William Jackson | Ultimately, the cybersecurity buck stops with Obama
- By William Jackson
- Jun 15, 2009
Public and industry reaction to President Barack Obama's decision to create a cybersecurity coordinator has generally been positive. It has been hailed as game-changing, a breakthrough, historic — or at least a step in the right direction.
Will it improve the nation’s cybersecurity posture? Obviously, it is too early to say. The newly created office still is vacant, and the job description has not been fleshed out. Many observers, even the optimists, are taking a wait-and-see attitude.
“The president made a lot of the right noises,” said Jeff Moss, director of the Black Hat Briefings, who has made a career poking at the insecure underbelly of information technology. “A lot will depend on the follow through.”
Two of the most frequently voiced concerns are that the coordinator apparently will neither control any purse strings nor report directly to the president. Without budget authority, the office will not wield real authority, the argument goes, and an office buried too deeply in the national security hierarchy will not be effective. The president addressed both of those concerns when he outlined his vision for the new position.
The Office of Management and Budget already has taken a lead in cybersecurity by virtue of its budget authority, and it does not make sense to carve out portions of agency budgets and put them under the control of a new office. Responsibility for cybersecurity already is fragmented, and stand-alone security ultimately does not work.
One of the ways to improve security is to do a better job of integrating it into each agency’s overall mission, which has been one of the strengths of OMB’s approach. The new coordinator will likely aim to build on OMB’s efforts. Obama said in announcing the position that the coordinator will work closely with OMB to ensure that agency budgets reflect the administration’s security priorities.
The new coordinator will be a part of the National Security Council and National Economic Council. He or she will not be reporting directly to the president, but the position still is high up in the White House pecking order, and the president has promised access.
“Because of the critical importance of this work, I will personally select this official,” he said. “I’ll depend on this official in all matters relating to cybersecurity, and this official will have my full support and regular access to me.”
The success of the cybersecurity coordinator ultimately will depend on how well the president keeps this pledge. Success will depend not on the coordinator’s authority but on the clout that comes from having the president understand the issues and incorporate advice in executive policy. Cybersecurity will improve to the extent that the president takes a direct interest in it, regardless of the title of his adviser.
Will the new coordinator get all the presidential face time that he or she would like? Given the demands on the president’s time, probably not. I doubt that anyone in the White House, including the first lady, gets all the attention he or she would like. But the president has been consistent in showing an interest in this issue and treating it seriously. He has a first-hand appreciation of the power of IT and appears to appreciate the importance of securing it.