Jim Lewis

GCN AWARDS | Industry Executive of the Year

Behind the scenes, James Lewis helped bring cybersecurity to the fore

Project director's work kept the high-profile Commission on Cybersecurity focused

When President Barack Obama announced May 29 that he would appoint a White House coordinator for cybersecurity, he commended the work of the Commission on Cybersecurity for the 44th Presidency.

See all of the 2009 Executives of the Year

Visit the 2009 GCN Awards home page

The commission, a group of more than 50 leaders and information technology experts in government, industry and academia, had asked the president to make a strong statement about the importance of cyberspace to the nation’s defense. In his announcement, Obama not only thanked them, but echoed their words.

The moment might never have come without the skilled, patient leadership of the commission’s project director, James A. Lewis.

As senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS) in Washington, Lewis championed the commission’s establishment in August 2007. As its facilitator, the former State Department negotiator politely rode herd on strong-willed high achievers whose particular interests almost fractured the group before it could issue its report in December 2008.

“He has been a key voice, raising awareness about our nation’s cyber vulnerabilities as well as the best practices we should employ to secure our networks,” said Rep. James Langevin (D-R.I.), who co-chairs the commission with Rep. Michael McCaul (R-Texas).

“From the beginning, he created a work environment for people with varied views and backgrounds to thrive and collaborate,” Langevin said. “He was able to keep this diverse team of experts focused and moving forward, while at the same time soliciting the very best ideas and feedback.”

IT on hold

Although Lewis was fascinated with computers as a child and took courses in graduate school, he spent most of his years in the federal government as a military analyst. “I didn’t think that I would get to use it again,” he said of his computer training. “I had been intrigued by information technology for a long time and didn’t expect it to be a big part of my work when I grew up. Everyone makes mistakes.”

He joined the State Department in the Foreign Service in 1984, eventually rising to become deputy director of the Office of Defense Trade Policy. During the administration of President George H.W. Bush, Lewis worked in the Bureau of Politico-Military Affairs under Assistant Secretary Richard Clarke, a counterterrorism expert perhaps best known for criticizing pre-9/11 intelligence.

Lewis wryly described the abruptness of his debut in IT policy, thanks to a push from Clarke. “One day, I was walking down the hall and he says to me, ‘You know something about computer programming, don’t you?’ I said, yeah, and he said, ‘Good. You have to go up to [the National Security Agency] and talk to them.’ ”

Lewis later directed the Commerce Department’s Office of Strategic Trade and Foreign Policy, where he worked with the FBI and NSA to develop a consensus on encryption standards. Nine years ago, he arrived at CSIS.

Off the ground

The impetus for the commission was a series of serious cyberattacks in 2007 that Lewis called an espionage “disaster.” He began talking to other experts, including CSIS President John Hamre and Paul Kurtz, who had also worked in the Clinton administration. He was advised to approach Langevin’s office about setting up a commission.

When he showed how CSIS could manage one at a fraction of the estimated cost, and independent of political bias, the commission was off and running by August. Its goal was to produce concrete recommendations on cybersecurity that a new administration could act on quickly.

People jumped at the chance to join. “Usually, you have to beg people to be on these things," Lewis said.

He praised the caliber of the members, among them the other two co-chairmen, Microsoft’s Scott Charney (another former government official), and retired Air Force Lt. Gen. Harry Raduege. Lewis said Raduege and Marine Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, were extremely helpful in setting up key briefings with the Defense Department. He also shared much of the credit with his congressional co-chairs. “They saved our bacon a couple of times,” he said. “We would get stuck on the commission, and they would say, ‘This is how it has to be.’ It was very helpful.”

Lewis attributed the commission’s success to its members’ realistic expectations and willingness to forgo turf battles for the greater good, something that had not happened with an earlier commission he had been involved with. “We thought, we don’t have a dog in this fight,” he said. “Let’s just write what we think is best for the country.”

Commission member Kurtz, formerly of the White House National Security Council (NSC) and now a partner with Clarke at Good Harbor Consulting -- and whose position on Obama’s transition team helped raise the commission’s profile -- lauded Lewis’ ability to attract diverse and talented people to the table and get them to cooperate, all while juggling their schedules.

Kurtz said the two became acquainted at State in the early 1990s, where he worked in nonproliferation and Lewis was handling technology and security. “Jim is really to be commended for everything he has done to try and get people on the same page for cybersecurity,” Kurtz said.

The commission might have faltered without Lewis’s personal manner and impressive communication skills, according to Kurtz. “He’s modest about himself,” he said. “He’s able to poke fun at himself and was able to poke fun at others in a way that is not too personal. It keeps everybody at the table.” Lewis also had a way of letting members vent strong opinions, then suggest ways to say them more palatably, Kurtz said.

“Everyone comes to the table with a little bit of baggage,” such as a pet project or corporate bias, he said. Lewis was adept at keeping corporate party lines out of the commission’s work, then writing a report Kurtz called “crisp, clear, and easy to read. There’s not many people at all that can produce along those lines.”

Many others in similar positions might have been tempted by the limelight and too quick to run to the press. “He’s done it through hard work and keeping in touch with people,” Kurtz said.

When asked to explain his influence on cybersecurity policy, Lewis mentioned the reputation CSIS has for thorough, nonpartisan research. Having good connections and repeating a consistent message also helps. “It’s like being the lookout on the Titanic,” he said. “You don’t want to just make one phone call.”

Keeping watch

The cybersecurity commission is an exception in a town quick to form committees that often fail to find consensus, or spit out reports that sit unread on shelves, Lewis said. About 45,000 copies of its report, released in December 2008, have been purchased or downloaded. “It’s just amazing for a think tank,” he said. Numerous government agencies, some overseas, have taken it to heart. “It’s kind of a blueprint they’re measuring themselves by.”

Lewis said the administration is implementing several of the report’s recommendations, including setting up a cybersecurity office in the NSC and absorbing related functions of the Homeland Security Council and boosting research funding.

The commission, which remains intact, is preparing a follow-up report that Lewis said is aimed at focusing the administration on the hardest issues in the first report, including developing a national strategy for authentication of identity, which might require threading the needle on initiatives that raise civil liberties concerns, such as reinvigorating the controversial Real ID plan.

Besides his youthful fascination with computers, Lewis cited his passion for good government as a prime motivator in his work. “I don’t like seeing the U.S. come out in second or third place,” he said. “That’s where we are in cyberspace, and that drives me nuts.”

About the Author

David Essex is a freelance technology writer based in Peterborough, N.H.


  • Records management: Look beyond the NARA mandates

    Records management is about to get harder

    New collaboration technologies ramped up in the wake of the pandemic have introduced some new challenges.

  • puzzled employee (fizkes/Shutterstock.com)

    Phish Scale: Weighing the threat from email scammers

    The National Institute of Standards and Technology’s Phish Scale quantifies characteristics of phishing emails that are likely to trick users.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.