Obama raises stakes for cybersecurity

America's economic prosperity in the 21st century will depend on effective cybersecurity, President Obama said Friday as he announced a new comprehensive approach to the issue and promised to appoint a White House cybersecurity czar.

During a 16-minute speech to announce the release of a 60-day review of cybersecurity by Melissa Hathaway, acting senior director for cyberspace at the National Security Council, Obama emphasized the importance of safeguarding the nation's digital infrastructure, which he called "the backbone that underpins a prosperous economy and a strong military, and an open and efficient government."

"Cyberspace is real. And so are the risks that come with it," Obama said. He revealed that between August and October 2008 hackers penetrated his campaign's computer systems and gained access to e-mails and files, including travel plans and policy position papers. "I know how it feels to have privacy violated because it has happened to me and the people around me," the president said.

Obama plans to personally select a new national cybersecurity coordinator to head the office at the White House. He promised to treat networks and computers as a strategic national asset and said protecting them will be a national security priority.

"Our technological advantage is a key to America's military dominance. But our defense and military networks are under constant attack," Obama said, noting that al Qaeda and other terrorist groups have threatened to unleash cyberattacks on the United States. "Indeed, in today's world, acts of terror could come not only from a few extremists in suicide vests but from a few key strokes on the computer -- a weapon of mass disruption."

Computer security experts hailed the speech.

"I'm delighted to see the emphasis on cybersecurity," said Ed Amoroso, chief security officer for AT&T. "[The report] establishes some credibility, not just for Hathaway but for this branch of government demonstrating that 'we get it.' "

Alan Paller, director of the SANS Institute, which provides computer security research and training, said elevating control of cybersecurity from the Homeland Security Department to the White House will make it easier to secure industry cooperation. Paller also praised Obama for saying the cybersecurity coordinator would work closely with recently appointed federal chief information officer Vivek Kundra and chief technology officer Aneesh Chopra. That puts the power of the Office of Management and Budget behind the coordinator -- which, Paller said, should provide "real value."

Those expecting Obama to name his cybersecurity czar on Friday were disappointed. Speculation has centered on Hathaway as the likely choice. The president also did not offer details on how the new cybersecurity office would be structured, though he said it will include an official "specifically dedicated to safeguarding the privacy and civil liberties of the American people."

Obama pledged that his administration would not monitor private networks or Internet traffic in pursuit of cybersecurity. "We will preserve and protect the personal privacy and civil liberties that we cherish as Americans," he said.

Some industry watchers expressed disappointment with the level of detail in the report, noting that it does not contain specifics on how the government plans to secure networks.

"It's frustrating to some extent for everybody trying to look forward to the future to not have more detail," said Mark Cohn, vice president of integrated security programs at Unisys Federal Systems. Cohn said the administration likely doesn't want to call attention to the military side of the equation, which would involve the capability to launch offensive cyberattacks. "Self-defense to some extent requires you to have offensive capability," he said.

Paller said critics of the report might have been expecting too much. He said the most important step the administration promised is a plan to use procurement dollars to provide incentives for software vendors and systems integrators to build security into their products upfront. He said agency chief information officers will be responsible for ensuring new systems and software are secure, but the policy change will significantly improve cybersecurity.

"I'm excited," Paller said. "This is one of the great days."