There was no way Melissa Hathaway was going to steal Pres. Obama’s thunder at the RSA Conference on security in San Francisco last week. Expectations ran high that Hathaway would divulge details from the exhaustive 60-day review of cybersecurity policy she just recently delivered to senior White House officials.
But her report remains under review by Obama. Hathaway, nonetheless, gamely took to the stage Wednesday afternoon, April 22, in front of several thousand tech industry executives, software engineers, computer scientists, analysts and reporters at the RSA Conference on security. The audience arrived early to jockey for good seats. Compensating, somewhat, for the meager steak she would deliver, Hathaway opened with some Hollywood sizzle.
As Hathaway arrived at the podium, the theme from Mission Impossible blared over the over PA.
Dum; dum, dum, dum. Dum; dum, dum, dum . . .
Hathaway stepped back and looked up at the giant video screens. Images appeared correlating to instructions from a disembodied voice:
Good afternoon Melissa Hathaway. The digital infrastructure shown here supports critical public services and is vital to the global economy . . . Criminals, terrorists and foreign adversaries have devised plans to use flaws in the infrastructure to hold the economy hostage, disrupt our government and threaten public safety. Your mission, Melissa, should you decide to accept it, is to assemble a team of experts, engage every possible stakeholder group and devise a strategy to work together for the common good . . . Please begin immediately. This Blackberry will self destruct in 60 days. Good luck.
Beginning of the beginning
After joking about which of her three Blackberries might blow up, Hathaway for the next 30 minutes stood stiff behind the podium, reading word-for-word from her prepared statement, which you can see here. She did call for “a White House organizational structure that can effectively address cyberspace-related issues, ” and noted that her recommendations to the president include “an action plan,” derived from 40 meetings with “stakeholder groups” and a review of more than 100 reports.
“When the report is made public you will see that there is a lot of work for us to do together and an ambitious action plan to accomplish our goals,” she said. “Sixty days’ work is just the beginning of the beginning.”
She concluded by issuing a rallying cry for a “holistic approach” to stemming rising cyber threats. “We need to sow the seeds for a national dialogue, nurture them, even see them in our dreams, to help this critical conversation grow,” she said.
Hathaway, who is 40, has two sons, 8 and 9. She took no questions from the audience.
As the crowd filed out of the massive main auditorium at Moscone Convention Center, I definitely heard some grumbling about lack of substance in her speech. But protocals tied Hathaway’s hands. I spoke to three Hathaway admirers who’ve actually worked with her. One was Rod Beckstrom, who resigned last month as a top cybersecurity official in the Department of Homeland Security. Beckstrom credited Hathaway for delivering a “very professional speech,” noting that he was encouraged by the “values of collaboration that were espoused, particularly working with international partners, which I think is critical.”
Beckstrom, who resigned in protest to being marginalized by the National Security Agency, received a small measure of vindication when NSA Director Lt. Gen. Keith B. Alexander said in an earlier RSA keynote that the NSA does not want to run cybersecurity for the U.S. government.
“It was nice to see the messaging changing,” say Beckstrom.
Another Hathaway fan: Dennis P. Gilbert, a principal from Booz Allen Hamilton’s Herndon, Virg. offices. Hathaway spent 15 years at Booz Allen building her reputation as a management consultant with an uncanny knack for getting military and intelligence policy wonks to collaborate. Gilbert told me he first encountered Hathaway in 1999 when he was was an Air Force Lt. Col., and Hathaway was an up-and-coming consultant on information warfare.
Gilbert recalls Hathaway as “resilient and determined” — and a political agnostic. To this day, he says, he doesn’t know if she’s a Democrat or Republican. “We worked with combatant commanders, and all the joint forces commanders, and with a lot of the special agencies to come up with our recommendations. And basically all of them were implemented, and a lot of them turned into programs that are funded today, 10 years later,” says Gilbert.
The projects Gilbert and Hathaway tackled generally involved integrating massive amounts of data from multiple sources and turning the data into something useful. “One of the things we looked at was second and third order of effects, the notion that everything was connected through the Internet, and when you do something, everything is affected,” recalled Gilbert. “We looked at what the ripple effect would be across the DoD, across government, maybe even across the private sector.”
Sound familiar? “Ten years ago we found everything is integrated, beyond sometimes what we even understood,” says Gilbert . “We had to look at things holistically to solve the problem. You can see how those types of themes are in the problem set that we have today. Everything is interconnected. I definitely see the parallel.”
Yoda of cybersecurity
The skills Hathaway demonstrated in getting bull-headed military brass and intelligence officials to play nice ultimately got her called up to the big leagues of presidential politics. In March 2007, she was recruited to do the grunt work of marshaling support for President Bush’s then-top secret Comprehensive National Cyber Security Initiative. This required getting big bureaucracies and the military branches to buy into Bush’s secretive $30 billion plan to keep foreign cyberspies from continuing to clean out government databases.
Meanwhile, in the same time frame, but on a separate track, a bi-partisan collection of 60 tech industry executives, military officials and a handful of lawmakers formed a special commission to hammer out a consensus view of what U.S. cybersecurity policy should look like. The commission, convened by the Center for Strategic and International Studies (CSIS), ultimately delivered this stack of recommendations, titled “Securing Cyberspace for the 44th President,” to Obama last December. The CSIS report has since been downloaded more than 35,000 times.
Hathaway became and something of an ad hoc member of the CSIS commission; she debriefed the commissioners regularly about what Bush was up to, and continued doing so as Obama’s go-to cybersecurity expert. CSIS commissioner, Tom Kellermann, has worked closely with Hathaway over the course of the past year and a half.
After hearing Hathaway’s Mission Impossible keynote at RSA, Kellermann, Vice-President of Security Awareness at Core Security Techonologies, had this to say: “I have utmost faith in her holistic vision and I have utmost faith in her leadership style.”
Kellerman says that the appointment of a cabinet-level cybersecurity adviser to lead the holistic charge, appears to still be on the table, despite Obama already having named a White House CTO and CSO.
What’s more, Kellermann believes the White House is giving Hathaway serious consideration as a darkhorse candidate for the nation’s top cybersecurity job; she’s said to be vying against two, and possibly three, longtime Beltway power brokers. If it were up to Kellermann, Hathaway would be the slam dunk choice for cybersecurity czar.
“I worked with Melissa Hathaway and her team for a year and a half while we produced the presidential commission report. I’ve had the privilege of sharing a cup of coffee with Melissa Hathaway. I think she’s by far one of the most wise person to tackle this issue that I’ve seen in years,” says Kellermann. “Her style is very in depth, but also very holistic. She takes copious notes, and she reads heavily. That’s not a common phenomenon in Washington D.C., I must say.”
According to Kellerman, Hathaway appears to be a student of Sun Tzu, author of The Art of War. “One of the things she says all the time is, ‘offense will inform defense,’ ” he says. “She is constantly looking at the questions of ‘How do we coalesce policy, procedure, technologies and authority to create something that could stand the test of time and win this fight?’
“I really have a lot of faith in her. She’s so wise, she’s like the Yoda of cyber, because of all that research and all that background work she’s done. And also, to be honest with you, I think a woman’s perfect for this. Psychologically men are reactive, period. Women are proactive.”
By Byron Acohido
Photo: Hathaway gets her assignment at RSA Conference 2009. (Byron Acohido photo)