After Slow Start, the Cybersecurity Coordinator Appears to be Gaining Momentum

It was very encouraging to hear the updates from Howard Schmidt, the White House Cybersecurity Coordinator, as reported from the meeting held at the White House on July 14.  The meeting was obviously designed to show progress on the cybersecurity issue and demonstrate that the White House still intended to take a leadership role.  Homeland Security Secretary Janet Napolitano and Commerce Secretary Gary Locke attended the meeting, as did IT security leaders from the DoD, NSA, FBI, and several other agencies.  Most importantly, the President himself made an appearance to provide his support, which was a key visual for Mr. Schmidt as he continues to get his hands around the role.

This blog has been consistently critical of the large gap between the announcement of the role of Cybersecurity Coordinator and the appointment of Mr. Schmidt.  However, there are very promising signs that progress is being made and that Mr. Schmidt is a good fit for the role.  I have been to numerous events where Mr. Schmidt has spoken, and he is obviously eager to take the cybersecurity message to the public and be accessible.

I had the unique opportunity to speak briefly with Enrique Salem, the CEO of Symantec, at a reception following Symantec’s Government Symposium last month, and Mr. Salem is an enthusiastic supporter of Mr. Schmidt.  This is consistent with the overwhelmingly positive feedback from everyone I have encountered in the industry who knows Mr. Schmidt or has firsthand experience working with him.  He seems to be the right person for a delicate and challenging job.

When I worked at webMethods, CEO Phillip Merrick often used the metaphor of the railroad junction approach employed by the Union army in the Civil War.  It was an important tactic of the Union to divide and attack the Confederacy by controlling important railroad junctions.  Merrick was speaking of controlling important junction points in electronic commerce, but I was reminded of the metaphor when thinking about how critical cyber security is to the defense of our country.

The railroad junction approach is one tactic within a broader strategy of warfare: targeting all of the things that enable an enemy to wage war, thereby weakening that enemy and forcing a more rapid conclusion to hostilities.  The United States has based much of its ability to wage war on its ability to effectively network information.  That makes these networks a logical attack point for our adversaries, and we must do all that we can to prepare for that scenario and protect against such incursions.  This is not limited to the systems supporting the DoD – our financial systems, infrastructure, and transportation are also at risk.

Progress relies on someone who can lead policy and also act as an effective facilitator between the government and industry.  By all indications, Mr. Schmidt is that person, and by appearing at last week’s meeting the President continues to demonstrate that cybersecurity is a priority for the country and that Mr. Schmidt has his support.

As the saying goes, it is not about how you start but how you finish.  We may not have agreed with the slow start regarding the appointment of the Cybersecurity Coordinator, but we like the early indications of the direction of the role under Mr. Schmidt.  And we are hopeful for continued progress.

A Condensed Guide to the Security Fails of 2009

For the past several weeks I have been posting a series I called the Security Fails of 2009.  It was designed to be a look at stories that illustrated the challenges faced in IT security as well as some of the broader issues shaping the industry.

For your convenience, here is a recap with links:

12/10 – The Marine One Breach – illustrates the threats created by unauthorized applications.

12/14 – The Strange Case of the Missing Cyber Czar – a look at the seven months that had passed since the announcement of the position in May.  Obviously the position has been subsequently filled.  Coincidence?

12/16 – Conficker Becomes a Media Darling.

12/18 – Adobe Takes the Exploit Crown from Microsoft.

12/21 – The Heartland Payment Systems Breach – Lessons learned from the largest breach of customer data to date.

Cyber Czar Announcement Slipped Under the Door – What Does That Say?

Today it was announced that Howard Schmidt was appointed to the White House Cybersecurity Coordinator position, otherwise known as the cyber czar.  Much has been written in our blog about this position since it was announced, and the timing and approach of this announcement have done nothing to eliminate the concerns previously expressed.  I have much reading to do before I comment directly on Mr. Schmidt, but I do have very strong impressions from the way it has been handled.

The position was originally announced at a press conference in late May on the Friday before Memorial Day.  Not exactly a day and time that you would select for something of importance or to maximize the impact.  Months passed as candidates turned down the position and likely candidates such as Melissa Hathaway left the government for the private sector.

And now we get an announcement stating the position has been filled on the Tuesday of Christmas week, in a city where most of the government is closed because of a record setting snowstorm.  The announcement gets a mention on the White House blog with a picture of the President shaking hands with his new Cybersecurity Coordinator in what appears to be a hallway.  No press conference, no fanfare, no President standing at the side of the new Czar as a show of support to the position and a commitment to the idea of cyber security. 

I went to the White House press page at 11:00 am EST and there is no formal announcement.  There is news about the Enactment of the Airline Flight Crew Technical Corrections Act, something about agencies cutting spending by $19B, and some nominations that were sent to the Senate, but nothing about this position. 

I am sure there will be Obama acolytes who will line up to applaud the announcement, but I find myself angry today as I weigh what I see from the White House.  I have the somewhat unique perspective of being a marketing person in cyber security.  That means that cyber security is important to me and I have a taste of the threat against our country.  As a marketing person, I see the not so subtle signals being sent by the White House regarding this subject.  Put this in the context of the amount of energy thrown at other items such as the Chicago Olympic bid, and it is reasonable to draw the conclusion that the White House is not committed to cyber security and this role.

I would be a lot angrier if I had not spent the last year working with people at NIST, the NSA, the intelligence community and the DoD who are proactively and energetically looking for new and innovative ways to protect our government from malicious attacks.  Best of all, these groups are working together to share data and knowledge in a way that would make taxpayers happy and proud.  So I’ve seen real, actionable progress taking place long before Mr. Schmidt assumed this role.   

To be clear, I never viewed the cyber czar as some sort of mythical figure who could solve our cyber security problems with a wave of the hand, but I was hopeful that the role would serve as a way to focus attention on the problem and help create a sense of urgency toward progress.  And if that person was seen as having the “full faith and credit” of the President, it would give that person some authority to be something other than a figurehead.  But that is exactly how I view this position today – a campaign promise fulfilled in the least effective way possible and with minimal authority, buried in slow press days.

This week we got news that our military drones had been hacked with $26 software, that a plea was entered in the Heartland breach by the same person who pulled off the TJX breach (who used a simplistic and well known SQL injection technique to penetrate Heartland), and that Twitter was taken down completely by a DNS attack.  And we get a tepid announcement the Tuesday before Christmas on a position that took seven months to fill.  I’d hate to see what type of catastrophic, IT security based incident it would take to make the White House treat the problem with the seriousness it deserves.

Security Fails of 2009 – The Strange Case of the Missing Cyber Czar

Today is the second in the series on the Security Fails of 2009.  As 2009 draws to a close, I think no one would dispute that this has been an extremely eventful year for IT security.  While others will soon be trotting out their “best of 2009” lists, I thought I would instead visit some of the prominent fails of 2009.

2009 began with the inauguration of a new President who had made the need for improved cyber security a prominent part of his campaign agenda.  Once in office, President Obama asked Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils (fit that on a business card) Melissa Hathaway to assess the state of cyber security and recommend a way forward.  It was widely believed that the recommendations would include the creation of a National Cyber Advisor or “Cyber Czar” position that would oversee and coordinate cyber security efforts in the federal government and influence private enterprise.

In late May, on the Friday before the Memorial Day weekend, a press conference was held to announce the release of the final version of the study, the White House Cyberspace Policy Review.  As predicted, the study recommended the creation of the cyber czar position, which was reiterated at the podium at the press conference.  The White House had numerous industry luminaries aligned to sing the praises of the announcement, but many, like our CEO, John Prisco, were underwhelmed.

And then…silence.

Nearly seven months later there has been no further word on a candidate for the position.  I pointed out at the time that the timing of the announcement was odd – a Friday before a holiday – which smacked of an administration looking to slip a story by with as little notice and coverage as possible.  Since then there have been rumors of candidates, but these rumors quickly fade back into…silence.

Theories abound as to the lack of progress.  Is the position so poorly defined that it is doomed to failure and potential candidates are too savvy to take on such a role?  Is it because a candidate would have to have a working knowledge of security and the security industry and be adroit at navigating the federal landscape, making the population of qualified candidates too small?  Or was the administration simply looking to check off a box from the campaign agenda by addressing the problem superficially and hoping the attention would wane so no further action was needed?

What is clear is that the excitement about the position and its ability to affect cyber security policy and progress has passed, as has valuable time.  Without a visible front person to keep the ideas presented in the Policy Review document in the public view, the hard work behind the document has been essentially wasted.  It seems that pressing matters like getting the Olympics for Chicago have taken precedence.

Given the timing of the announcement and the lack of subsequent activity, the administration has sent a clear signal that this topic is not viewed as critical.  I don’t believe that a new Cyber Czar will have a dramatic influence on cyber policy – it is the lack of attention given to it by the administration that causes me concern.  And that is why I am including the cyber czar misadventure as a security fail for 2009.

Luckily there are others working to fill the void.  I had the opportunity to speak at the NIST Security Automation Conference in October and was encouraged by the progress I see being made by NIST, the NSA, and others.  As a resident of the Washington D.C. area you learn quickly that there are those who do and those who step into spotlights, and they are rarely the same person.  Given the progress of others and the time that has passed since the announcement, I wonder if this ship has sailed and anyone named to the position now would simply be too neutered to be successful.  I also wonder if such a person would now hold back those who are making progress behind the scenes.

And finally, I wonder if all of this was orchestrated by the same PR genius at the White House that talked the President into posing with Tiger Woods on the cover of Golf Digest.  It would explain a lot.

Four Months Later and the Best the White House Gives Us is “Practice Safe Computing”

I happened to glance at the morning news to see President Obama fervently pitching the Chicago bid for the 2016 Olympics in Copenhagen with the First Lady.  Clearly the President’s priority has shifted from cyber security to more important matters.  In fairness, the President did seem to find time between appearances on David Letterman and other important media exposures to declare October National Cybersecurity Awareness Month.

Four months have now passed since the original announcement of the cyber czar position in late May, and we have an awareness month with no cyber security leader to preside over the proceedings.  But we have a proclamation from the White House urging all of us to “practice safe computing”.  Is it just me, or does this sound like “just say no to malware”?  Now we have the cyber criminals on the run!

We need to share information and we need to focus on the greater good, so that we can stop the next cyber attack.  The longer this post remains vacant, the longer the government’s security efforts continue to lack a unified approach.  A September 27 article in the MIT Technology Review indicates that there are now 18 separate bills introduced in Congress to “give federal authorities the power to protect the country in the event of a massive cyberattack.”  There are 18 bills because others are moving to fill the void that exists because, four months after the position was announced, there still is no leadership.

Our President acknowledged months ago that we need to make a change, but to date the biggest change continues to get delayed.  Maybe it is because no one wants it, because the role has not been positioned to succeed.  Regardless of the reason, we need a cyber security leader now, and we need the president to make this a priority again.

In the official proclamation, President Obama calls “upon the people of the United States to recognize the importance of cybersecurity”.  Good advice indeed, Mr. President.  Perhaps you would like to lead by example and fill the position you promised four months ago.

Does the Hathaway Resignation Signal Movement Toward a Cyber Czar?

Yesterday I posted about the two-month anniversary of the May 29 announcement by the White House regarding the creation of the Cyber Czar position and the subsequent lack of progress in finding someone to fill that position.  The proverbial plot thickened that afternoon when it was announced that Melissa Hathaway, acting cyberspace director for the White House National Security and Homeland Security councils, had resigned from her post.

I do not know Ms. Hathaway, nor do I claim to be close to the process of selecting the Cyber Czar, so at best what I can do is engage in a well-worn tradition here in the Washington D.C. area and speculate.  Numerous reports have said that Ms. Hathaway was interested in the role, as she was the lead in creating the Cyberspace Policy Review that defined this new position.  In my view, logic and reason would indicate that if she were going to be the Cyber Czar they would have appointed her at the announcement in May rather than leave us with the uncomfortable and undefined gap we are living with today.  So while reports say she withdrew her name two weeks ago, I suspect that the realization that she was not the administration’s choice came much earlier.  Regardless, the work done on the review was broad and extensive, and she should be recognized for helping to move the dialogue about IT security forward.  I wish her the best in her new endeavors.

I am hopeful that Ms. Hathaway’s departure is an indication that the administration is close to having a name for the position and that her exit was designed to make the transition more seamless.  I do not question her stated motives, but having her voluntarily leave prior to the announcement of the cyber czar makes for a much cleaner transition for the President and eliminates the need to orchestrate what could have been an awkward departure.  If the administration is not close to having a candidate, then her resignation will likely force the administration to accelerate the process, as her departure eliminates the safety net that existed with her in the role, albeit as a lame duck.  Or we are faced with the third scenario: that the administration is really not that committed to cyber security and that all of this has been fanfare and flag waving with no real sense of urgency.  I sincerely hope that this is not the case, but the administration can only blame itself for creating lingering doubts with the two months of post-May 29 silence.

The next several days should be telling.  If the administration indeed has its person for the job, then I suspect they will give the Hathaway resignation a couple of days to recede from the public consciousness and then make the announcement.  Or we will go back to the awkward silence that, in my opinion, speaks volumes.  Let us hope this marks the way forward.

It is August, and the White House has Thrown Out More First Pitches Than Cyber Czar Nominees

Here we are at the last Friday of the month, marking the two-month anniversary of the announcement by the White House of the creation of a Cyber Czar to help centralize the cyber security activities of the federal government and build bridges to the private sector.  And in those two months the President has thrown out more first pitches at baseball games than names for the position.

As a CEO, I am expected to be right more times than I am wrong, but this is one case where I had hoped not to be right.  When you balance the lack of forward movement with stories such as the one by Brian Krebs of the Washington Post on how much sensitive data has been leaked because of peer-to-peer applications, the outlook is not good.  We were already in a game of catch up, and valuable time has been lost while the gap grows larger.

In this case, actions do speak louder than words, and every day that passes with no announcement makes the proclamations of May 29 seem increasingly empty.  After two months it is fair to ask the administration about the next steps and when we will see them.  If no one is interested in the post, then the administration must see that as a clear indicator that the post has not been properly defined and empowered, and make the changes necessary to move forward.  The alternative is to find a gamer who will take the job as currently defined, only to face what will certainly be a difficult climb to success.

I applaud your stated objective to make cyber security a priority, Mr. President.  But after two months, we need to hear something instead of silence so we know that the initiative is moving forward.