At 10:55 this morning, President Obama will announce the long-awaited plans for dealing with cyber security in his White House. A cyber czar, albeit at a level lower than desired (special assistant), will be supported by a new cyber directorate within the National Security Council. That person will also report to the National Economic Council. Expect the announcement will be broad in scope and discuss goals for dealing with the global threat of cyber security, as well as address such issues as a public awareness campaign for the challenges of cyber security and the need for a strengthened technology workforce in the U.S.
The 60 day review (that ended approx 30 days) ago, led by Melissa Hathaway, is the fourth attempt in the last 12 or so years to address cyber security. In late 1996, President Clinton created the Presidential Commission for Critical Infrastructure Protection (PCCIP) that issued a report on its findings in 1997. That effort led to the 1998 Presidential Directive-63, the emergence of ISACs, and the creation of the National Infrastructure Protection Center (NIPC) at the FBI and the Critical Infrastructure Assurance Office (CIAO) at the Department of Commerce, among other organizations at various agencies. Those two are worth noting as we continue, a decade later, to see a tension, as evidenced by the dual NEC and NSC reporting announcement expected today, between law enforcement/security and economic/commerce interests in cyber security. Interestingly enough, the term “cyber czar” originated during that time – Dick Clarke in the White House.
In 2003, President Bush released the Clarke-led National Strategy to Secure Cyberspace which provided recommendations for “government-industry” cooperation. Soon thereafter Clarke left the government. The strategy laid a framework for how the federal government would try to address cyber issues and promoted public-private partnerships. DHS’ leadership on the issue was laid out about this time with the merger of most of the major cyber functions (NIPC, CIAO, FedCert, etc) into a new National Cyber Security Division. These efforts led to the creation of sector coordinating councils and the National Infrastructure Protection Plan (NIPP). There was wide-spread criticism that the Director of the NCSD was buried too far into DHS and the nation needed a WH czar. Congress responded by creating an Assistant Secretary position at DHS.
Round three happened in 2008. President Bush initiated the Comprehensive National Cyber Security Initiative. The CNCI, officially established in January 2008 (though rumored as early as Sept 2007) by National Security Presidential Directive 54/Homeland Security Presidential Directive 23 was a multi-agency, multi-year plan laying out twelve steps to securing the federal government’s cyber security networks. DHS would have the lead (mostly) on civilian systems while DoD would take the lead on .mil systems. The role of NSA and the DNI was questioned, though hard for most to pen down given the classified nature of the program. By this point, the White House had a Special Assistant to the President and Senior Director for Cybersecurity and Information Sharing Policy, Neill Sciarrone, and a multi-agency task force headed by Melissa Hathaway leading the CNCI efforts. DHS, meanwhile, also created a Deputy Undersecretary for cyber at the National Protection and Programs Directorate – a role fulfilled by Scott Charbo in the Bush Administration and by Phil Reitinger in the Obama Administration. Silicon Valley guru Rod Beckstrom was brought in as the First Director of the National Cyber Security Center. He left several months ago, claiming that the NSA and intelligence agencies were taking too much of a leading role in the cyber efforts.
That leads us to today’s announcement in a few hours. While in a condensed timeframe, there is much history in the nation’s cyber security efforts. Today’s efforts will set a framework – even if broadly- for how we are going to tackle round four. The real question will be whether we can advance our efforts or will we be repeating this exercise in a few years. Stay tuned for a more in-depth analysis of the cyber security analysis this afternoon.
Also worth noting – after the cyber announcement, the President will attend a hurricane preparedness meeting at FEMA headquarters. Hurricane season is only a weekend away so FEMA’s preparedness efforts and posture are critical.