All eyes on consultant advising Obama on cybersecurity engagement

February 16th, 2009

All eyes in the Washington D.C. security and intelligence communities are riveted on Melissa Hathaway. Tech company executives, military leaders, lawmakers and senior White House officials who track cybersecurity matters are anxious to find out what the bright, young management consultant will advise President Obama to do about making the Internet safer.

“Protecting the public Internet … is a vital part of protecting America’s national security,” says Mike McCurry, co-chair of Arts+Labs, a lobbying group formed last September by Viacom, NBC Universal, AT&T, Microsoft, Cisco and the Songwriters Guild of America. “Cybercrime cost businesses an estimated $1 trillion worldwide in 2008, and some security experts believe the threat may be so bad that we may need to re-think our entire approach to the Internet.”

A born integrator

At the moment Hathaway, 40, has her hands on the fulcrum. She appears to be more than up to the task. In 15 years rising through the ranks at Booz Allen Hamilton’s Virginia office, she displayed a knack for lowering barriers between “stovepiped” military and intelligence organizations, says Booz Allen Senior Vice President Mark Gerencser, one of Hathaway’s mentors. Hathaway took to the emerging field of “info ops” — information warfare, including cyber raids and cyber defenses — like a fish to water.

“We were doing things to support information operations for the Army, Navy, the CIA and others, and her role was to integrate our collective thinking to benefit the clients,” says Gerencser. “She was an integrator. She knew where all the synergies were.”

Digital Pearl Harbor of intelligence

Fast forward to 2006. Cyberspies launch a non-stop onslaught against government and military networks in the U.S. and across Europe, reaching a fever pitch in the fall of 2007. A hint at how deep intruders were penetrating U.S. government and military systems bubbled up in scattered news stories. Washington Post reporter Alan Sipress wrote this October 6, 2006 story about how hackers using Chinese Internet servers got deep inside computers of the Department of Commerce’s Bureau of Industry and Security. Hundreds of workstations had to be replaced, and employees were blocked from using the Internet for more than a month.

Sipress reported that the attacks had been going on since at least July 2006, as referenced in a series of e-mails sent out by Undersecretary of Commerce Mark Foulon. A chilling excerpt from Sipress’ story:

  • In an August (2006) e-mail, Foulon reported that the bureau had “identified several successful attempts to attack unattended BIS workstations during the overnight hours.” Then, early last month, he wrote: “It has become clear that Internet access in itself is a vulnerability that we cannot mitigate. We have tried incremental steps and they have proven insufficient.” A source familiar with the security breach said the hackers had penetrated the computers with a “rootkit” program, a stealthy form of software that allows attackers to mask their presence and then gain privileged access to the computer system. The attacks were traced to Web sites registered on Chinese Internet service providers, Commerce officials said. “We determined they were owned by the Chinese,” a senior Commerce official said.

Thereafter, in 2006-2007, allegations flew that Chinese military hackers had cracked into the Naval War College and even infiltrated the Pentagon. The Chinese government perfunctorily denied responsibility. But the Financial Times of London surfaced a Pentagon report indicating Beijing has prepared a detailed plan to disable America’s aircraft carrier fleet with a cyber attack, as well as push for “electronic dominance” over the USA, Britain, Russia and South Korea by 2050.

“The U.S. government got whacked,” says James Andrew Lewis, Director and Senior Fellow at the Center for Strategic and International Studies. “We had a massive penetration of a number of critical agencies by unknown foreign powers usually alleged to be China. It was a major failure. We probably had our cyber Pearl Harbor, but it was an intelligence Pearl Harbor, not one where infrastructure blew up or failed. The administration realized they had this huge problem, and something had to be done.”

Keith Alexander, Director of the National Security Agency, and Mike McConnell, Director of National Intelligence, persuaded President Bush to green-light development of a 12-point plan later to be dubbed the “Comprehensive National Cybersecurity Initiative,” or CNCI. (More on this below.) Bush ordered the $30 billion plan, which emphasized reducing the number of connections between government networks and the public Internet and shoring up cyber defenses, to be classified Top Secret.

Getting the Beltway moving

In March 2007, McConnell, a former senior partner at Booz Allen, rang up his old firm and told them to send over Hathaway, by now a master integrator. But she faced what many Beltway wags viewed as an impossible task, says Alan Paller, research director of The SANS Institute.

“The only sensible survival strategy for senior bureaucrats in the Bush-Cheney Washington was to keep your head down and avoid starting anything or doing anything that would make you visible,” says Paller. “Innovation was a four-letter word. Initiative was considered antagonistic to the common good. There were wonderful exceptions, but they were rare.”

Enter Hathaway. After helping top administration officials refine the 12-point cyber plan, she spent most of 2008 rallying appointed officials and entrenched career bureaucrats at a cross section of large federal agencies to “step up, commit resources, re-prioritize and make things happen faster than they had ever done anything in their government lives,” says Paller. Within six months “every agency that needed to act was acting.”

Cold shoulder from Bush

Meanwhile, in the same time frame but on a separate track, the bipartisan CSIS commission, made up of lawmakers and security experts, got rolling — and got a cold shoulder from the White House. “The Bush administration was afraid it was going to be criticized,” says Lewis. “They wanted to have their talking points in place. ‘We’ve taken the following steps to secure America,’ and then check all the right boxes. They were talking-point motivated.”

Even so, Lewis says Bush’s secret plan, put into motion with barely a year left in his presidency, did, in fact, make far-reaching inroads into locking down federal networks. “They were identifying the right problems. But this is where ideology hampered them and really crippled the initiatives,” he says. “They called it comprehensive, but it wasn’t really comprehensive.”

Bush’s plan just plain ignored the need to forge alliances with European nations undergoing similar attacks. And it gave only a token nod to partnering with — and regulating, if need be — the private-sector telecoms, ISPs and domain registrars that operate the backbone of the Internet. “It was good as far as it went, but it didn’t go far enough,” says Lewis. “Ultimately it is a single global network we’re talking about. Something that focuses on the DOD and the federal government won’t do. The Bush administration didn’t like regulations and wasn’t a big fan of international cooperation, and that was reflected in the CNCI.”

By the fall of 2008, despite the cold shoulder from the White House, the bipartisan CSIS commission had hammered out extensive recommendations and rationale calling for Bush’s successor to go beyond locking down government systems and to directly engage the private sector and foreign allies. The commission’s recommendations underwent heavy vetting, including Congressional hearings, like this one.

Ideally suited

Then, once the 44th president was elected, Hathaway quickly surfaced on the Obama transition team’s radar. “We wanted somebody who had a full grasp and understanding, so she was ideally suited for it [conducting the 60-day cybersecurity review],” a senior White House official told me. “I was very impressed with her understanding, her scope, and the fact that she didn’t have any type of parochial view about who should be doing what. She’s a very smart person who has a lot of familiarity, not just with the issues, but also with the people involved, and the different type of capabilities that reside in the different departments and agencies.”

Despite some confusing press coverage last week that alluded to Hathaway as the nation’s new cyber czar, she is probably not on track to be named to any position like that. If she reiterates the CSIS recommendation calling for Obama to appoint a White House cybersecurity adviser reporting directly to the president, that appointee will likely be a bigger name. CSIS commission member Paul Kurtz has a great resume and is probably the front-runner. And serial entrepreneur Rod Beckstrom, author of The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations, is a dark horse, according to this Forbes story.