The Last Watchdog

on Internet security by Byron Acohido

All eyes on consultant advising Obama on cybersecurity engagement

Posted on February 16, 2009 | 11 comments

All eyes in the Washington D.C. security and intelligence communities are riveted on Melissa Hathaway. Tech company executives, military leaders, lawmakers and senior White House officials who track cybersecurity matters are anxious to find out what the bright, young management consultant will advise President Obama to do about making the Internet safer.

“Protecting the public Internet … is a vital part of protecting America’s national security,” says Mike McCurry, co-chair of Arts+Labs, a lobbying group formed last September by Viacom, NBC Universal, AT&T, Microsoft, Cisco and the Songwriters Guild of America. “Cybercrime cost businesses an estimated $1 trillion worldwide in 2008, and some security experts believe the threat may be so bad that we may need to re-think our entire approach to the Internet.”

A born integrator

At the moment Hathaway, 40, has her hands on the fulcrum. She appears to be more than up to the task. In 15 years rising through the ranks at Booz Allen Hamilton’s Virginia office, she displayed a knack for lowering barriers between “stovepiped” military and intelligence organizations, says Booz Allen Senior Vice President Mark Gerencser, one of Hathaway’s mentors. Hathaway took to the emerging field of “info ops” — information warfare, including cyber raids and cyber defenses — like a fish to water.

“We were doing things to support information operations for the Army, Navy, the CIA and others, and her role was to integrate our collective thinking to benefit the clients,” says Gerencser. “She was an integrator. She knew where all the synergies were.”

Digital Pearl Harbor of intelligence

Fast forward to 2006. Cyberspies launch a non-stop onslaught against government and military networks in the U.S. and across Europe, reaching a fever pitch in the fall of 2007. Hints at how deeply intruders were penetrating U.S. government and military systems bubbled up in scattered news stories. Washington Post reporter Alan Sipress wrote this October 6, 2006 story about how hackers using Chinese Internet servers got deep inside computers of the Department of Commerce’s Bureau of Industry and Security. Hundreds of workstations had to be replaced, and employees were blocked from using the Internet for more than a month.

Sipress reported that the attacks had been going on since at least July 2006, as referenced in a series of e-mails sent out by Undersecretary of Commerce Mark Foulon. A chilling excerpt from Sipress’ story:

  • In an August (2006) e-mail, Foulon reported that the bureau had “identified several successful attempts to attack unattended BIS workstations during the overnight hours.” Then, early last month, he wrote: “It has become clear that Internet access in itself is a vulnerability that we cannot mitigate. We have tried incremental steps and they have proven insufficient.” A source familiar with the security breach said the hackers had penetrated the computers with a “rootkit” program, a stealthy form of software that allows attackers to mask their presence and then gain privileged access to the computer system. The attacks were traced to Web sites registered on Chinese Internet service providers, Commerce officials said. “We determined they were owned by the Chinese,” a senior Commerce official said.

Thereafter, in 2006-2007, allegations flew that Chinese military hackers had cracked into the Naval War College and even infiltrated the Pentagon. The Chinese government perfunctorily denied responsibility. But the Financial Times of London surfaced a Pentagon report indicating that Beijing has prepared a detailed plan to disable America’s aircraft carrier battle fleet with a cyber attack, as well as a push for “electronic dominance” over the USA, Britain, Russia and South Korea by 2050.

“The U.S. government got whacked,” says James Andrew Lewis, Director and Senior Fellow at the Center for Strategic and International Studies. “We had a massive penetration of a number of critical agencies by unknown foreign powers usually alleged to be China. It was a major failure. We probably had our cyber Pearl Harbor, but it was an intelligence Pearl Harbor, not one where infrastructure blew up or failed. The administration realized they had this huge problem, and something had to be done.”

Keith Alexander, Director of the National Security Agency, and Mike McConnell, Director of National Intelligence, persuaded President Bush to green-light development of a 12-point plan later to be dubbed the “Comprehensive National Cybersecurity Initiative,” or CNCI. (More on this below.) Bush ordered the $30 billion plan, which emphasized reducing the number of connections into government networks and shoring up cyber defenses, to be classified Top Secret.

Getting the Beltway moving

In March 2007, McConnell, a former senior partner at Booz Allen, rang up his old firm and told them to send over Hathaway, by now a master integrator. But she faced what many Beltway wags viewed as an impossible task, says Alan Paller, research director of The SANS Institute.

“The only sensible survival strategy for senior bureaucrats in the Bush-Cheney Washington was to keep your head down and avoid starting anything or doing anything that would make you visible,” says Paller. “Innovation was a four-letter word. Initiative was considered antagonistic to the common good. There were wonderful exceptions, but they were rare.”

Enter Hathaway. After helping top administration officials refine the 12-point cyber plan, she spent most of 2008 rallying appointed officials and entrenched career bureaucrats at a cross section of large federal agencies to “step up, commit resources, re-prioritize and make things happen faster than they had ever done anything in their government lives,” says Paller. Within six months “every agency that needed to act was acting.”

Cold shoulder from Bush

Meanwhile, in the same time frame but on a separate track, the bipartisan CSIS commission, made up of lawmakers and security experts, got rolling, and got a cold shoulder from the White House. “The Bush administration was afraid it was going to be criticized,” says Lewis. “They wanted to have their talking points in place. ‘We’ve taken the following steps to secure America,’ and then check all the right boxes. They were talking-point motivated.”

Even so, Lewis says Bush’s secret plan, put into motion with barely a year left in his presidency, did in fact make far-reaching inroads into locking down federal networks. “They were identifying the right problems. But this is where ideology hampered them and really crippled the initiatives,” he says. “They called it comprehensive, but it wasn’t really comprehensive.”

Bush’s plan simply ignored the need to forge alliances with European nations undergoing similar attacks. And it gave only a token nod to partnering with, and regulating if need be, the private-sector telecoms, ISPs and domain registrars that operate the backbone of the Internet. “It was good as far as it went, but it didn’t go far enough,” says Lewis. “Ultimately it is a single global network we’re talking about. Something that focuses on the DOD and the federal government won’t do. The Bush administration didn’t like regulations and wasn’t a big fan of international cooperation, and that was reflected in the CNCI.”

By the fall of 2008, despite the cold shoulder from the White House, the bipartisan CSIS commission had hammered out extensive recommendations and rationale calling for Bush’s successor to go beyond locking down government systems and to directly engage the private sector and foreign allies. The commission’s recommendations underwent heavy vetting, including Congressional hearings.

Ideally suited

Then, once the 44th president was elected, Hathaway quickly surfaced on the Obama transition team’s radar. “We wanted somebody who had a full grasp and understanding, so she was ideally suited for it [conducting the 60-day cybersecurity review],” a senior White House official told me. “I was very impressed with her understanding, her scope, and the fact that she didn’t have any type of parochial view about who should be doing what. She’s a very smart person who has a lot of familiarity, not just with the issues, but also with the people involved, and the different type of capabilities that reside in the different departments and agencies.”

Despite some confusing press coverage last week that alluded to Hathaway as the nation’s new cyber czar, she is probably not on track to be named to any such position. If she reiterates the CSIS recommendation calling for Obama to appoint a White House cybersecurity adviser reporting directly to the president, that appointee will likely be a bigger name. CSIS commission member Paul Kurtz has a great resume and is probably the front runner. And serial entrepreneur Rod Beckstrom, author of The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations, is a dark horse, according to this Forbes story.

11 Comments

  1. Hathaway certainly has a full plate!

  2. Sounds like censorship with a silver lining. The question is who is going to watch Big Brother while they are watching you.

  3. A huge job and much too late, but it is necessary that the initiative is there. Our state data is, and always has been, one of the most important entities to protect.

    The act of protecting and monitoring data and data access for the entire government is going to be a big task. Perhaps it’ll kill two birds with one stone and create some more jobs too!

  4. The Obama Administration is entering a world that is more interconnected than ever before, and one effect of this connectedness is a real threat to all types of data. By wisely taking a holistic approach to data — involving ISPs, carriers, governmental bodies and private corporations — the Administration will cast a wide security net. The reality, however, is that data breaches will still occur. In this new global environment, the Administration can be seen to be taking a lead in creating standardized approaches after a breach has occurred – the EU needs to follow the US (California and many other states) in this respect. What the past two years have shown — with Hannaford, TJX, Heartland, etc. — is that notification laws vary and the consumer is often the last priority. The Administration needs to put notification at the center of its cybersecurity strategy, so that consumers and others are not left guessing and piecing together important parts of their personal histories after a breach has occurred.

  5. Protecting the information that is stored and transmitted online by both the government and private enterprises, especially in the worst economy since the Great Depression, is an issue that must be moved from the back to front burner.

    Since 2005, we have been barraged with reports of database compromises which grow more sophisticated (monster.com) and larger (Heartland Payment Systems – perhaps the largest in history) by the day, and are examples of what does happen when adequate steps aren’t taken to protect data and the Internet. Identity Theft 911, of which I am Co-Founder and Chairman, recently released a report titled “The Perfect Storm” which predicts that data breaches and identity theft will increase dramatically as the economy continues to decline, a stance that has since been supported by a Javelin Strategy and Research report.

    From my position, I have firsthand knowledge of how compromised data can turn into identity theft cases costing untold amounts in lost time, resources and money. For companies it can range into the tens of millions of dollars; for governments it can result in the loss of state secrets and large payouts (see the VA breach); for individuals it can result in permanent lost savings and damaged credit that could take years to restore.

    The first step in averting identity theft is protecting information. The Obama administration has, seemingly, made a step in the right direction with Melissa Hathaway. However, there are many more steps that must be taken, some of which are outlined in “The Perfect Storm.” (You can find the report at http://identitytheft911.org/newsletters/index.htm).

    Data breaches and identity theft are already severely out of hand. Yet, I believe we have only seen the tip of the iceberg. With over 252 million records improperly exposed since 2005 (and only 2-3 percent of the people on those databases experiencing personal compromises), one can only wonder who might have access to the information of the 97 percent who have not yet had an identity theft issue and ponder – in light of 9/11 – what plans the ill intentioned have for the rest of us. Undoubtedly, now is the time for industry leaders and resources to come together to develop and implement a true solution.

    Best,
    Adam Levin
    Co-Founder and Chairman
    Identity Theft 911

  6. I think Melissa Hathaway seems like a good choice. You need a thoughtful person who is not entrenched in their position. Security in depth is the key. One solution doesn’t solve everything. If hosts keep getting compromised, we will keep getting bots. If we don’t educate the public, social engineering attacks will keep happening. We need somebody who can understand the gamut of solutions, and then pick the right mix of solutions.

    The problem is hard and daunting. Good luck Melissa!

  7. I am posting this as news of another processor breach is emerging. Obama has a unique opportunity to drive through political changes nationally and internationally to raise the security bar here. At a corporate level, he could tighten up disclosure rules – making them faster, with fewer loopholes. At an individual transaction level, he could also bring US credit card handling up to European levels, where cards contain chips which are read for customer present transactions and where the security code on the back is ALWAYS required when not present. The US should be taking a world lead on these issues and he has a golden opportunity to make this happen.

  8. After well over 500 phone calls, letters and emails to the Bush Bunker, DOD, etc. Even a cease-and-desist letter from Senator Lieberman’s chair of the DHC. This was at the behest of his Chief of Staff & Counsel. That email was blown up and hangs over my desk. Lastly, my own Senator Schumer of the TSA Committee.

    Now for the good news: on February 12, I called the People’s House, asked for General Jones’s Chief of Staff, and told him that our govt might be interested in our system that “ACTUALLY PREVENTS MOST CYBER BREACHES” and that the Canadian Govt Dept of Public Safety (DHS) had been a satisfied client for the past 26 months. He then said, even if I have to trip him running to and from meetings, you will hear from us within 48 hours. They were also very respectful, and it was a good feeling knowing that this country has a real leader and a team working at the pace they are. The process was respectful, they didn’t need a paper trail, and I would be contacted in 48 hours. Allowing for Presidents’ Day, they met their commitment when Ms. Hathaway called me. 30 minutes later she said that the President’s Cyber Report had a higher priority, but we would still commence a review, but don’t expect an answer soon.
    Congratulations America, we are finally in good hands.
    Be pleased to dialog with anyone personally:
    continuump@gmail.com

  9. +1

  10. All eyes in the Washington D.C. security and intelligence communities are riveted on Melissa Hathaway.

  11. What’s happening? I’m new to this, I stumbled upon this, I have discovered it absolutely useful and it has helped me out loads. I hope to contribute & help other customers like it’s helped me. Great job.

    Also visit my website:
    tw24.pl
