Plan for cybersecurity review draws praise

Interagency assessment is aimed at improving collaboration and determining if resources are adequate.

The review of federal cybersecurity activities ordered by President Obama represents an important step toward better protecting federal computer networks, according to lawmakers and observers outside government.

"I am encouraged that the president is coordinating activities among military intelligence and civilian agencies," said Sen. Thomas Carper, D-Del., chairman of the Senate Homeland Security and Governmental Affairs Federal Financial Management Subcommittee. The subcommittee will scrutinize cybersecurity efforts to ensure that taxpayer dollars are spent wisely, he said.

The White House on Monday confirmed a report that Melissa Hathaway, who has served as cyber coordination executive at the Office of the Director of National Intelligence, will lead a 60-day interagency assessment of cybersecurity plans, programs and activities. Hathaway will be acting senior director for cyberspace for the National Security and Homeland Security councils during the review period, Obama announced. He did not address reports that she could be offered the highly anticipated position of cyber czar after the analysis is completed.

"It's a good start, and Hathaway is the right person to lead this," said Jim Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. "A new strategic framework is exactly what we need. But the review needs to lead to real action and a new approach if we want to get anywhere in improving cybersecurity."

The review team will develop a strategic framework to ensure that "cybersecurity initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector," the White House stated.

"It is important that Congress has the opportunity to weigh in with [Hathaway's] office as this review proceeds," said Rep. Jim Langevin, D-R.I., who is a member of the House Armed Services Committee and the Permanent Select Committee on Intelligence. "I am hopeful that the Obama administration will not follow the actions of the previous administration, but will instead give this critical national security issue the level of attention it deserves in order to fully protect our nation from emerging cyber threats."

In particular, the review must identify ways to better protect the energy, transportation and chemical sectors, Langevin said. Better safeguards are needed for sensitive information on Defense Department networks as well, he said.

Langevin pointed to December 2008 recommendations by the CSIS Commission on Cybersecurity for the 44th Presidency, which emphasized that a high-level official must oversee cybersecurity efforts.

"The nation needs a national cyber coordinator that reports directly to the president and who has the appropriate budget and policy authorities to oversee a federal cybersecurity mission," he said.

Greg Garcia, former assistant secretary of cybersecurity and telecommunications at the Homeland Security Department, agreed such a cyber czar would be valuable, but disputed claims that the Bush administration was any less engaged in cyber efforts than the Obama team promises to be.

"The fact is, in the last year of the Bush administration, [the cyber security program] was [coordinated out of] the White House," he said. "People overlook that."

More than a dozen government organizations were engaged in the Bush effort, said Garcia, who now runs a consulting company, Garcia Strategies.

"The president had the advice and good council of many, and at the staff level, it was coordinated pretty damn well," he added. "Was it perfect? No. Can it be improved? Yes. And it will be."

The Obama administration's cyber czar will be effective if his or her primary responsibility is coordinating agency efforts, according to Garcia.

"Cybersecurity is too complex to be handled unilaterally out of the White House," he said. "The cyber czar needs to keep the discipline -- make clear who owns what and who's accountable, so that agencies recognize that they have enough to do without trying to fill some [role] outside of their lane. Otherwise it becomes a rice bowl effect. If the administration can do that, they'll make progress."