- The Washington Times - Thursday, May 7, 2009

A cybersecurity review commissioned by President Obama is urging the White House to take the lead in protecting government computers from spies, criminals and other hackers — a move that would displace the Department of Homeland Security as the lead agency.

“No single agency has a broad enough perspective to match the sweep of the challenges,” said Melissa Hathaway, a consultant and former intelligence official who worked on computer security in the Bush administration and led the review under Mr. Obama.

The issue, Ms. Hathaway told a recent meeting of private intelligence contractors, “transcends the jurisdictional purview of individual departments and agencies.”

She later told The Washington Times that the report’s release had been delayed because of the flu epidemic but that it would be issued in the coming days, with its recommendations posted on the Internet.

The White House declined to comment, and details are being closely held ahead of publication.

Moreover, Mr. Obama would have to sign off for the recommended organizational changes to take effect.

Although Ms. Hathaway declined to discuss details of the report with The Times, she has told private security experts who were consulted in preparing the review that the review aims to address “strategic vulnerabilities” in cyberspace.

Currently, Title II of the Homeland Security Act, the 2003 White House National Strategy to Secure Cyberspace, and Homeland Security Presidential Directive 7 published later that year make the Department of Homeland Security “the focal point for the federal government to manage cybersecurity.”

More recently, the question of how to organize U.S. government computer defenses has surfaced with reports of cyberraids by hackers in places such as China and Russia.

The issue raises many novel legal and policy issues. For example, when attackers strike anonymously across the Internet - and the line between vandalism, crime, espionage and war can be unclear - how can policymakers best respond?

“America’s cyberspace is constantly under attack,” Sen. Joe Lieberman, Connecticut independent and chairman of the Homeland Security and Governmental Affairs Committee, said at a recent hearing.

“The best that I can determine, our defenses to those attacks are inadequate,” said Mr. Lieberman, whose committee is considering its own cybersecurity legislation.

Ms. Hathaway echoed those sentiments in remarks last week to the Intelligence and National Security Alliance, a trade group representing government contractors in the national security field.

“The federal government is not organized appropriately to address this growing problem,” she said.

Sen. John D. Rockefeller IV, West Virginia Democrat and chairman of the Commerce, Science and Transportation Committee, and other members in both houses of Congress are also pushing their own bills. As a result, the legislative process looks to be complicated by the pull of turf and oversight responsibilities at both ends of Pennsylvania Avenue.

The Wall Street Journal reported recently that turf conflicts over the issue were emerging as the White House pondered the review’s recommendations, with economic and technology policy officials weighing in.

A big concern is that new regulations designed to make the Internet or government networks more secure might also stifle innovation or economic growth.

Several bills now circulating in Congress would establish a White House cybersecurity czar, but not all lawmakers agree with the idea.

“This new administration has shown a tendency to appoint special assistants and czars within the White House for virtually every important issue that we’re confronting,” Sen. Susan Collins, Maine Republican and ranking minority member of the Homeland Security and Governmental Affairs Committee, said at the hearing.

The creation of such posts “usually leads to conflicts, turf battles and confusing lines of authority,” she said.

Congress’ ability to effectively oversee activities directed from inside the White House is “severely limited” because its officials do not testify in Congress and “budget requests are presented with very limited detail,” Mrs. Collins said.

Ms. Hathaway herself, noting media speculation that she might be appointed to such a post, noted dryly: “There’s no glamour in being a czarina. The nobles hate them and the peasants kill them.”

“The devil is in the detail,” said one private-sector security specialist who was consulted by Ms. Hathaway’s team in preparing the report.

The real question is where the officeholder will be in the organization chart, said the specialist, who asked for anonymity to avoid upstaging the report’s release.

Ms. Hathaway last year launched and led the Bush administration’s cybersecurity effort, the Comprehensive National Cybersecurity Initiative, or CNCI.

She said the review completed for Mr. Obama would be transparent and that its recommendations - and the policy recommendations it received from others - would be posted on the Web.

Previous policy efforts like the CNCI “have failed, in no small part because they were perceived to be in conflict with the broader societal goals of progress and innovation, civil liberties and privacy rights,” she said.

Beyond the structure of the White House, the review is likely to contain a to-do list of issues that need to be addressed, or an “action plan,” as Ms. Hathaway calls it.

LOAD COMMENTS ()

 

Click to Read More

Click to Hide