Posted on | April 15, 2009 | 6 comments
Word is that Melissa Hathaway’s 60-day review of U.S. cybersecurity policyÃ‚Â will hit President Obama’s desk this Friday, April 17. Precisely when the White House makes it public will be an indicator of how high a priority this is with Obama, who certainly has his plate full with a few other weighty matters.
A leak of the executive summary of Hathaway’s review sometime in the next 48 hours — in time to make the all-day Friday news cycle — wouldÃ‚Â mean one thing. Official White House release of the reviewÃ‚Â late Friday afternoon, when major news operations are winding down for the weekend, means another.
All eyes of the tech security community are on this thing. It will signal what approach Obama will take inÃ‚Â trying to stem rising cyberthreats. Obama has said he will make the Internet safer for all citizens and businesses, while playing catchup to China and Russia who are far ahead in the cyberwarfare arms race.
Obama’s big challenge
Getting ultra competitive tech security vendors, secretive corporations, convenience-addicted individuals and power-hording intelligence agencies on the same page about cybersecurity is a gargantuan challenge.
“We’re trying to do cybersecurity in a deomocracy,” says Leslie Harris, President and CEO of the Center for Democracy & Technolgy. “Doing cybersecurity in China, my guess, is a lot easier.”
CDT held a press briefing this morning at which it warned that a cybersecurity bill, introduced earlier this month by Sen. John Rockefeller D-W.Va and Sen Olympia Snowe R-Maine, is the first of several that likely will be proposed — once Hathaway’s review is out.
Harris said CDT agrees with a provision in the Rockefeller-Snowe bill that would create a cabinet-level cybersecurity adviser reporting directly to President Obama, but questions some of the extraordiary federal enforcement powers that could be created. CDT doesn’t want citizens’ civil liberties trampled upon.
High marks for transparency
CDT general counsel Greg Nojeim gave Hathaway high marks for keeping her review process relatively open, in contrast to the Bush Administration’s penchant for secrecy. “So far the White House review team gets high grades on transparency,” Nojeim said. Hathaway has kept her running shoes on. She has held closed briefings in the past several weeks with Congressional committees, industry groups and privacy organizations, said Nojeim.
“But the real test will be whether their recommendations reflect a commitment to transparency in the execution of the program,” said Nojeim.
Alluding to widespread criticism of Bush’s secrecy and lack of leadership on cybersecurity, Nojeim observed: “It has become clear from the lack of transparency in the cybersecurity initiatives from the last administration that a lack of transparency is an indicator that the program might not be successful,” said Nojeim. “Transparency builds trust both at the business level and at the public level.”
It will be a shocker, given rising consensusÃ‚Â support for a White House cybersecurity adviser, if Hathaway leaves open the option for Obama to follow Bush’s lead and give the secretive National Security Agency defacto control over implementing U.S. cybersecurity policy, in whatever form Obama shapes it into.
Will NSA get to stay in control?
NSA quite naturally is moving to consolidate its tight grip. A glimpse of this was disclosed when a top cybersecurity official at the Department of Homeland Security, Rod Beckstrom, suddenly resigned. Beckstrom contended in his letter of resignation that he was being marginalized by NSA.
CDT praised NSA’s technical knowledge, but called on NSA to share moreÃ‚Â with the Department of Homeland Security, which stands a much better chance of shaping necessary private-public partnerships, and gaining public support.
“People sometimes forget that DHS was staturtorily charged with protecting critical infrastructure,” said Nojeim. “And when you look at some of the criticisms of how DHS has fallen short of securing our infrastructure, a lot of the problems are fixable.”
Specifically, Nojeim suggested DHS could cull expert training from the NSA,Ã‚Â as well as bring in expertise from tech security vendors.
Harris noted that tech vendors complain endlessly about the NSA’s refusal to share “actionable information” that would be useful in shoring up gaping holes in the Internet.
“There has got to be somebody else making the decisions about what needs to be shared. NSA is not an agency designed, nor inclined, as a principle function to protect civil liberites,” said Harris. ” Somebody else has to be in charge. And we we think DHS is the right operational lead. And certainly having the White House in a coordinating, and bully pulpit, leadership role will be very important. We do anticiapte they will put a coordinating, and possibly a policy authority, in the White House.”