Enterprise Strategy Group | Getting to the bigger truth.TM

Briefs: Federal Cybersecurity Coordinator Priorities
Published on Thursday, September 17th, 2009 at 1:08 pm
Categories: Briefs | Data Protection Software & Services | Information and Risk Management | Security Management | Security and Privacy
Authors: Jon Oltsik
In May 2009, President Obama stated his intention to appoint a cybersecurity coordinator to monitor, manage, and organize cybersecurity efforts in the U.S. federal government. While this position remains vacant today, ESG has compiled a list of 10 high priorities for the cybersecurity coordinator when he or she is appointed.

Overview

When then-candidate Barack Obama was running for President of the United States, he pledged to make cybersecurity improvement and management a priority in his administration.  Upon winning the election and taking office, President Obama began to follow through on this promise by commissioning a Cyberspace Policy Review led by Melissa Hathaway in February of this year.

With the publication of the report in May 2009, the President held a press conference to outline the report’s findings.  One key weakness pointed out in the report was how the government is organized around cybersecurity.  The report states:

The Federal government is not organized to address this growing problem effectively now or in the future.  Responsibilities for cybersecurity are distributed across a wide array of federal departments and agencies, many with overlapping authorities, and none with sufficient decision authority to direct actions that deal with often conflicting issues in a consistent way.  The government needs to integrate competing interests to derive a holistic vision and plan to address the cybersecurity-related issues confronting the United States.  The Nation needs to develop the policies, processes, people and technology required to mitigate cybersecurity-related threats.[1]

To overcome these issues, the number one item specified in the near-term action plan recommended that the President was to:

Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and NEC, to coordinate interagency development of the cybersecurity-related strategy and policy.[2]

The Cybersecurity Coordinator’s To-Do List

While the President stated that he would quickly follow this recommendation, the “cybersecurity coordinator” role remains vacant as of this writing.  This opening has become a point of contention for cybersecurity professionals and leading voices for cybersecurity on Capitol Hill.  In early September, House Cybersecurity Caucus Co-Chairs Jim Langevin (D, RI) and Mike McCaul (R, TX) sent a letter to the President urging that he move quickly to fill this crucial position.

While it certainly appears that filling this position has been difficult and may have taken a back seat to health care reform, it is likely that the President will heed the advice of the cybersecurity community and appoint a qualified individual to this important role soon.  When this person finally arrives, there will be little time for on-the-job training—ESG believes that the state of cybersecurity today demands immediate action.

Based upon months of cybersecurity research, ESG recommends that the new cybersecurity coordinator prioritize the federal government’s efforts in the following areas:

  1. Emergency response. According to a GAO report of May 25, 2009 titled “Cybersecurity, Continued Federal Efforts are Needed to Protect Critical Systems and Information,” the Department of Homeland Security (DHS) and US-CERT suffer from several critical deficiencies in their abilities to baseline technical IT assets, distribute critical cybersecurity information, and dedicate ample resources in response to a major cyber attack.  The report goes on to conclude that, “without fully implementing the key attributes, US-CERT did not have the full complement of cyber analysis and warning capabilities essential to effectively perform its national mission.”  This point cannot be overstated.  According to GAO, the Federal government is not prepared to detect, isolate, or respond to a major multi-faceted cyber attack.  The cybersecurity coordinator must work with GAO, NSA, and others to further define gaps in US-CERT capabilities—and close them as soon as possible.  This may mean outsourcing some major emergency response activities in the short term while the Feds get their act together.
  2. Training the public. To protect citizens and national assets, the federal government readily supports public service campaigns for public health, law enforcement, and the environment.  The same types of resources and guidance must be applied to cybersecurity.  Many research studies show that typical computer users don’t understand good security behavior; a large percentage of users don’t even run security software.  These unsafe computing habits lead to cybercrime and growing numbers of dangerous botnets.  The cybersecurity coordinator must find the funds to start a public service campaign for cybersecurity ASAP.  Cybersecurity education should also extend to K-12, college, and continuing education programs for more hands-on training.
  3. Championing a national ID program. This issue is too dicey for politicians worried about their next election.  Since the cybersecurity coordinator is a political appointment and not an elected official, he or she should be willing to quarterback this controversial program as it could really help improve security and identity protection.  Yes, it is imperative that the cybersecurity coordinator demonstrate that a national ID program can be accomplished while protecting privacy, but the cybersecurity coordinator should also seek to sell this program based upon other benefits.  For example, studies show that a national ID program could improve health care data sharing and kickstart a lot of high value/low cost e-government services.  The cybersecurity coordinator should lobby for federal dollars, recruit the states for support, and explore an opt-in program for citizens.
  4. Acting as a cybersecurity watchdog. It is critically important that cybersecurity programs are dedicated to fixing problems and improving policies, procedures, and defenses rather than becoming the next round of pork and special interest projects.  This political assessment should include existing programs that may be unnecessary, exceptionally costly, or inefficient.  The cybersecurity coordinator must keep legislators honest by publicly exposing those that seek to benefit from cybersecurity spending for personal or political gains.  Likewise, the cybersecurity coordinator must strive for a balance between military/intelligence and civilian agencies.  If the public believes that cybersecurity is controlled by NSA and DOD, it will remain mistrustful and uncooperative.
  5. Fixing the cybersecurity personnel problem. According to a recent report published by the Partnership for Public Service titled, “Cyber Insecurity,” the federal government is way behind in IT skills development, recruiting, and competing for talent with the private sector.  Unless these human resources issues are addressed, federal cybersecurity programs will continue to be anchored by expensive government integrators at the taxpayer’s expense.  The new cybersecurity coordinator must work with the Office of Personnel Management and other agencies to streamline recruiting, bolster training, develop the cybersecurity career path, and create personnel strategies to give the Feds a fighting chance against the private sector.
  6. Pushing through FISMA 2.0. The FISMA 2.0 process is taking far longer than it should.  It is pretty clear that FISMA doesn’t work; it is too focused on compliance check-off boxes rather than real business and security risk.  The cybersecurity coordinator should work with OMB, the Federal CIO Council, agency Inspectors General, and legislators to wrap this up by the end of the year.  The cybersecurity coordinator should also find the best federal security talent available and create a “tiger team” that can be dropped into agencies found to have an unacceptable level of risk to provide immediate help.
  7. Pushing for federal data privacy standards. As of this writing, 45 U.S. states and territories deal with varying data privacy laws, not to mention federal statutes like GLBA, HIPAA, and SOX.  Interpreting these laws, developing controls, and preparing for audits are extremely cumbersome and expensive for today’s organizations.  The cybersecurity coordinator should work with legislators like Senator Diane Feinstein (D, CA) to supersede these tactical laws with overarching federal privacy legislation.  To build upon existing state efforts, federal legislation should be at least as strong as the strongest privacy law in existence today.
  8. Lobbying for security compliance incentives for the private sector. The private sector has been suffering from a chronic case of “compliance fatigue” for the past few years.  Further efforts to bolster security through new legislation must be built around the carrot and the stick.  Organizations that meet existing or new federal security regulations could be rewarded with tax credits or a priority status for new federal contracts.  For example, the federal government could create a list of requirements for secure software development and then offer incentives to vendors that can meet compliance deadlines.  These incentives should more than pay for themselves by lowering risks associated with security attacks and data breaches.
  9. Unifying cybersecurity communications. With so many agencies involved in cybersecurity, the private sector can’t keep up with all the federal cybersecurity programs, acronyms, and activities.  This is a big weakness, since most critical infrastructure is owned and operated outside of the federal government’s purview.  The cybersecurity coordinator must use web tools, education, and outreach programs to simplify cybersecurity government-speak, provide detailed organizational roles and responsibilities, and educate the private sector so it can keep abreast of what the federal government is doing and what it needs to do.  This will be a difficult challenge where the cybersecurity coordinator may have to battle cries of “top secret” and “national security” from DOD and NSA, but he or she must be resolute and persistent.  If the Feds can’t communicate with the private sector in plain English, nothing will get done.
  10. Becoming the cybersecurity face of the United States to the rest of the world. The cybersecurity coordinator must push for law enforcement standards and cooperation with other nations around the world.  This will be done in concert with other agencies, like the Department of State and the Department of Commerce, using tools like diplomacy and economic incentives.  This particular task will likely take a long time, but the cybersecurity coordinator must get involved early and often to make sure that cybersecurity concerns are on the table with friend and foe alike.

The Bigger Truth

The cybersecurity coordinator’s job will not be easy. He or she will have to navigate skillfully across political, military, intelligence, and business agendas; step on a few toes; and continuously push the federal government away from political and process distractions—all in the name of improved security.  Whoever accepts this job will have to “hit the ground running.”  ESG believes that the priorities outlined above will help this individual establish a baseline, map out strategic plans, measure progress, and establish a leadership role within the federal government and with the private sector.  National security depends upon it.


[1] Source: Cyberspace Policy Review

[2] Ibid.
