President’s cybersecurity review covers a lot of ground, but doesn't plow deeply
- By William Jackson
- Apr 13, 2009
The 60-day review of the country’s cybersecurity posture that President Barack Obama ordered in February is expected to be wrapped up this week. So far, the effort has received good reviews, but do not expect it to result in a detailed road map for securing our information infrastructure.
The results will yield a high-level strategic plan that just scratches the surface of the challenges we face, administration officials said in a background briefing on the project. But a critical question about cybersecurity policy that has frustrated officials in government and the private sector for years has been answered. That question was: Who’s in charge? The answer is: the White House.
It will be up to agencies to execute the plans, but the White House will be the anchor for policy going forward, the officials said.
Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security councils, is leading the review. Under the Bush administration, she was chairwoman of the National Cyber Study Group that was instrumental in developing President Bush’s Comprehensive National Cybersecurity Initiative. The goal of the current review was to start with a clean slate rather than pick up where the previous administration left off.
The effort has covered a lot of ground. It began with an inventory of policy directives, executive orders, strategies and earlier studies, and identified more than 250 cybersecurity policy requirements among them. Reviewers have met with 40 stakeholders in the private sector, representatives of more than 50 universities that have cybersecurity research programs, 10 congressional committees, state and local homeland security officials, chief information officers, and some foreign officials. They have also talked with civil liberties and privacy advocates, including the American Civil Liberties Union, the American Library Association and the Center for Democracy and Technology. They have even looked at the historical development of laws and policies for earlier technologies such as the telephone and telegraph.
The review has identified four key areas of concern:
Governance — how to organize for policy coordination.
Architecture — the performance, cost and security characteristics of the infrastructure.
Behavior — such as laws and treaties.
Capacity building — using research, education and strategy development.
One thing the review is not doing: It is not working with Congress on the development of cybersecurity legislation. A recent bill introduced in the Senate, based in part on the recommendations of a study commissioned by the Center for Strategic and International Studies, would create an executive branch office to oversee cybersecurity and mandate development of infrastructure protection plans.
Although the executive and legislative branches have the same security objectives, the review is working for the president, officials said. Congress will do its job independently.
Whatever the review’s conclusions, it will not offer a finished product or a comprehensive strategy. Instead, it will be a springboard for cybersecurity activities for years to come. But with the issue identified as one of critical importance in the Obama administration, it also might be a foundation for a coherent, integrated policy that embraces the security requirements of the public and private sectors.
William Jackson is freelance writer and the author of the CyberEye blog.