Phantom Post

Delays in appointing a cybersecurity czar cast doubt on the position.

As candidate for president, Barack Obama said he would appoint a national cyber adviser who would report directly to him and oversee the security of federal networks. Two months after he took office, President Obama announced Melissa Hathaway, the top cybersecurity adviser to the Director of National Intelligence, would spearhead a 60-day review to benchmark the security of federal networks and to determine what would be needed to shore up the systems.

Then in May, during a speech at Purdue University to release the results of the review, Obama confirmed that he would personally select a cyber coordinator. Government security specialists said such an announcement, issued by a sitting president, shined a spotlight on what had been an often overlooked, yet significant, issue of national security.

But as of mid-November, seven months after Obama's historic speech at Purdue, federal managers and the IT industry still were waiting for someone to fill the cyber post, and the White House continued to issue vague statements about the appointment.

Hathaway, considered the front-runner for the post, resigned from the acting role in August. Then Frank Kramer, an assistant Defense secretary in the Clinton administration, emerged as the lead candidate, but the Obama team remained mum.

The delay tested the patience of Republicans, and even Democrats. In September, Reps. James Langevin, D-R.I., and Michael McCaul, R-Texas, co-chairmen of the House Cybersecurity Caucus, sent a letter to Obama saying the continued absence of a cybersecurity coordinator "impedes the ability of federal agencies to move forward in updating and strengthening their aging cyber policies."

A former intelligence official is more candid with his frustration. "It's become one of the big disappointments for me in the administration," says the official, who asked to not be identified. "I don't envy Obama. He's launched a lot of interesting and important initiatives, and he's determined to see them through. But at the end of the day, there are times when you're better off making a move, getting people engaged and managing the consequences."

Talk in the federal IT community indicated the White House had a short list of qualified candidates, but many asked to have their names removed when news broke that the position would report to the National Security and Homeland Security Advisory councils-not to the president. Security professionals argue that reporting structure buries the position under bureaucratic layers, and they have sympathy for anyone in the job. The coordinator will come on board "after the ship has been shot full of holes," said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, during a September panel discussion. "It's easier to herd cats on Day One than it is to herd them on Day 112."

Although some say the delay has slowed the effort to secure government networks, Congress and some agencies have moved ahead with security initiatives. Bills have been introduced in the Senate and the House to improve information security controls for networks and systems connected to those that operate the nation's critical infrastructure, such as energy and transportation facilities. In May, Defense Secretary Robert Gates ordered the military to create a U.S. Cyber Command to oversee cyber operations across the Defense Department and intelligence agencies.

The Homeland Security Department, which protects civilian networks, announced it would move its cyber responsibility to the deputy undersecretary for its National Protection and Programs Directorate, Philip Reitinger. The shift includes the National Cybersecurity and Communications Integration Center. The department also began organizing its third large-scale cybersecurity exercise, called Cyber Storm III, which it plans to kick off in September 2010 to test the White House strategy for responding to a nationwide cyberattack. In addition, numerous agencies have announced plans to recruit cybersecurity specialists.

"It's a mistake to think that because the [cyber coordinator] position is not in place, nothing is happening," Reitinger said during an October panel discussion to kick off National Cybersecurity Awareness Month. "We're moving forward."

Leadership from the top is sorely needed if cybersecurity is going to be taken seriously, says Daniel Mintz, former chief information officer at the Transportation Department. Trying to create an overall strategy for information security was one of Mintz's biggest challenges as CIO because executives at the top seemed "more interested in notions than policy, and policy than implementation," he says.

But that disinterest seems to be fading. "DHS has really asserted itself in that space since the new administration took office," he said. "There's much more clarity in terms of leadership." Mintz is now chief technology officer for the civil and health services group at the federal consulting firm CSC.

If so much can be accomplished without a top cyber executive, it begs the question: Why appoint one? Many believe the Obama administration already is too crowded with figureheads.

Not necessarily, says Alan Balutis, director of the business solutions group at Cisco Systems. "No matter how you structure this, there will always be coordination problems," because cybersecurity issues extend beyond any one agency or even the government, he says. "Having someone senior at the White House level provides a strong platform to work across all the entities and groups that need to be a part of any national strategy."

According to Balutis, the delay in filling the position isn't an indication that the government's networks have gone unprotected. "There are a lot of important jobs in the administration that remain vacant. I don't know that it makes sense to single out this job to say delays will hurt," he says. "Let's see who's appointed and what he or she makes of the position."

As is the case for most senior positions, it's the individual's leadership skills that will mean success or failure. That is more important than when the appointment is made, says Samuel Visner, vice president of strategy and business development for CSC's enforcement, security and intelligence division. Hiring the right person will quell criticisms about the time lag, he says, comparing it with the delay of a rocket launch. People only remember whether the astronauts came back safely or the rocket blew up on the pad, Visner says. They don't remember whether the launch happened on time.

Others wonder whether the rocket will be powerful enough to complete its mission.

"Once someone is appointed, I am sure the agencies will sit up and be prepared to fall in," says Gregory Garcia, head of the information security consulting firm Garcia Strategies. "But clearly, the delay is an indication of indecision. Indecision creates inertia, and inertia creates frustration. The position is slowly withering on the vine."

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
FROM OUR SPONSORS
JOIN THE DISCUSSION
Close [ x ] More from GovExec
 
 

Thank you for subscribing to newsletters from GovExec.com.
We think these reports might interest you:

  • Sponsored by G Suite

    Cross-Agency Teamwork, Anytime and Anywhere

    Dan McCrae, director of IT service delivery division, National Oceanic and Atmospheric Administration (NOAA)

    Download
  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

    Download
  • Sponsored by One Identity

    One Nation Under Guard: Securing User Identities Across State and Local Government

    In 2016, the government can expect even more sophisticated threats on the horizon, making it all the more imperative that agencies enforce proper identity and access management (IAM) practices. In order to better measure the current state of IAM at the state and local level, Government Business Council (GBC) conducted an in-depth research study of state and local employees.

    Download
  • Sponsored by Aquilent

    The Next Federal Evolution of Cloud

    This GBC report explains the evolution of cloud computing in federal government, and provides an outlook for the future of the cloud in government IT.

    Download
  • Sponsored by LTC Partners, administrators of the Federal Long Term Care Insurance Program

    Approaching the Brink of Federal Retirement

    Approximately 10,000 baby boomers are reaching retirement age per day, and a growing number of federal employees are preparing themselves for the next chapter of their lives. Learn how to tackle the challenges that today's workforce faces in laying the groundwork for a smooth and secure retirement.

    Download
  • Sponsored by Hewlett Packard Enterprise

    Cyber Defense 101: Arming the Next Generation of Government Employees

    Read this issue brief to learn about the sector's most potent challenges in the new cyber landscape and how government organizations are building a robust, threat-aware infrastructure

    Download
  • Sponsored by Aquilent

    GBC Issue Brief: Cultivating Digital Services in the Federal Landscape

    Read this GBC issue brief to learn more about the current state of digital services in the government, and how key players are pushing enhancements towards a user-centric approach.

    Download

When you download a report, your information may be shared with the underwriters of that document.