When U.S. President Barack Obama announced in May that he was establishing a White House office for cybersecurity, the news was widely welcomed as a sign of the administration’s willingness to recognize cyberthreats as a national security issue.
The need for such a role had been espoused by many in the security industry, including Obama’s acting cybersecurity chief, Melissa Hathaway, who announced her resignation this week, and a 40-member commission that had developed cybersecurity recommendations for the Obama administration.
The idea was to create a central role that would be responsible for developing and enforcing a national strategy for defending the country’s government and commercial interests in cyberspace.
But eight weeks after the President’s announcement, and with no one named to the post yet, some have begun wondering if the delay is because there are few takers for the job as outlined. Far from being the game-changing role that some had hoped it would be, the new position is increasingly being seen as one that has been watered down to the point of inconsequence.
Hathaway, who was considered a contender for the role given her past experience as a cybersecurity executive for the Office of the Director of National Intelligence, alluded to such issues in an interview with the Washington Post this week. She suggested to the Post the reason she had quit was because she “wasn’t willing to continue to wait any longer because I’m not empowered right now to continue to drive the change.” About 30 people have been interviewed for the job so far, the report said.
Among those who turned down the position were former Virginia Sen. Tom Davis, Microsoft Corp.’s Scott Charney, Paul Kurtz of Good Harbor Consulting LLC, and Good Harbor executive Paul Kurtz, who is a former senior director for critical infrastructure protection on the White House’s Homeland Security team, Forbes reported last month.
In announcing her resignation, Hathaway told the White House that she did not wish to be considered for the cybersecurity role, the Wall Street Journal reported.
Tom Kellerman, vice-president of security awareness at Core Security Technologies, said her decision leaves a dangerous leadership void on the cybersecurity front and highlights the challenges the White House is facing in attracting the right talent to the job. Kellerman was a part of a 40-person team led by the Center for Strategic and International Studies that delivered a set of cybersecurity recommendations to the president in January.
“The position just isn’t high enough in the White House food chain to attract the most qualified people,” Kellerman said. It is only by elevating the position to the rank of a special adviser that it will have the clout and decision-making capabilities to enforce cybersecurity change across government, he said.
As currently defined, Obama’s cybersecurity coordinator will be required to report both to the National Security Council and the National Economic Council. That itself makes the job more consultative and bureaucratic in nature than anything else, say many.
Additionally, leaders at the National Security Council and the National Economic Council are apparently reluctant to vest the new cybersecurity official with too much authority, said Alan Paller, director of research at the SANS Institute. “The National Security Adviser thinks cyber is very important — but not more important than other threats like nuclear,” Paller said.
Meanwhile, the National Economic Adviser’s office has apparently taken the stance that too much emphasis on cybersecurity will hamper economic growth, Paller said. “That means that the President’s two most powerful advisers are not supportive of a strong cyber-czar,” he said.
Several factors appear to have contributed to a “neutering” of the White House cybersecurity role, Kellerman said. Like Paller, Kellerman believes that there has been a strong effort by corporate interests to keep the White House from getting too involved in implementing major cybersecurity changes.
The argument appears to be that too many security requirements will result in new operational costs, hurt growth and limit efficiency and accessibility of services and data, Kellerman said.
Many also don’t want the government setting standards and regulations that could end up putting U.S. companies and multinationals at odds with international standards, Kellerman said. Though such arguments are totally misplaced and shortsighted, they nevertheless seem to have influenced the job definition for Obama’s cybersecurity coordinator, he said.
Obama’s preoccupation with other major issues, such as health-care reform and the economy, has meant also that cybersecurity affairs have been pushed back for the timebeing at least, Paller said.
In a blog post, John Prisco, CEO of security vendor Triumfant Inc., noted wryly that in the past two months Obama has “thrown out more first pitches to baseball games than names for the position.”
After two months with no announcement it is fair to ask the administration what its next move will be, Prisco said. “If no one is interested in the post, then the administration must see that as a clear indicator that the post has not been properly defined and empowered and make the changes necessary to move forward,” he said.
