As everyone prepares to examine the results of the Obama Administration’s cyber-security review, one of the largest issues in play remains to what extent the White House will embrace recommendations to create a Cabinet-level position to address the matter or some role superior to today’s “cyber czar” post.
Having participated in the CSIS Commission on Cyber Security for the 44th Presidency, it won’t surprise you that I support that concept, as one of the major recommendations suggested by the Commission – constituted of stakeholders from a wide range of public and private interests – was to do so.
As people scrutinize the recommendations the White House may recognize, it’s natural, even beneficial, that some observers – including influential members of the IT security community – question whether naming a more prominent government cyber-security chief will help improve the nation’s ability to deal with the critical challenges it faces.
In a recent interview with Threatpost news service, Bruce Schneier, an industry beacon and the Chief Security Technology Officer of BT, said it would be more effective for the U.S. government to operate without a “top-down hierarchy,” as “our economic and political systems work best when there isn't a dictator in charge.”
I’d propose that “dictator” might be a bit strong, given that all of our most important national interests are currently represented by leaders as in the case of the President’s Cabinet. However, I think it’s an unquestionably valid point that in many cases adding bureaucracy can get in the way of progress.
Schneier also suggests to Threatpost that the NSA, or any other individual agency, shouldn’t be granted a majority influence, and cites the fact that existing efforts to lead cyber-security under the cyber czar role have failed primarily based on insufficient funding.
With all due respect to thought leaders including Mr. Schneier – who, it should be noted, has testified before Congress on matters of cyber-security on multiple occasions and whose company remains an industry leader in both its adoption and delivery of IT security programs – I would submit that his opinions actually illustrate precisely why we presently require a more commanding U.S. cyber-security executive.
The shortcomings of the cyber czar post have been based on a lack of sufficient empowerment in directing the many federal agencies involved in this arena, and no directive, regardless of its importance or profile, can be realized without an adequate budget.
On the matters about which I had the honor of testifying before Congress last month, which addressed the ability of cyber-security efforts operating under Homeland Security to meet the goals of their respective missions, I made extremely similar recommendations. These individual DHS teams have only fallen short in areas where they haven’t been furnished with the right level of jurisdiction and funding to do so.
If you look back at the CSIS report, there’s a good deal of explanation as to why the Commission, with its diverse experience in dealing with the cyber-security challenges faced by the U.S. government, reasoned that the systematic complexity that already exists across the federal sector in directing the nation’s approach to this problem has led to shortcomings in doing so, and commands new, more empowered executive leadership.
Perhaps like Washington’s original Secretary of War, the position occupied by a Secretary of Cyber-Security would eventually become subordinate to a more centralized leader, say, a Secretary of Information Technology and Electronic Infrastructure.
However, cyberspace is now a central element of American economic health and national security. Our national vision for cyberspace must utilize all available resources to transcend our current models of security and enable secure use to create new opportunities for everyone.
The government cannot manage the issues it faces around cyber-security in an ad hoc fashion any longer. The 44th Administration should reorganize to clarify responsibilities, ensure accountability, and increase transparency and collaboration to help manage the risks that have left the United States far too vulnerable.
Better organization – specifically revitalized leadership – will help our government become both more secure and more effective. We need a fundamental shift which enables the vision of a defensive-minded leader to strategically govern our IT evolution as a nation.
-Tom Kellermann, VP of Security Awareness