I had the privilege last week of attending a joint meeting of the Internet Security Alliance, U.S. Chamber of Commerce, Business Software Alliance, and TechAmerica. The guest of honor was Melissa Hathaway, who was appointed Acting Senior Director of Cybersecurity by President Obama last month. Her brief is to conduct a 60-day review to, as the press release put it:
“… develop a strategic framework to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector.”
Most recently Ms. Hathaway served in the Bush administration under National Intelligence Director Mike McConnell.
Speaking in an open forum is a pretty significant context switch for Ms. Hathaway. Until very late in the Bush administration, she was only allowed to speak in classified settings. As she pointed out, it’s nearly unprecedented for an NSC director to speak publicly about current projects. It’s just one sign of the new openness for which President Obama wants his administration known. The three primary areas for which the President has asked for recommendations are:
- Organization, meaning governance and operating structure within the executive branch and the interfaces with state and local government agencies
- Norms of Behavior for private and public sector enterprises
There are a couple of other minor areas, but these three will receive the bulk of Hathaway’s and her team’s attention. It was apparent from her remarks and the CSIS report released in January that the organizational question is the most politically sensitive. Currently the responsibility for protecting Americans from cyberthreats is shared amongst the National Security Council, Homeland Security Council (part of DHS), the Office of Management & Budget, and a half-dozen other national policy and law enforcement agencies. It’s a commonly accepted tenet at this point that a significant consolidation of responsibility is required to make any real progress. Any time a president attempts a reorganization of this nature, it becomes a political issue with all agencies (and the congressional oversight committees) attempting to protect what turf they can.
One of Ms. Hathaway’s key deliverables is compelling examples of the limitations of the current structure. She only cited one last week, but it’s a doozy. It turns out that when you try to determine which federal agency is responsible for protecting the private sector from a cyberattack by a foreign nation-state, there isn’t one. The Department of Defense obviously has responsibility for protecting the private sector and its production assets from physical attack, and a variety of agencies are chartered with capturing and prosecuting civilians (foreign and domestic) who attack the nation’s Internet assets. However, no agency, or at least no agency with any assets suitable to the task, is responsible for protecting the infrastructure that essentially carries all of the nation’s commercial transactions from attack by a foreign government.
As far as new standards are concerned, it would appear that the approach will be more normative than prescriptive as everyone involved well understands what happens when government starts dictating answers to questions that evolve far faster than any government process can track. Ms. Hathaway mentioned identity management and privacy specifically, but there’s clearly a long list of things required here.
The “Norms and Behaviors” work will focus first on standardizing basic terminology. For example, there is no commonly accepted standard of just what comprises a “cyber attack”. There are likewise no standards on how public and private enterprises should respond when attacked. Statutes like SB 1386 nibble around the edges of this issue, but this is clearly an area in which you want federal, not state, standards establishing expectations for behavior. I’d like to think that it is this thread of work that will drive the creation of a federal breach disclosure law to harmonize the 44 state laws we currently have.
One of the first tasks executed by Hathaway’s team was to catalog and cross-reference the more than 280 cybersecurity requirements that have already been imposed on the federal bureaucracy by presidents starting with Bush 41. If you think about how much the Internet and threat models have evolved since George H.W. Bush was president, you get some idea of the challenge we have just in updating and standardizing existing cybersecurity policies, let alone upgrading them to cope with the current threats.
A few of the core tenets of the overall project cited by Hathaway include:
- The President has specifically instructed that any new cybersecurity policy must balance security, privacy, and civil rights in equal measure
- New cybersecurity policy initiatives must comprehend both defensive and offensive strategies
- The work of Hathaway’s team will be carried out primarily in public view, as it was today. The intention is for the vast majority of her final report to be unclassified. There will obviously be portions of it dealing with the military and intelligence agencies that will be classified, but the President’s stated preference for openness, candor, and accountability is evident in Hathaway’s approach.
The White House is posting periodic updates on the progress of the project on the White House blog site. The first one is here. It doesn’t really say all that much, but it’s encouraging that they’re at least making an effort to keep the public up to date on their progress.