This is leadership? US cybersecurity is a revolving door of exiting officials
Personally, I never understood what got people so excited about Barack Obama. But back in 2008 people were positively gooey about him, and one of the lesser reasons was "cybersecurity". Obama "got it". He understood the deadly seriousness of this business.
In July, 2008 then-Senator Obama told a gathering at Purdue University: "As President, I'll make cybersecurity the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me. We'll coordinate efforts across the federal government, implement a truly national cyber-security policy, and tighten standards to secure information - from the networks that power the federal government, to the networks that you use in your personal lives".
It wasn't long before the importance of it all to the President started to fade, even as the problem grew worse. It was almost a year before he appointed Howard Schmidt (the guy who had done the same job in the Bush administration) as National Cyber Advisor, but Schmidt doesn't report directly to the President. Since then Schmidt has carried on the traditional job of senior government cybersecurity advisors by issuing long reports describing the importance of the problem and making vague proposals for addressing it, while being careful not to threaten too many interests too specifically. Schmidt's great accomplishment so far has been the CNCI (Comprehensive National Cybersecurity Initiative), a series of 12 initiatives announced in May of 2010, which had actually begun in the Bush administration. I don't recall hearing anything about the CNCI since.
This must be the way they like it in Washington, because Schmidt is one of the few top cybersecurity officials still standing, as described by Microsoft's Terry Zink recently. Zink's commentary also demonstrates how fragmented authority in this area remains, a problem which can only be solved by solid leadership that has been lacking.
The high-level defections started with Rod Beckström, the Department of Homeland Security's cyber-security chief, in March 2009. At the time Wired described the atmosphere as one of "power grabs and bureaucratic infighting". Beckström complained in his resignation letter that his group had been without funds or support from the department.
In August of 2009 Melissa Hathaway, the interim White House cybersecurity czar who had just finished the Obama administration's cybersecurity review, resigned "for personal reasons" according to the Wall Street Journal: "People familiar with the matter said Ms. Hathaway has been 'spinning her wheels' in the White House, where the president's economic advisers sought to marginalize her politically". In the end Obama decided that the National Cyber Advisor would report to both the National Security Council and the National Economic Council, although "detractors said it would require the new official to please too many masters and would accomplish little".
The next resignation was in May of this year when Phil Reitinger, the Department of Homeland Security's top cyber and computer crimes official, quit "to spend the summer with his family" according to the National Journal.
"Since DHS was given the responsibility to protect the homeland from cyber threats, as well as direct authority to protect dot.gov domains from intrusions, it has competed for resources and attention with the Department of Defense, which stood up an entire cyber command and has the mighty computers of the National Security Agency at its fingertips". I can certainly appreciate wanting to spend summer with your family, but Reitinger had been appointed just two years before and continuity counts for something in these matters.
The next official to head for the door, just last Friday, was Randy Vickers, director of the US Computer Emergency Readiness Team. No offense to the other three officials, but I always thought of their missions and positions as somewhat nebulous, but CERT does important work. There was no explanation given for Vickers' departure.
Who's in charge here? I think it's fair to say that there's as much dejection in the industry now as there was bright-eyed optimism 3 years ago at the dawn of the Obama era. One of those in attendance at the Purdue address was the well-known and respected Eugene Spafford, head of Purdue's Center for Education and Research in Information Assurance and Security. Spafford was specifically mentioned by Obama and Spafford followed up with a blog about the event which gushes about the candidate. But already by June 2009 he was expressing concern about the job being done by the administration. From what I can see, 'Spaf' (as he's known) has been quiet on the matter since. I suspect he'd like to have some good news to write about.
But there is no real good news on the matter. This is absolutely a tough job for the government for many reasons and it will take energy, courage and leadership to get us on a positive footing. We're just not there or even headed there. I blame the guy at the top of the org chart.
Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for InfoWorld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.