Homeland Security Watch

News and analysis of critical issues in homeland security

May 29, 2009

Long-Awaited Cybersecurity Announcement and FEMA visit

Filed under: Cybersecurity,Infrastructure Protection,Preparedness and Response,State and Local HLS — by Jessica Herrera-Flanigan on May 29, 2009

At 10:55 this morning, President Obama will announce the long-awaited plans for dealing with cyber security in his White House. A cyber czar, albeit at a level lower than desired (special assistant), will be supported by a new cyber directorate within the National Security Council. That person will also report to the National Economic Council. Expect the announcement to be broad in scope and to discuss goals for dealing with the global threat of cyber security, as well as to address such issues as a public awareness campaign for the challenges of cyber security and the need for a strengthened technology workforce in the U.S.

The 60-day review (that ended approx 30 days ago), led by Melissa Hathaway, is the fourth attempt in the last 12 or so years to address cyber security. In late 1996, President Clinton created the Presidential Commission for Critical Infrastructure Protection (PCCIP) that issued a report on its findings in 1997. That effort led to the 1998 Presidential Directive-63, the emergence of ISACs, and the creation of the National Infrastructure Protection Center (NIPC) at the FBI and the Critical Infrastructure Assurance Office (CIAO) at the Department of Commerce, among other organizations at various agencies. Those two are worth noting as we continue, a decade later, to see a tension, as evidenced by the dual NEC and NSC reporting announcement expected today, between law enforcement/security and economic/commerce interests in cyber security. Interestingly enough, the term “cyber czar” originated during that time – Dick Clarke in the White House.

In 2003, President Bush released the Clarke-led National Strategy to Secure Cyberspace, which provided recommendations for “government-industry” cooperation. Soon thereafter Clarke left the government. The strategy laid a framework for how the federal government would try to address cyber issues and promoted public-private partnerships. DHS’ leadership on the issue was laid out about this time with the merger of most of the major cyber functions (NIPC, CIAO, FedCert, etc.) into a new National Cyber Security Division. These efforts led to the creation of sector coordinating councils and the National Infrastructure Protection Plan (NIPP). There was widespread criticism that the Director of the NCSD was buried too far into DHS and the nation needed a WH czar. Congress responded by creating an Assistant Secretary position at DHS.

Round three happened in 2008. President Bush initiated the Comprehensive National Cyber Security Initiative. The CNCI, officially established in January 2008 (though rumored as early as Sept 2007) by National Security Presidential Directive 54/Homeland Security Presidential Directive 23, was a multi-agency, multi-year plan laying out twelve steps to securing the federal government’s cyber security networks. DHS would have the lead (mostly) on civilian systems while DoD would take the lead on .mil systems. The role of NSA and the DNI was questioned, though hard for most to pin down given the classified nature of the program. By this point, the White House had a Special Assistant to the President and Senior Director for Cybersecurity and Information Sharing Policy, Neill Sciarrone, and a multi-agency task force headed by Melissa Hathaway leading the CNCI efforts. DHS, meanwhile, also created a Deputy Undersecretary for cyber at the National Protection and Programs Directorate – a role fulfilled by Scott Charbo in the Bush Administration and by Phil Reitinger in the Obama Administration. Silicon Valley guru Rod Beckstrom was brought in as the First Director of the National Cyber Security Center. He left several months ago, claiming that the NSA and intelligence agencies were taking too much of a leading role in the cyber efforts.

That leads us to today’s announcement in a few hours. While in a condensed timeframe, there is much history in the nation’s cyber security efforts. Today’s efforts will set a framework – even if broadly – for how we are going to tackle round four. The real question will be whether we can advance our efforts or will be repeating this exercise in a few years. Stay tuned for a more in-depth analysis of the cyber security announcement this afternoon.

Also worth noting – after the cyber announcement,  the President will attend a hurricane preparedness meeting at FEMA headquarters.  Hurricane season is only a weekend away so FEMA’s preparedness efforts and posture are critical.


Comment by William R. Cumming

May 29, 2009 @ 10:01 am

A few notes and if incorrect please correct? First Clinton did technically create the PCCIP in 1996 by Executive Order but his hand was forced by Congress which had mandated such a commission (often referred to as the “Marsh” Commission.) The leaders in the mandate were Senators Jon Kyl and Bennett, the latter being a former Assistant Secretary of Commerce. Kyl and Bennett were assisted through backdoor contacts with a huge retinue of civil servants and of course eventually the $350 Billion y2k federal effort somewhat overshadowed direct cyber security. This still is and will be for some time IMO the largest preparedness effort ever undertaken in the Executive Branch outside of perhaps DOD and of course this also included DOD which had the largest y2k failure for failure to reprogram a key NRO satellite out for over 12 days.
Actually issued in 1998, PD-63 was a hurried NSC staff led effort to protect Clinton’s flanks on critical infrastructure protection but really had little to do with cyber. Richard Clarke did become cyber czar of sorts and prepared the strategy and worked hard at alerting on cyber. His book “Against All Enemies” has interesting discussion of his conversion to cyber czar.
Finally, Congress actually mandated a White House Cyber Czar position but never filled under Bush because they made the position an “advise and consent” position that would be subject to Congressional demands during hearings.
Eventually, the “Big One” of cyber will happen and really hoping someone competent takes time and effort to update this magnificent piece of history you have captured.
Where do I stand? I would reduce much of the expenditures on physical security in the country and devote or transfer that to cyber! But I would also empower some Executive Branch organization to have the full gamut of authority through standard setting and rulemaking on cyber security to promote resilience, redundancy, interoperability, and security. Hey but what do I know I am on AOL dial up in the hinterlands.

Comment by Jessica Herrera-Flanigan

May 29, 2009 @ 7:31 pm

On PCCIP – it was created in 96, with its report issued in 97. The Commission itself grew out of a recommendation by the Critical Infrastructure Working Group (CIWG), led by then Deputy AG Jamie Gorelick, that new vulnerabilities in the nation’s infrastructure be studied and addressed. CIWG came in response to the OK City bombing. This was separate and apart from the Bennett-Kyl Y2K efforts that were occurring at the same time (though both participated in rigorous oversight of both).

Congress actually never mandated a White House Cyber Czar post 9/11 (though Senators Rockefeller and Carper are now pushing for something similar). Proposals circulated and there was much discussion but the resulting legislation that actually was enacted into law created the Assistant Secretary for Cybersecurity & Telecommunications at the Department of Homeland Security.

Comment by William R. Cumming

May 30, 2009 @ 5:42 am

DOJ had some rudimentary interest in cyber crime enforcement going back to the Reagan Administration. Only the arrival of Gorelick and personnel like Michael Vatis got DOJ thinking more broadly.
Thanks Jessica for the corrections. I do know that prior to the PCCIP report in all the meetings I was in physical security was the primary driver on CIP and interesting in drafting EO 12656 which developed lead and support roles for “National Security Emergencies” a term first used in EO 12472 and undefined until EO 12656, and that latter EO revoked old EO 10421 which dealt with physical security. DOJ was in favor of revocation of that order because the first Director of FEMA under President Reagan was using it to hammer DOJ on a variety of issues including law enforcement during the 1984 Olympics leading to some efforts to abolish FEMA and certainly curtail its national security policy focus, rudimentary as that was at the time. See NSDD-188. None-the-less, DOJ while not wanting FEMA to have the lead of Executive Branch civil physical security issues, did not want the lead themselves so that they drafted a supporting role for themselves on physical security and also on terrorism. EO 12656 was issued after the 1988 elections on November 18, 1988, and is still extant although filled with odd problems caused by its subsequent amendment, some of which were duplications, and should be totally revised.
My point is simple, as of November 18, 1988, DOJ was thinking only vaguely of cyber crime and not sure how much amendment of Title 18 had occurred to deal with even that issue. I do know that in one of the four or five drafting sessions for PD-63 I suggested that the crime of “Sabotage” be updated for cyber and was looked at with askance by most in the room. That drafting was led by NSC staff that acted somewhat bored over the whole thing as though they had better things to be doing. So much for cyber security before Richard Clarke’s orchestration of the issue with Jamie Gorelick’s full attention in the mid-90’s!
This whole history really is important to pin down before the great witch hunt that will occur after the first major cyber security failure impacting the US economy and national security. Although maybe that has already occurred and been classified. I rank the top threats from China, Russia, India as nation-states, and of course the sub-state actors are probably already making off with goodies in virtual form.

Comment by Christopher Tingus

May 30, 2009 @ 6:47 am

As all seemingly recognize the importance of subject Cyber-Czar post assignment and in-depth focus and commitment in national security prerequisite, it is the rogue and self-imposed dictators and the fundamentalist organizations that we should be very leery of as they enjoin legions of willing participants to do their utmost to muster an impressive attack on the global community as well as of course our USA national interests as after all if it were not for America, everyone would be speaking German and have no rights!

Imagining sitting as today’s “hacker” at his/her computer with their acknowledged intellect and proven skill sets, though perverse in their quest to find challenging conquests that cause fear and anxiety as they attain expertise from level to level, it would be the transportation industry that I would focus on disrupting here in the States as well as a coordinated attack on major EU hubs as all were impressed on how quickly the evil deeds of terrorists grounded the very busy skies on 911. It was truly a marvel at how quickly so many aircraft landed. Kudos to the flight controllers….

Whether it be the vulnerable electric grid system or other, the apparent enlightenment by you Mr. President as voiced yesterday in your speech depicting an administration which understands this priority, we, Mr. & Mrs. Joe Citizen who buy security packages to protect our simple laptops from the maliciousness of individuals trying to infect our small systems with little intent other than to amuse themselves, welcome the administration’s broad and detailed establishment of a “command post” readied to utilize our very resourceful and available “geek power” to continue to thwart the ever-increasing enlightened attempts to bring us to an abrupt shut-down.

While Ms. Jessica Herrera-Flanigan and Mr. William R. Cumming, well versed in this security sector with very specific perspectives which should be valued inside the beltway and in industry, we here on the street doing what little we can with our security programs and firewalls can only assume that our infrastructure is “hit on” daily with increasing frequency.

We all look forward to much topic discussion and many of you reading this important Hls.watch are urged to comment as the hours are passing and our national security issues need an immediate, organized and proactive ambition to safeguard us and our neighbors.

Not knowing what present Cyber-security memorandums in understanding have been shared among all nations as I assume treaties of sorts, however the global community should already have in place what I refer to as “CyberSecGlobal” Agreements with one another that if signatories of this Agreement are found and proven to have been engaged in a cyber-attack, it would be considered an act of War!

I am saying that new rules of engagement have hopefully already been signed and established clearly understood by the global community.

All must be done to follow the money and encouraged to – think out of the box – never underestimating those that seek to focus their efforts and prioritize while employing a parallel and related strategy to distract us from their real objective in lust of Cyber power!

Coupled with our Homeland Security color coded warning system, we should employ a “Cyber Level Alert” system for the nation or would it always be at the highest level!

We are under attack constantly and all should be applauded at NSA and other agencies as well you Mr. President and your administration and Congressional members who are being briefed by our “geeks” as to brevity of the issues we face as a nation and throughout the global community….

Christopher Tingus
GPS location:
Harwich (Cape Cod), MA 02645 USA
