Obama's cybersecurity chief resigns, signals disarray

The White House acknowledged this afternoon that Melissa Hathaway -- chosen by the President last February to lead the nation's cybersecurity review, and the person seen as most likely to be appointed to the "Cybersecurity czar" post -- will instead resign her appointment on August 21, letting someone else fill the post.

In an e-mail obtained yesterday by Federal Computer Week, White House spokesperson Nick Shapiro credited Hathaway for her contribution to the federal cybersecurity effort, including spearheading the 60-day review of the nation's security status ordered by President Obama. Hathaway, previously a Bush administration appointee, had been reporting to the Director of National Intelligence, though she was expected to be elevated to a "czar" style post (the term having originally been coined by then-Senator Joe Biden) that would report to Mr. Obama, by way of both the National Security Council and the National Economic Council.

Although as first reported in The Wall Street Journal this morning, Hathaway acted professionally and cited "personal reasons" as driving her decision, she also gave strong indications that the fact that a search for a full-time appointment to the cybersecurity post remained "under way" meant that she may not have been on the short list after all.

As our Angela Gunn reported in June, Hathaway's final report echoed many of the suggestions she had been receiving from existing government organizations and academia -- but not commercial interests -- in essentially calling for an improved system of education. Such a system, Hathaway implied, would counteract the temptation of young people to go maliciously hacking into governments' computers. If people were better educated, in other words, they wouldn't be hackers.

Hathaway also repeated her call for better cooperation between the public and private sectors, in creating a plan of action for improved global cybersecurity for both groups. But that creation calls for a plan of action in itself; and as the WSJ article pointed out, it would begin with some sort of coordination between the NSC and the NEC. That coordination would presumably lead to the czar's appointment, but such coordination requires the czar to pre-exist...and thus the conundrum.

One of the agencies Hathaway consulted with in the production of the 60-day cybersecurity review was the Information Technology Sector Coordinating Council. In its March response to her office (PDF available here), the ITSCC suggested right up front that for government to be effective in responding to cybersecurity issues, it should reduce the number of agencies with involvement or oversight authority to just those that would be responsible for the response.

"The government and industry need to come to an agreement and adopt a philosophy on what constitutes as an incident that reaches the magnitude for triggering a mechanism for a joint response (i.e., a cyber incident of national significance). Once that is defined, we believe that during a cyber incident requiring a joint response, Government should...facilitate incident management of the event by a single Government entity with involvement of only those organizations that are directly involved in responding to and resolving the incident."

But as the WSJ has been reporting since last May, almost immediately after such suggestions were raised by the ITSCC and others, Treasury Secretary Lawrence Summers openly suggested that his agency should "co-lead" the cybersecurity division, along with the NSC. The White House officially records that Summers was present last May, along with NSC Advisor Gen. James Jones, for the unveiling of the final 60-day review.

Summers has the backing of Democrats in Congress including Sen. Jay Rockefeller (D - W.V.), who is the principal sponsor of cybersecurity legislation. In unveiling the first draft of that legislation on the same day of Summers' appearance at the 60-day review ceremony, Sen. Rockefeller stated, "As members of both the Senate Commerce Committee and the Senate Intelligence Committee, we meet at the legislative crossroads between our national security and economic security. Cybersecurity is an integrated matter of intelligence and economic viability and our policies must reflect this connectivity."

In his own remarks at the unveiling ceremony, Pres. Obama first pointed out that overlapping authorities were at the root of the current cybersecurity problem: "No single official oversees cybersecurity policy across the federal government, and no single agency has the responsibility or authority to match the scope and scale of the challenge. Indeed, when it comes to cybersecurity, federal agencies have overlapping missions and don't coordinate and communicate nearly as well as they should -- with each other or with the private sector. We saw this in the disorganized response to Conficker, the Internet worm that in recent months has infected millions of computers around the world. This status quo is no longer acceptable -- not when there's so much at stake. We can and we must do better."

But later in the very same speech, he announced the following: "To ensure that federal cyber policies enhance our security and our prosperity, my Cybersecurity Coordinator will be a member of the National Security Staff as well as the staff of my National Economic Council."

Melissa Hathaway may possibly return to her former role as a high-level security consultant at the prestigious Washington firm Booz Allen Hamilton.