Cyber leader powers still unknown
President Barack Obama received widespread praise for his recent decision to create a cybersecurity coordinator, but some observers say it remains to be seen whether the position has enough authority.
It's common for presidents to appoint a single powerful coordinator, sometimes informally called a czar, to oversee efforts on a specific issue. However, not all of those positions are equal, and experts say it remains to be seen whether President Barack Obama’s yet-to-be-named cybersecurity coordinator will be able to make the comprehensive cybersecurity improvements that many say are needed.
Industry officials, lawmakers and cybersecurity experts said they were generally pleased with Obama’s announcement that he would name someone to lead a new White House cybersecurity office to integrate cybersecurity policies.
Although Obama’s announcement ended one debate about bureaucratic structure, it also started speculation about what comes next. Since his announcement May 29, observers have been pondering who Obama will name as coordinator, how much access that person will have to Obama, and how the official will differ from previous government cybersecurity coordinators.
“As many folks who have spent time in the White House know, proximity and access to the president matter,” said Amit Yoran, chief executive officer of network security company NetWitness and former director of the Homeland Security Department's National Cybersecurity Division.
Obama said he would personally choose the new official and depend on him or her in all matters relating to cybersecurity. In addition, the coordinator “will have my full support and regular access to me as we confront these challenges,” Obama said, adding that the official would be a staff member of the White House’s National Security Staff and National Economic Council.
Dale Meyerrose, former chief information officer at the Office of the Director of National Intelligence and now vice president and general manager of cyber programs at Harris, said the cybersecurity coordinator should be someone with a national reputation in government and industry. Meyerrose said the administration hasn’t proven this position is different from previous cybersecurity positions, but he hopes it will do so. He also said it’s important for the new official to have access to Obama.
“The further away you get from being the person who has the president’s ear, the harder it is to entice a person of note to accept that challenge,” Meyerrose said.
Yoran said he thinks the eventual holder of the office will have an opportunity to succeed because Obama is sending a clear message that cybersecurity matters. He also said Obama's decision to have the coordinator work with White House security and economic advisers is a positive sign because of the cross-cutting nature of cybersecurity.
However, James Lewis, director of CSIS’ Technology and Public Policy Program and of the CSIS cybersecurity commission, said that although the announcement that there would be a top White House cybersecurity official was good, questions about the new official need to be answered before it can be assessed. For example, Lewis said it remains to be determined what the new official’s lines of authority will be. "We can’t assess this until we know who will do it and what authority they will have," Lewis said.
Obama also released a report May 29 that details the findings of the administration’s 60-day review of cybersecurity policy. He said the report outlines actions the administration would take to develop a new comprehensive strategy, ensure an organized response to future cyber incidents, foster public/private partnerships, continue to invest in cutting-edge research and development, and start a national educational campaign.
The report states that the new White House cybersecurity coordinator shouldn’t have operational responsibilities, but that the operational cybersecurity authorities of different agencies, which often overlap, need to be coordinated. However, the report didn’t state which agencies should have specific cybersecurity responsibilities, leaving questions about the roles different agencies and departments will play.
“You can see the seeds of bureaucracy or the possibility of this can be something different, and the administration has to prove which it is, and they need to do so in pretty quick order,” Meyerrose said. “There are seeds of failure and seeds of success both present here, so let’s hope we water the correct ones.”