Obama to appoint cybersecurity coordinator, update national cybersecurity policy

Find opportunities — and win them.

President Obama will appoint a cybersecurity coordinator who will anchor a suite of initiatives recommended in the findings of the 60-day review of the nation’s cybersecurity posture.

Declaring that, “the status quo no longer is acceptable, we can and must do better,” President Barack Obama today announced creation of the position of a cybersecurity coordinator who will direct national cybersecurity policy from the White House.

The coordinator, who will be hand-picked by the president, will be a member of the National Security Council and National Economic Council, the president said Friday. As the name implies, the coordinator will work with other agencies and departments, including the Office of Management and Budget and the Homeland Security Department. Although details were not immediately available, operational aspects of securing government networks are expected to remain at the agency level.

The announcement coincided with the release of the findings of a comprehensive review of the nation’s cybersecurity policy ordered in February by the president. That 60-day review, conducted by Melissa Hathaway, was completed in April. The coordinator will anchor a suite of initiatives recommended in the review. The other initiatives include:

  • A public outreach and education program that would include a drive, similar to that in the late 1950s and 1960s after the Russian launch of the Sputnik satellite, to emphasize and improve science education in the United States.
  • Creating a stronger partnership between the U.S. government, its allies and the private sector to monitor and secure digital assets.
  • Creating an effective information sharing and incident response capability both within the government and the privately owned infrastructure.
  • Encouraging research and development to ensure security and reliability in future generations of information technology.

Outlining the growing importance of the Internet and associated technologies to the nation’s economic well-being and national security, the president said some progress has been made in cybersecurity but that the nation is not as prepared as it should be for the threats it faces.

“We have failed to invest in the security of our digital infrastructure,” he said. He said his administration will treat infrastructure as a national asset whose security will be a national priority.

Obama’s presidential campaign last year gained notice with its effective use of new media and online technology, and he underlined the importance of cybersecurity by saying that from August to October of last year hackers gained access to his campaign organization’s e-mail and online files. He said the campaign worked with the FBI and Secret Service to investigate the breach and hired a security consultant.

The Cyberspace Policy Review concluded that “the architecture of the nation’s digital infrastructure is not secure or resilient,” and that without significant advances, “it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations.”

The federal government is not organized to address these issues, the report said. Cybersecurity policy to date has been reactive and defensive, and it has not provided a comprehensive, proactive approach to risk management ensuring the robustness and resiliency of the infrastructure. Putting a senior official in charge of policy in the White House sends a message to the private sector and the rest of the world that the United States is serious about improving cybersecurity.

The initiatives announced Friday follow closely many of the recommendations made last year by the Commission for Securing Cyberspace for the 44th Presidency, which was created by the Center for Strategic and International Studies. The president cited the report as an important source in the final recommendations from the 60-day review.

"What was really important was the president saying that cybersecurity is an issue that impacts our strategic national assets,” said Jim Lewis director of the CSIS Technology and Public Policy Program. “That's an immense break through."

Obama said the coordinator also would work closely with the new federal Chief Technology Officer Aneesh Chopra, and with Chief Information Officer Vivek Kundra.

"The president was very clear that as this is a national security and an economic issue,” Chopra said. “Building a secure, reliable internet can actually be a catalyst for economic growth.”

Chopra said he believed that he, Kundra and other leaders are "well positioned to set up innovation platforms for agencies to consider" in building more reliable approaches to using the Internet.

In outlining the developing policies of the new administration, the president was clear to point out what the policies would not include.

“It will not include monitoring private-sector networks for Internet threats,” and will not impinge on civil liberties he said.

Those were encouraging words to Bob Dix, vice president of government affairs and critical infrastructure protection for Juniper Networks Inc. “I was glad to hear that the administration did not intend to dictate, but to collaborate,” he said.

Jeff Moss, director of Black Hat, which produces the Black Hat Briefing cybersecurity conferences, also was happy with that approach.

“I’m glad they are not calling the position a ‘cyber czar’,” he said. “That’s not what it should be about.” He said the position should be about coordinating efforts across agencies and sectors, not dictating policies and technology.

“The president made a lot of the right noises,” Moss said. “A lot will depend on the follow-through.”

He did say he was concerned about the promise not to monitor or control privately owned infrastructure while at the same time protecting it as a national asset.

“I think he will find he is in a bind,” Moss said. “I don’t see how you do one without the other. I think the reality of the situation will come out at a later date.”

The next step is an aggressive implementation program, Dix said. “This is not the end, but a beginning.”