Homeland Security Watch

News and analysis of critical issues in homeland security

May 10, 2009

Cybersecurity: community organizing needed more than command and control

Filed under: Cybersecurity — by Philip J. Palin on May 10, 2009

The sixty day cybersecurity review is past due.  Melissa Hathaway made her deadline.  But the document has been vetted, parsed, and edited… you know the drill. Someone, who claims to know, tells me the draft was finalized Saturday. (UPDATE: Not according to the Washington Post.)

A few days ago Mark Armbinder played prophet regarding the Hathaway report, “It does appear that the governing authority for cyber security will rest within the White House, that the Department of Homeland Security will be tasked with creating, from the existing National Cyber Security Center, a large operational entity, and that NSA will play a significant support role. Various cyber security elements from across the government, with the notable exception of the Department of Defense, will be pulled into this new entity.”
Armbinder continues, “If this assemblage — a new White House chief overseeing patched-together government agencies not directly under his or her control — sounds familiar, it’s because it reminds many in the national security community of the process through which the Office of the Director of National Intelligence was created…” Just in case the implications of this prior experience are less than clear, Armbinder is explicit, “So — the fears, to put them more concretely, are: Congress will never give the cyber security person the authority she or he will need, won’t fund the agency properly, and various other government entities, like DoD’s cyber command and NSA, not to mention the various cyber security elements of Commerce, OSTP, etc. – will not play along. And since time is of the essence, the Defense Department (and the NSA) will simply assume much of the responsibility over time because they’re funded and equipped to handle it.”
The “it” in that last sentence is worth a pause.  Evidently “it” does not  include military CIKR (critical infrastructure and key resources). DOD is proceeding to strengthen its own capabilities. The head of the NSA, and likely pick for a new DOD cyber-command, says he’s ready to help secure the rest of the government.  There is certainly plenty to do just in the federal sector.  See a May 5 GAO report  for the details.
But what about the private sector?
Even if the US military could be 100 percent cyber-secure — even if the entire federal enterprise was cyber-secure — the nation would remain vulnerable to catastrophic impacts on  private networks. Fundamental aspects of national capacity held primarily by the private sector include telecommunications, the financial system, power grid, and a wide array of  SCADA (supervisory control and data acquisition) tools across industry.
The cybersecurity review has prompted posturing and concern over who and what will be in charge. “Who’s in charge?” is often an entirely appropriate question.  In terms of private sector cybersecurity, it is an absurd question. No one will be in charge.
To deal realistically with private sector cybersecurity we ought stop asking who’s in charge (or manuevering to be in charge) and begin networking, exploring, listening, proposing, and experimenting.  The White House — and the nation — would be well-served to stop reading from the Commander-in-Chief playbook and, instead, apply the Obama campaign playbook.
The campaign was well-led, well-managed, and carefully organized.  It also self-consciously depended on empowering free agents to act in a voluntarily coordinated way.  It achieved this objective through clear  communication, integration/acceleration of communications through technology, and listening.

The Obama campaign weaponized listening. Asking thoughtful questions, feeding back what was heard, and then shaping, amplifying, and organizing around what was being said, moved a very unlikely first term Senator into the White House.

This is the kind of campaign that private sector cybersecurity will need (and if Armbinder is right, maybe federal sector cybersecurity as well).

The Iowa caucus equivalent for a cybersecruity campaign could be a proposal being pushed by  Business Executives for National Security. For several months BENS and others have been circulating a proposal for a new sort of  public-private “co-laboratory” (my word, not theirs).  Several leading private sector organizations — each heavily dependent on cyber capabilities —  are ready to join-up.  

But  private sector leaders are waiting for a signal that the Commander-in-Chief has told his troops to listen rather than insist on leading.  The private sector leaders are waiting for the Community-Organizer-in-Chief to remind his colleagues how listening — and even following — has been key to their success.
Both General Jones and Melissa Hathaway have met with the coalition behind  the proposal.  We will soon see if they read the memo on listening. If not, it may be time to reopen Camp Obama.
Share and Enjoy:
  • Digg
  • Reddit
  • Facebook
  • Yahoo! Buzz
  • Google Bookmarks
  • email
  • Print
  • LinkedIn


Comment by William R. Cumming

May 11, 2009 @ 7:58 am

Great post. Agree almost to every word that I understand. Cyber Security has again been relegated to obscurity with the fundamental conumdrum of PD-63 issued in 1998 still unresolved. Congress is lobbied to prevent standards of security and resilience to be regulated or mandated. And the Executive Branch and DOD totally reliant on contractor support for cyber-security will go through the normal IT cycle of waste, fraud, and abuse on cyber-security. Really disheartening when you think of the Marsh Commsission effort reflected in its fall 1997 report (The President’s Commission on Critical Infrastructure Protection) splitting out cyber-security from physical security for the first time and then documenting it even then importance and more important future. Why does it always have to be DOD and its minions that are properly funded and supported while the civil agencies starve literally. Okay let’s see what the report actually states but let’s have a cyber-security budget that shows the totality of the Executive Branch effort, both DOD and Civil agencies. Is this going to be like the DOD and State Department effort where we spend billions for defense and almost nothing for our foreing relations efforts?

Comment by Arnold

May 11, 2009 @ 4:50 pm

“The White House — and the nation — would be well-served to stop reading from the Commander-in-Chief playbook and, instead, apply the Obama campaign playbook.”

Can I indulge in a moment of self-promotion? Because I strongly agree with the above statement:


Comment by Christopher Tingus

May 12, 2009 @ 7:16 am

Cyber-security must be given top priority!

There is no time for anything less than an organized, cohesive and substantial commitment supporting DoD and civil agencies.

Those close and far yonder are very much committed in their diligence to create calamity and from the ever increasing cyber attacks reported and from intelligence gathering, there is no doubt that we must commit to bring all the talent among us to thwart the efforts of those that seek our demise.

This is a serious matter requiring the good ‘ol boys on both sides to take off their suit jackets and roll their sleeves up and address the matter portrayed by conclusive decision-making depicting a nation of strength and the ambition to excel in confronting global participants who are well versed in their quest to patiently fine tune their skills from level to level until achieving superiority!

Let’s get to work.

The strategy employed by our side should be to utilize our youthful resources and remain more than one step ahead of the other geeks….who must be admired for the skills they have attained and the strategy they employ.

I have been over time involved with IT/software development “outsourcing” for US and Indian companies and I have a great deal of respect for those playing their DS Lite walking in the mall for many of them will someday be called upon to protect our infrastructure.

As an senior international new business development type, I have conferred with senior officials in India and China for instance with their pointing to the many graduating there with science and engineering backgrounds versus our graduating classes filled with lawyers….Keep a close eye of our Russian friends for they, too are quite skillful tapping the keyboard and understanding its far reach and affect!

The commitment from the beltway, overwhelmed with debt as a result of the “spend as we go without concern mentality” and willingness to turn a cheek to show line by line expenditures to the taxpayer, should be to print billions more in “fiat” dollars and use them as I refer to as “geek dollars” and help fund our nation’s educational programs related to computer programming and other….

Christopher Tingus
Harwich, MA USA

Comment by William R. Cumming

May 12, 2009 @ 8:24 am

Agree with Chris’ comments above. This AM Washington Times has an absolutely incredibly detailed article about Chinese efforts in cyber-warfare and in particular against the US. If the article is correct it makes meaningless the Obama 60 day review not yet complete which restates the need for a White House cyber czar and incredibly led by guess what a former White House Cyber Czar! Makes one wonder. What I do know is that this fall the passage of 12 years since the PCCIP focused on cyber security and little accomplished makes me really wonder who is creating roadblocks to progress or is it the normal US lack of preparedness until after the catastrophic event?onhc cho

RSS feed for comments on this post. TrackBack URI

Leave a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>