public good in adequate amounts," the CSIS panel said.
Obama stopped well short of embracing the CSIS wording: "My administration will not dictate security standards for private companies. On the contrary, we will collaborate with industry to find technology solutions that ensure our security and promote prosperity," he said.
Schneck said the Obama administration will need to find incentives. "How do we take a private-sector company that at the end does need to make money, and enable them to not only protect their infrastructure, but do things in the public good, and still remain profitable?" she said.
In the coming months, those in the East Room said one passage in Obama's 16-minute speech makes them certain that cybersecurity will remain a priority for the administration. Obama said that between August and October 2008 — the final stretch of the U.S. election campaign — "hackers gained access to e-mails and a range of campaign files, from policy position papers to travel plans." He said his campaign hired security consultants and met with the FBI and the Secret Service.
"It was a powerful reminder: In this Information Age, one of your greatest strengths — in our case, our ability to communicate to a wide range of supporters through the Internet — could also be one of your greatest vulnerabilities," he said.
Posts
