The Center for Education and Research in Information Assurance and Security (CERIAS)


A Cynic’s Take on Cyber Czars and 60-day Reports


Today, and Before

On July 17, 2008, (then) Senator Barack Obama held a town hall meeting on national security at Purdue University. He and his panel covered issues of nuclear, biological and cyber security. (I blogged about the event here and here.) As part of his remarks at the event, Senator Obama stated:

Every American depends — directly or indirectly — on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it's no secret that terrorists could use our computer networks to deal us a crippling blow. We know that cyber-espionage and common crime is already on the rise. And yet while countries like China have been quick to recognize this change, for the last eight years we have been dragging our feet.

As President, I'll make cyber security the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me. We'll coordinate efforts across the federal government, implement a truly national cyber-security policy, and tighten standards to secure information — from the networks that power the federal government, to the networks that you use in your personal lives.

That was a pretty exciting statement to hear!

On February 9, 2009, (now) President Obama appointed Melissa Hathaway as Acting Senior Director for Cyberspace and charged her with performing a comprehensive review of national cyberspace security in 60 days. I interacted with Ms. Hathaway and members of her team during those 60 days (as well as before and after). From my point of view, it was a top-notch team of professionals approaching the review with a great deal of existing expertise and open minds. I saw them make a sincere effort to reach out to every possible community for input.

If you're keeping count, the report was delivered on or about April 10. Then, mostly silence to those of us on the outside. Several rumors were circulated in blogs and news articles, and there was a presentation at the RSA conference that didn't really say much.

Until today: May 29th.

Shortly after 11am EDT, President Obama gave some prepared remarks and his office released the report. In keeping with his July 2008 statement, the President did declare that "our digital infrastructure -- the networks and computers we depend on every day -- will be treated as they should be: as a strategic national asset." However, he did not appoint someone as a National Cyber Advisor. Instead, he announced the position of a "Cybersecurity Coordinator" that will be at a lower level in the Executive Office of the White House. No appointment to that position was announced today, either. (I have heard rumor from several sources that a few high-profile candidates have turned down offers of the position already. Those are only rumors, however.)

The President outlined the general responsibilities and duties of this new position. It apparently will be within the National Security Staff, reporting to the NSC, but also reporting to OMB and the National Economic Council, and working with the Federal CIO, CTO and the Office of Science and Technology Policy.

The new Coordinator will be charged with

  1. helping develop (yet another) strategy to secure cyberspace, including metrics and performance milestones;
  2. coordinating with state and local governments, and with the private sector, "to ensure an organized and unified response to future cyber incidents";
  3. strengthening ties with the private sector, with an explicit mandate to not set security standards for industry;
  4. continuing to invest in cyber (although the examples he gave were not about research or security);
  5. beginning a national campaign to increase awareness and cyber literacy.

The President also made it clear that privacy was important, and that monitoring of private networks would not occur.

Reading Between the Lines

A number of things that weren't stated are also interesting, as are the implications of some of what was stated.

First of all, the new position is rather like a glorified cheerleader: there is no authority for budget or policy, and the seniority is such that it may be difficult to get the attention of cabinet secretaries, agency heads and CEOs. The position reports to several entities, presumably with veto power (more on that below). Although the President said the appointee will have "regular access" to him, that is not the same as an advisor -- and this is a difference that can mean a lot in Washington circles. Although it is rumor that several high-profile people have already turned down the position, I am not surprised given this circumstance. (And this may be why it has been two months since the report was delivered before this event — they've been trying to find someone to take the job.)

The last time someone was in a role like this with no real authority was in 2001, when Howard Schmidt was special adviser for cyberspace security to President G.W. Bush. Howard didn't stay very long, probably because he wasn't able to accomplish anything meaningful beyond coordinating (another) National Plan to Secure Cyberspace. It was a waste of his time and talents. Of course, this President knows the difference between "phishing" and "fission" and has actually used email, but still...

Second, the position reports to the National Economic Council and OMB. If we look back at our problems in cyber security (and I have blogged about them extensively over the last few years, and spoken about them for two decades), many of them are traceable to false economies: management deciding that short-term cost savings were more important than protecting against long-term risk. Given the current stress in the economy I don't expect any meaningful actions to be put forth that cost anything; we will still have the mindset that "cheapest must be best."

Third, there was no mention of new resources. In particular, no new resources for educational initiatives or research. We can pump billions of dollars into the bank accounts of greedy financiers on Wall Street, but no significant money is available for cyber security and defense. No surprise, really, but it is important to note the "follow the money" line -- the NEC has veto power over this position, and no money is available for new initiatives outside their experience.

Fourth, there was absolutely no mention made of bolstering our law enforcement community efforts. We already have laws in place and mechanisms that could be deployed if we simply had the resources and will to deploy them. No mention was made at all about anything active such as this -- all the focus was on defensive measures. Similarly, there was no mention of national-level responses to some of the havens of cyber criminals, nor of the pending changes in the Department of Defense that are being planned.

Fifth, the President stated "Our pursuit of cybersecurity will not -- I repeat, will not include -- monitoring private sector networks or Internet traffic." I suspect that was more than intended to reassure the privacy advocates -- I believe it was "code" for "We will not put the NSA in charge of domestic cyber security." Maybe I'm trying to read too much into it, but this has been a touchy issue in many different communities over the last few months.

There are certainly other things that might be noted about the report, but we should also note some positive aspects: the declaration that cyber is indeed a strategic national asset, that the problems are large and growing, that the existing structures don't work, that privacy is important, and that education is crucial to making the most of cyber going forward.

Of course, Congress ("pro is to con as Progress is to Congress") is an important player in all this, and can either help define a better solution or stand in the way of what needs to be done. Thus, naming a Cyberspace Coordinator is hardly the last word on what might happen.

But with the perspective I have, I find it difficult to get too excited about the overall announcement. We shall see what actually happens.

The Report

I've read the report through twice, and read some news articles commenting on it. These comments are "off the top" and not necessarily how I'll view all this in a week or two. But what's the role of blogging if I need to think about it for a month, first?

It is important to note that the President's remarks were not the same as the report, although its issuance was certainly endorsed by the White House. The reason I note the difference is that the report identifies many problems that the President's statement does not address (in any way), and includes many "should"s that cannot be addressed by a "coordinator" who has no budget or policy authority.

What is both interesting and sad is how much the new report resembles the largely-inconsequential National Plan to Secure Cyberspace issued under the Bush Administration (be sure to see the article at the link). That isn't a slam on this report -- as I wrote earlier, I think it is a good effort by a talented and dedicated team. What I mean to imply is that the earlier National Plan had some strong points too, but nothing came of it because of cost and prioritization and lack of authority.

There are a number of excellent points made in this report: the international aspects, the possibility of increased liability for poor security products and practices, the need for involvement of the private sector and local governments, the need for more education, the tension between privacy and security, and more.

I was struck by a few things missing from the report.

First, there was no mention of the need for more long-term, less applied research and resources to support it. This is a critical issue, as I have described here before and has been documented time and again. To its credit, the report does mention a need for better technology transfer, although this is hardly the first time that has been observed; the 2005 PITAC report "Cyber Security: A Crisis of Prioritization" included all of this (and also had minimal impact).

The report had almost nothing to say about increasing resources and support for law enforcement and prosecution. This continues to puzzle me, as we have laws in place and systems that could make an impact if we only made it a priority.

There is no discussion about why some previous attempts and structures -- notably DHS -- have failed to make any meaningful progress, and sometimes have actually hindered better cyber security. Maybe that would be expecting too much in this report (trying not to point fingers), but one can't help but wonder. Perhaps it is simply enough to note that no recommendations are made to locate any of the cyber responsibilities in DHS.

There is some discussion of harmonizing regulations, but nothing really about reviewing the crazy-quilt laws we have covering security, privacy and response. There is one sentence in the report that suggests that seeking new legislation could make things worse, and that is true but odd to see.

As an aside, I bet the discussion about thinking about liability changes for poor security practices and products -- a very reasonable suggestion -- caused a few of the economic advisors to achieve low Earth orbit. That may have been enough to set off the chain of events leading to reporting to the NEC, actually. However, it is a legitimate issue to raise, and one that works in other markets. Some of us have been suggesting for decades that it be considered, yet everyone in business wants to be held blameless for their bad decisions. Look at what has played out with the financial meltdown and TARP and you'll see the same: The businessmen and economists can destroy the country, but shouldn't be held at fault.

There is discussion of the supply-chain issue but the proposed solution is basically to ensure US leadership in production -- a laudable goal, but not achievable given the current global economy. We're going to need to change some of our purchasing and vetting habits to really achieve more trustworthy systems — but that won't go over with the economists, either.

There is no good discussion about defining roles among law enforcement, the military, the intelligence community, and private industry in responding to the problems. Yes, that is a snake pit and will take more than this report to describe, but the depth of the challenges could have been conveyed.

As David Wagner noted in email to a USACM committee, there is no prioritization given to help a reader understand which items are critical, which items are important, and which are merely desirable. We do not have the resources to tackle all the problems first, and there is no guidance here on how to proceed.

Summary

I didn't intend for this to be a long, critical post about the report and the announcement. I think that this topic is receiving Presidential attention is great. The report is really a good summary of the state of cybersecurity and needs, produced by some talented and dedicated Federal employees. However, the cynic in me fears that it will go the way of all the other fine reports -- many of which I contributed to -- including the PITAC report and the various CSTB reports; that is, it will make a small splash and then fade into the background as other issues come to the fore.

Basically, I think the President had the right intentions when all this started, but the realpolitik of the White House and current events have watered them down, resulting in action that basically endorses only a slight change from the status quo.

I could be wrong. I hope I'm wrong. But experience has shown that it is almost impossible to be too cynical in this area. In a year or so we can look back at this and we'll all know. But what we heard today certainly isn't what Candidate Obama promised last July.

(And as I noted in a previous post, Demotivators seem to capture so much of this space. Here's one that almost fits.)

Comments

Posted by Dan Philpott
on Tuesday, June 2, 2009 at 03:27 PM

The President is in a precarious position with cybersecurity. He knows that securing ‘cyberspace’ is necessary to continue its transformational role in the world. He has benefited greatly from social networks accessed through the Internet and he has tied his efforts to open the government to public scrutiny to Internet access. Add to this recent experiences (or the perceptions of experiences) with power system vulnerabilities, threats to commerce and massive data breaches. Something needs to be done, but how can he go about it?

If he moves aggressively there are a number of possible downsides. Attempting to more directly control Internet governance would upset the precarious political balance that leaves DNS roots in US Government hands. Attempting to regulate to enforce better security may stifle innovation, both in Internet services and security development. Turning cybersecurity over to secret management by NSA is anathema to his stated goals of openness and transparency and likely counterproductive. Command and control edicts simply won’t work.

To do nothing is not tenable. To be frank, a cybersecurity czar position is political theater. Czars look good as a concept, appear to be decisive action, but have no real power to effect change. I liken them to the Surgeon General: the power of the office rests solely on the ability of the person appointed to influence those with the power to change. C. Everett Koop was a great Surgeon General but his successors are largely forgettable.

So what can he do?  Well, the art of politics is compromise.  What he can do is improve the current situation and lay a framework to continue improvement. 

The first improvement is he raised the visibility of the cybersecurity problem. There are a lot of problems in implementing a Federal cybersecurity governance and/or enforcement function. None of the problems will be solved by the report. But the report can highlight some of the problems and get people thinking about possible solutions.

The second big thing is making an effort at using what he has to do what he wants.  He can’t vote for resources to create his new cybersecurity position, that’s Congress’ job.  So he creates a placeholder position and waits for either S. 778/773 or S. 921 to create a more substantive position with an actual budget and authority.  Whether it’s Office of the National Cybersecurity Advisor or National Office for Cyberspace both will have greater powers than those proposed so far.

The third big improvement is he made the process significantly more transparent. Gone is the Bush-appointed cabal and depth of secrecy that led to and implemented CNCI. Now we have an announced review, the process of issuing a public report and some high visibility backing from the President when the report is issued.

The fourth improvement is he delineated an important boundary on the power of the government in cybersecurity.  I love this line from his speech, “Our pursuit of cybersecurity will not—I repeat, will not include—monitoring private sector networks or Internet traffic.  We will preserve and protect the personal privacy and civil liberties that we cherish as Americans.  Indeed, I remain firmly committed to net neutrality so we can keep the Internet as it should be—open and free.”  No spying on citizens.  Let’s hope that this is a message that some in the Intelligence Community receive as the directive it is. 

None of this is enough.  It’s just like everything else in DC, a political compromise.  And political compromise is a good thing.  It means balance is being achieved even if in our guts we want simple solutions to complex problems.

Posted by Ron W
on Wednesday, June 3, 2009 at 04:50 PM

Spafford’s Law of Security, “If you have responsibility for security, but no authority to make changes, then you’re just there to take the blame when something goes wrong.”

It hasn’t changed in the 15+ years since you wrote it…

=======

Wow, I wish I had thought of that when I was writing the blog post!

Yeah, that goes back almost 20 years.

—spaf

Posted by Daniel Shaw
on Saturday, June 6, 2009 at 07:17 PM

Hello, my name is Dan Shaw and I worked alongside Adam Hammer in the Mathematics dept (2000-2006).
I added a copy of an email I sent to Michael Vatis and the Jim Lehrer NewsHour.
==================================================
SUBJECT: Your KCET viewing on cybersecurity

Hello Michael and Jim,
I just watched you on KCET and unfortunately you are not correct about security issues being unable to be resolved.
REF: http://www.pbs.org/newshour/bb/politics/jan-june09/cybersecurity_05-29.html
This statement you made…
“There are vulnerabilities in the infrastructure of the Internet. There are vulnerabilities in the computer systems of the critical infrastructures tied to the Internet, of the banking systems, communication systems, energy systems.” But this is common knowledge; why do you think we get so many “attacks” or attempts to intrude on institutions in this country?

Here are my comments:

There is, and has been, the technology in place to secure our networks and data.
What you did state correctly is that from the governmental side there is so much infighting that nothing gets done to resolve security issues.
We have known about break-ins to government agencies since and before the book “The Cuckoo’s Egg” by Clifford Stoll, and that was in the 60s.
One thing the Bush Administration did was pass the Sarbanes-Oxley Act of 2002. Now granted, this is a weak Act because there is no real enforcement. An example of this is the last company I worked for had holdings upwards of a trillion dollars and they still use clear-text-over-the-wire technology such as telnet and ftp to access their servers. Now it is internal access, but when you have 8000+ employees worldwide I’m not going to trust all of them or the people they know or the equipment they may lose, etc. Always err on the side of caution when it comes to securing servers, networks and data. So that means firewall, secure, encrypt, harden, and test for vulnerabilities always, all the time.

So with the following policies HIPAA, GLBA, SOX, DoD 8100.2 & Enterprise Policy there are numerous ways to ensure the security of our networks and data.
Including 3 tier data centers (not applications) for ultra high volatile data. So when it comes to corporate non-compliance it squarely rests on their shoulders and their non-action to embrace and change the infrastructure to become secure.

As to individual identity theft… unfortunately this action can be seen much like a mugger on the street. Muggers or robbery will unfortunately always be in our society, but that being said I do understand identity theft, at this time, could be a little more volatile in regards to personal records. But much like protecting yourself from a mugger, there are actions one takes to prevent this from happening. This is educating yourself about what to look for when you are on the computer. Don’t respond to email asking for your information from a foreign country. Do not purchase items on an unsecured website, etc.

As to attacks from other countries, which could be someone in our back yard if it’s done right. There will always be attempts to break in, get in, inject, etc. at places like the Pentagon and other government and financial institutions, so what do we do? There are many solutions here and the most important is knowledge and educating those who should be in compliance. And enforcing that compliance. But in this day and age I find it very difficult that anyone in the IT industry with some history and knowledge does not at least know about basic security and some of its challenges.

Sorry, I tried to keep this part out but it just seemed to flow.
To me this is just another example of the lax and weary attitude we have toward upholding the rule of law and policies. It is happening in all areas of American life; this is just another example. And what do we do instead of educating our society and upholding the law and policies? We analyze the crud out of it while nothing gets done. I wish my Mom was President. Everyone who broke the law would be in jail without exception, and everyone would do their job (public servants), and if you didn’t know how you would learn or go find another one. There would be no favoritism and politicking. The American people would decide and vote on what they needed or wanted to get done in this country, not the few representatives in office.

I hope others that watched the show extracted the “scary” parts of your dialog and will use the useful parts to become compliant.

Thank you,
Daniel P. Shaw
