Delays in appointing a cybersecurity czar cast doubt on the position.
As candidate for president, Barack Obama said he would appoint a national cyber adviser who would report directly to him and oversee the security of federal networks. Two months after he took office, President Obama announced Melissa Hathaway, the top cybersecurity adviser to the Director of National Intelligence, would spearhead a 60-day review to benchmark the security of federal networks and to determine what would be needed to shore up the systems.
Then in May, during a speech at Purdue University to release the results of the review, Obama confirmed that he would personally select a cyber coordinator. Government security specialists said such an announcement, issued by a sitting president, shined a spotlight on what had been an often overlooked, yet significant, issue of national security.
But as of mid-November, seven months after Obama's historic speech at Purdue, federal managers and the IT industry still were waiting for someone to fill the cyber post, and the White House continued to issue vague statements about the appointment.
Hathaway, considered the front-runner for the post, resigned from the acting role in August. Then Frank Kramer, an assistant Defense secretary in the Clinton administration, emerged as the lead candidate, but the Obama team remained mum.
The delay tested the patience of Republicans, and even Democrats. In September, Reps. James Langevin, D-R.I., and Michael McCaul, R-Texas, co-chairmen of the House Cybersecurity Caucus, sent a letter to Obama saying the continued absence of a cybersecurity coordinator "impedes the ability of federal agencies to move forward in updating and strengthening their aging cyber policies."
A former intelligence official is more candid with his frustration. "It's become one of the big disappointments for me in the administration," says the official, who asked to not be identified. "I don't envy Obama. He's launched a lot of interesting and important initiatives, and he's determined to see them through. But at the end of the day, there are times when you're better off making a move, getting people engaged and managing the consequences."
Talk in the federal IT community indicated the White House had a short list of qualified candidates, but many asked to have their names removed when news broke that the position would report to the National Security and Homeland Security Advisory councils-not to the president. Security professionals argue that reporting structure buries the position under bureaucratic layers, and they have sympathy for anyone in the job. The coordinator will come on board "after the ship has been shot full of holes," said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, during a September panel discussion. "It's easier to herd cats on Day One than it is to herd them on Day 112."
Although some say the delay has slowed the effort to secure government networks, Congress and some agencies have moved ahead with security initiatives. Bills have been introduced in the Senate and the House to improve information security controls for networks and systems connected to those that operate the nation's critical infrastructure, such as energy and transportation facilities. In May, Defense Secretary Robert Gates ordered the military to create a U.S. Cyber Command to oversee cyber operations across the Defense Department and intelligence agencies.
The Homeland Security Department, which protects civilian networks, announced it would move its cyber responsibility to the deputy undersecretary for its National Protection and Programs Directorate, Philip Reitinger. The shift includes the National Cybersecurity and Communications Integration Center. The department also began organizing its third large-scale cybersecurity exercise, called Cyber Storm III, which it plans to kick off in September 2010 to test the White House strategy for responding to a nationwide cyberattack. In addition, numerous agencies have announced plans to recruit cybersecurity specialists.
"It's a mistake to think that because the [cyber coordinator] position is not in place, nothing is happening," Reitinger said during an October panel discussion to kick off National Cybersecurity Awareness Month. "We're moving forward."
Leadership from the top is sorely needed if cybersecurity is going to be taken seriously, says Daniel Mintz, former chief information officer at the Transportation Department. Trying to create an overall strategy for information security was one of Mintz's biggest challenges as CIO because executives at the top seemed "more interested in notions than policy, and policy than implementation," he says.
But that disinterest seems to be fading. "DHS has really asserted itself in that space since the new administration took office," he said. "There's much more clarity in terms of leadership." Mintz is now chief technology officer for the civil and health services group at the federal consulting firm CSC.
If so much can be accomplished without a top cyber executive, it begs the question: Why appoint one? Many believe the Obama administration already is too crowded with figureheads.
Not necessarily, says Alan Balutis, director of the business solutions group at Cisco Systems. "No matter how you structure this, there will always be coordination problems," because cybersecurity issues extend beyond any one agency or even the government, he says. "Having someone senior at the White House level provides a strong platform to work across all the entities and groups that need to be a part of any national strategy."
According to Balutis, the delay in filling the position isn't an indication that the government's networks have gone unprotected. "There are a lot of important jobs in the administration that remain vacant. I don't know that it makes sense to single out this job to say delays will hurt," he says. "Let's see who's appointed and what he or she makes of the position."
As is the case for most senior positions, it's the individual's leadership skills that will mean success or failure. That is more important than when the appointment is made, says Samuel Visner, vice president of strategy and business development for CSC's enforcement, security and intelligence division. Hiring the right person will quell criticisms about the time lag, he says, comparing it with the delay of a rocket launch. People only remember whether the astronauts came back safely or the rocket blew up on the pad, Visner says. They don't remember whether the launch happened on time.
Others wonder whether the rocket will be powerful enough to complete its mission.
"Once someone is appointed, I am sure the agencies will sit up and be prepared to fall in," says Gregory Garcia, head of the information security consulting firm Garcia Strategies. "But clearly, the delay is an indication of indecision. Indecision creates inertia, and inertia creates frustration. The position is slowly withering on the vine."