On Friday, I wrote a quick blurb noting that Mischel Kwon, the director of the U.S. Computer Emergency Readiness Team at the Department of Homeland Security (DHS), had announced her departure. Her exit from the government cybersecurity realm marked the second in a week, following the highly-covered resignation of Melissa Hathaway, the White House’s Cybersecurity Advisor/Coordinator, earlier in the week.
In both cases, many politicos and pundits have pondered why our federal cybersecurity efforts seem to be in such disarray. Kwon was the fourth director of US CERT in five years. Hathaway was the acting “cyber czar,” though the Administration prefers to call it “coordinator,” a position announced by the President eight weeks ago that few cybersecurity gurus have been interested in taking.
Things, however, may be bad but not as bad as they appear. DHS has filled its two (or three, depending on how you count) political cybersecurity spots with experienced and smart experts. Phil Reitinger is the Deputy Under Secretary for the National Protection & Programs Directorate, overseeing the agency’s cybersecurity efforts. He is dual-hatted as the Director of the National Cybersecurity Center (NCSC), a position created in 2008 amid internal squabbling that has been duplicative of the agency’s efforts, as well as underappreciated, as demonstrated by Rod Beckstrom’s very public resignation from that position earlier this year. In consolidating the two positions, Secretary Napolitano has created one point person to strategize and lead the Department’s efforts on a macro level.
In addition, the new Assistant Secretary for Cybersecurity & Communications, Greg Schaffer, is well-versed in the cybersecurity space. Both Phil and Greg have worked together in the past and have private sector and government experience in the operational and legal sides of cybersecurity – something which is much needed at the agency. Hopefully, by working together in a concerted effort, there will be some progress at DHS on the cybersecurity front. That’s not to say there is not a lot of work to be done, and it is a nearly-impossible task, but having some game plan and a team effort will be critical.
Over at the Department of Defense, Secretary Robert Gates created a “Cyber Command” to be headed by the director of the National Security Agency. When announcing the new Command in June, Gates issued a memo noting that the new effort will synchronize “warfighting efforts across the global security environment.” While there have been some concerns that the new Cyber Command will usurp civilian efforts, its creation is an important step in streamlining and synchronizing our military’s offensive and defensive capabilities. In addition, its creation may help thwart what has been seen as increasing competition between the branches to be responsible for DoD’s cybersecurity efforts.
Which brings us back to the so-called Cyber czar vacancy. It is important to remember that the White House Cybersecurity Coordinator is a policy position — not an operational one. The nuts and bolts of protecting government civilian, military, and private sector systems remain with the agencies above, as well as with several others tasked with specific elements of cybersecurity (e.g., Department of Justice with prosecuting cybercrimes, FBI and Secret Service with investigations, countless CIO offices with securing specific agency computers, NIST with standards). The cyberczar will report both to the National Security Council and the National Economic Council, which suggests that the individual will attempt to balance between homeland security and economic concerns. That dichotomy, however, is not as prevalent as it may have been 10 years ago when Dick Clarke served as czar. It could change if Congress enacted legislation that was strong on regulation in cyber space. What is not clear from the creation of the cyberczar is whether that individual will have the authority to direct all the agencies should a cyber-crisis occur.
The inability to fill the “cyberczar” spot, whether it sits in DHS, DoD, the White House, or the Office of Management and Budget, is long-standing. In the 2002-2004 timeframe, much attention was given to DHS’ efforts on the cybersecurity front and the fact that the cyberczar had gone from being in the White House to the Director of the National Cyber Security Division, a spot buried within the agency’s bureaucracy. The first Director, Amit Yoran, lasted a little more than a year before leaving, in part, because of the lack of authority.
Going forward, regardless of what you call the positions or how they are filled, it is essential that there be long-term planning and staffing on the cybersecurity front. As DHS and DoD get their operational efforts in order, their successes will be measured on whether their cyber leaders have the authority to do their jobs AND whether they stay for longer than a year or two. At the same time, when and if the cyber czar position is filled, it will be critical that the chosen person be one who puts supporting DHS, DoD, and other agencies’ efforts first and not one who, taken by the czar title, is overly interested in leaving their personal mark.