The sixty day cybersecurity review is past due. Melissa Hathaway made her deadline. But the document has been vetted, parsed, and edited… you know the drill. Someone, who claims to know, tells me the draft was finalized Saturday. (UPDATE: Not according to the Washington Post.)
A few days ago
Mark Armbinder played prophet regarding the Hathaway report, “It does appear that the governing authority for cyber security will rest within the White House, that the Department of Homeland Security will be tasked with creating, from the existing National Cyber Security Center, a large operational entity, and that NSA will play a significant support role. Various cyber security elements from across the government, with the notable exception of the Department of Defense, will be pulled into this new entity.”
Armbinder continues, “If this assemblage — a new White House chief overseeing patched-together government agencies not directly under his or her control — sounds familiar, it’s because it reminds many in the national security community of the process through which the Office of the Director of National Intelligence was created…” Just in case the implications of this prior experience are less than clear, Armbinder is explicit, “So — the fears, to put them more concretely, are: Congress will never give the cyber security person the authority she or he will need, won’t fund the agency properly, and various other government entities, like DoD’s cyber command and NSA, not to mention the various cyber security elements of Commerce, OSTP, etc. – will not play along. And since time is of the essence, the Defense Department (and the NSA) will simply assume much of the responsibility over time because they’re funded and equipped to handle it.”
But what about the private sector?
Even if the US military could be 100 percent cyber-secure — even if the entire federal enterprise was cyber-secure — the nation would remain vulnerable to catastrophic impacts on private networks. Fundamental aspects of national capacity held primarily by the private sector include telecommunications, the financial system, power grid, and a wide array of SCADA (supervisory control and data acquisition) tools across industry.
The cybersecurity review has prompted posturing and concern over who and what will be in charge. “Who’s in charge?” is often an entirely appropriate question. In terms of private sector cybersecurity, it is an absurd question. No one will be in charge.
To deal realistically with private sector cybersecurity we ought stop asking who’s in charge (or manuevering to be in charge) and begin networking, exploring, listening, proposing, and experimenting. The White House — and the nation — would be well-served to stop reading from the Commander-in-Chief playbook and, instead, apply the Obama campaign playbook.
The campaign was well-led, well-managed, and carefully organized. It also self-consciously depended on empowering free agents to act in a voluntarily coordinated way. It achieved this objective through clear communication, integration/acceleration of communications through technology, and listening.
The Obama campaign weaponized listening. Asking thoughtful questions, feeding back what was heard, and then shaping, amplifying, and organizing around what was being said, moved a very unlikely first term Senator into the White House.
This is the kind of campaign that private sector cybersecurity will need (and if Armbinder is right, maybe federal sector cybersecurity as well).
The Iowa caucus equivalent for a cybersecruity campaign could be a proposal being pushed by Business Executives for National Security. For several months BENS and others have been circulating a proposal for a new sort of public-private “co-laboratory” (my word, not theirs). Several leading private sector organizations – each heavily dependent on cyber capabilities – are ready to join-up.
But private sector leaders are waiting for a signal that the Commander-in-Chief has told his troops to listen rather than insist on leading. The private sector leaders are waiting for the Community-Organizer-in-Chief to remind his colleagues how listening — and even following — has been key to their success.
Both General Jones and Melissa Hathaway have met with the coalition behind the proposal. We will soon see if they read the memo on listening. If not, it may be time to reopen
Camp Obama.
