Homeland Security Watch

News and analysis of critical issues in homeland security

August 10, 2009

Cybersecurity –

Filed under: Cybersecurity — by Jessica Herrera-Flanigan on August 10, 2009

On Friday, I wrote a quick blurb noting that Mischel Kwon, the director of the U.S. Computer Emergency Readiness Team at the Department of Homeland Security (DHS) had announced her departure.  Her exit from the government cybersecurity realm marked the second in a week, following the highly-covered resignation of Melissa Hathaway, the White House’s Cybersecurity Advisor/Coordinator, earlier in the week.

In both cases,  many politicos and pundits have pondered why our federal cybersecurity efforts seem to be in such disarray.   Kwon was the fourth director of US CERT in five years.  Hathaway was the acting “cyber czar,” though the Administration prefers to call it “coordinator,” a position announced by the President eight weeks ago that few cybersecurity gurus have been interested in taking.

Things, however, may be bad but not be as bad as they appear.  DHS has filled its two (or three, depending on you count) political cybersecurity spots with experienced and smart experts.  Phil Reitinger is the Deputy Under Security for the National Protection & Programs Directorate, overseeing the agency’s cybersecurity efforts.  He is dual-hatted as the Director of the National Cybersecurity Center (NCSC), a position created in 2008 amid internal squabbling that has been duplicative of the agency’s efforts, as well as under appreciated, as demonstrated by Rod Beckstrom’s very public resignation from that position earlier this year.  In consolidating the two positions, Secretary Napolitano has created one point person to strategize and lead the Department’s efforts on a macro level.

In addition, the new Assistant Secretary for Cybersecurity & Communications, Greg Schaffer, is well-versed in the cybersecurity space.  Both Phil and Greg have worked together in the past and have private sector and government experience in the operational and legal sides of cybersecurity – something which is much needed at the agency. Hopefully, by working together in a concerted effort, there will be some progress at DHS on the cybersecurity front.  That’s not to say there is not a lot of work to be done and it is a nearly-impossible task, but having some gameplan and a team effort will be critical.

Over at the Department of Defense Secretary Robert Gates created a “Cyber Command” to be headed by  the director of the National Security Agency.  When announcing the new Command in June, Gates issued a memo noting that the new effort will have synchronize “warfighting efforts across the global security environment.”  While there has been some concerns that the New Cyber Command will usurp civilian efforts, its creation is an important step in streamlining and synchronizing our military’s offensive and defense capabilities.  In addition, its creation may help thwart what has been seen as increasing competition between the branches to be responsible for DoD’s cybersecurity efforts.

Which brings us back to the so-called Cyber czar vacancy.  It is important to remember that the White House Cybersecurity Coordinator is a policy position — not an operational one.  The nuts and bolts of protecting government civilian, military, and private sector systems remains with the agencies above, as well as with several others tasked with specific elements of cybersecurity (i.e. Department of Justice with prosecuting cybercrimes, FBI and Secret Service with investigations, countless CIO offices with securing specific agency computers, NIST with standards).  The cyberczar will report both to the National Security Council and the National Economic Council, which suggests that the individual will attempt to balance between homeland security and economic concerns. That dichotomy, however, is not as prevalent as it may have been 10 years ago when Dick Clarke served as czar.  It could change if Congress enacted legislation that was strong on regulation in cyber space.  What is not clear from the creation of the cyberczar is whether that individual will have the authority to direct all the agencies should a cyber-crisis occur.

The inability to fill the “cyberczar” spot, whether it sits in DHS, DoD, the White House, or the Office of Management and Budget, is long-standing.  In the 2002-2004 timeframe, much attention was given to DHS’ efforts on the cybersecurity front and the fact that the cyberczar had gone from being in the White House to the Director of the National Cyber Security Division, a spot buried within the agency’s bureaucracy.   The first Director, Amit Yoran, lasted a little more than a year before leaving,  in part, because of the lack of authority.

Going forward, regardless of what you call the positions or how they are filled, it is essential that there be long-term planning and staffing on the cybersecurity front.  As DHS and DoD get their operational efforts in order,  their successes will be measured on whether their cyber leaders have the authority to do their jobs AND whether they stay for longer than a year or two.   At the same time, when and if the cyber czar position is filled, it will be critical that the chosen person be one who puts supporting  DHS, DoD, and other agencies efforts first and not one who, taken by the czar title, is overly-interested in leaving their personal mark.

Share and Enjoy:
  • Digg
  • Reddit
  • Facebook
  • Yahoo! Buzz
  • Google Bookmarks
  • email
  • Print
  • LinkedIn

4 Comments »

Comment by William R. Cumming

August 10, 2009 @ 9:38 am

OKay let’ skip NSA whose funding and staffing is secret. I recommend that they be pulled out from under DOD and report directly to the President. Many reasons and won’t go into it here.
What would be of interest is to track cyber security effort, staffing and expenditures post Y2 effort which was huge and not just government wide but also national in scope!

Perhaps this would give some indications of whether we (US) is putting our funding and staffing where our mouth is with respect to cyber. I think that because the underlying platforms heavily implicate the private sector and its interests the real battle is not over who does it but who pays for cyber security because likely to be expensive. As CSIS reported last December it really is different that CIP generally and HS. Perhaps at the same time a review of the entirety of the federal telecommunications effort would be appropriate. There used to be a Telecommunications Adminsitration in Commerce and not sure if it is still there. The FCC is involved and so are other organizations like the NCS which is part of the NPPD in DHS. My point is that we don’t still have a really good baseline even though I would argue that IT and telecommunications are now as large a sector of GDP as autos if not larger. Only two agencies opposed the AT&T consent order in 1982, DOD and FEMA. I think the 1996 Telecommunications Act did not understand the cyber world developing and the PCCIP report did not get issued until the fall of 1997. I think the whole arena of Cyber Security needs a massive upgrade and is much more important that certain other well staffed and well funded federal efforts. And in DOD I see a totally new force (purple suits) running for all the ARMED FORCES cyber and IT through safety and security to R&D. Hey if we grow enough purple forces maybe we will not need the former uniformed services. Except for boots on the ground of course. Nuclear surety, safety and command and control should also be totally purple suited.

Comment by christopher tingus

August 11, 2009 @ 4:57 am

The color purple embodies the stimulation of red and the calm of blue and is indeed appropriate in the 21st century.

While it may indeed not be the favorite color of the majority of participants, purple denotes mystical qualities, nobility, intellect, pervaded with spirituality inherent to a “Cyber Command” having a broad, yet specific objective in defending the honor of this great nation and most charitable people!

Mr. & Mrs. Citizen Joe hopes that those entrusted to have the keen insight into the ever evolving cyber world as portrayed by the levels of complexities will be addressed with urtgency for after all we worry at our infancy in competency, but still utilize firewall and other secuity of on simple laptop.

While we thought our government leadership on both sides of the aisle would have identified long ago the necessity to be not one, but ten or more “levels” ahead of those intent to commit “cyberblackmail” or worse….

The competent leadership replacements mentioned herein are much welcomed.

Their invaluable insight are most needed as we ratchet up the numbers of Cyber Security Command and challenge the “KGB Putinites” for they, too are getting the notion that their men in black should be “cyber savvy” as I refer to the “Purple Command” though it is the more than capable pan-Asian computer literacy which already has far reaching affects….

Let’s get a move on all this and prioritize the the well respected – purple people – for they are integral to the team if we wish to deter those that are onbviously seeking our demise 24×7.

Again, all hats off to the folks especially at NSA and others in other agencies who each and every day are committed to the strategy and intellect required to obliterate the opponent at every level of mastery.

With all the DS Lites walking around the malls these days, I have much confidence that if we can keep the WMD out of the hands of those wishing to swipe the WMDs in Pakistan from our sight, the little purple people playing Wii and other will be a formidable force and serve our great nation with the strength depicted by Red Power Ranger and the confidence and calmness often associated with the Blue Power Ranger!

Christopher Tingus
Harwich, MA 02645 USA
chris.tingus@gmail.com

Comment by Sam Clovis

August 11, 2009 @ 12:53 pm

I find this blog one of the most useful, thoughtful and informative venues for gaining insight into the incredibly complex homeland security policy arena. I do, however, want to bring to the attention of readers something to think about as we contemplate the direction of the nation.

My concern is not with the fact that we cannot find anyone to fill the cyber “czar” position. I am more concerned with the fact that we need a czar at all. The Czar construct of governance is very disturbing to me. This form of governance feeds an expansion of power in the Executive Branch that is outside the Constitutional guarantees afforded through the explicit checks and balances codified in our Founding Document.

The Senate of the United States Congress, as is written into the Constitution, is to provide “advice and consent” on “principal officers” that are to work in the Executive Branch. Czars are not vetted through this process. Similarly, there is no official oversight of the Czars or their operations anywhere in the Congress. These officers have policy-making authority without constraint. Thus, an extra-constitutional governance structure is established that is not subject to Constitutional scrutiny.

If one were to examine the 34 Czars established by this administration, one would see that there is a great deal of redundancy with existing Executive Branch departments. In fact, one does not have to work very hard to assign the Czars to departments. Why, then, would the President of the United States think it necessary to establish such a governance structure?

President Reagan established one Czar and in the intervening administrations there have been 8 more czars appointed. There are 34 czars established by this administration. These structural modifications to the executive branch are wholly inappropriate if there are no checks and balances that protect the integrity of Constitutional government and, to the ultimate end of popular sovereignty, that the government not operate at the behest of those governed.

The Constitution is the codification of a solumn agreement between the people and those charged to govern prudently, wisely and cautiously. Any governance structure that circumvents checks and balances and that operates without an ear for the voice of the people should be viewed with concern. For me, the government outlined in the Constitution is good enough.

Comment by William R. Cumming

August 18, 2009 @ 8:40 am

Agree completely with Sam’s comment above. I knew we were in excess of 20 Czars and Czarinas but good to know they are now in excess of 30!

Perhaps SECTION 301 of the US Code should be modified to require delegation only to those positions requiring Advise and Consent by the Senate. In an early case (180-3) the SCOTUS held that anyone dealing with a government official (clerk?) was entitled to know their position and what authority they had been delegated. Perhaps the Imperial Presidency needs some trimming of its royal perogatives if our democracy (republic) is to be preserved.

RSS feed for comments on this post. TrackBack URI

Leave a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>