Former officials: White House cyber coordinator should have budget authority

The current decentralized budget process hinders the administration's ability to develop and implement a governmentwide cyber strategy.

A White House cyber chief should have budget authority for initiatives to protect computer networks and systems across all agencies to ensure the allocation of necessary resources, said former federal officials on Thursday.

Currently, Congress appropriates cybersecurity funds to agencies and departments, which then have varying degrees of flexibility in deciding how exactly the dollars are spent within a given program. This decentralized strategy hinders the administration's ability to develop and implement a governmentwide cybersecurity strategy, said a panel of former federal officials at the AFCEA Solutions cybersecurity conference in Leesburg, Va.

"Who controls the money? Until you have someone with the authority to move the money, you're never going to have anything but parochial [agency] intranets," said Nancy Brown, former director of command, control, communications and computer systems for the Joint Chiefs of Staff. "You're not going to be able to defend across government, and you're certainly not going to be able to attack.... We spend millions of dollars on black boxes, and those are not going to save us."

During development of the cyber review that Obama announced in May, budget dollars allocated for cybersecurity initiatives were tightly reviewed and monitored to help determine how roles and responsibilities should be managed, said Melissa Hathaway, president of Hathaway Global Strategies and former senior director for cyberspace for the National Security and the Homeland Security councils.

"Now that the money has been reallocated out to the agencies" with approval of the fiscal 2010 budget, "holding them accountable for what we planned for is more difficult," she said. "There needs to be a way to see when [agencies] don't use the money as it was intended, and there should be accountability."

The White House, specifically the yet-to-be-appointed cyber coordinator, should perform that kind of budget oversight, said both Brown and Hathaway. While the administration has confirmed that the coordinator will oversee implementation of cybersecurity initiatives by individual agencies, it has not provided any details regarding budget authority.

"You can't let every agency in the U.S. government do their own thing," said Bob Lentz, president and chief executive officer of Cybersecurity Strategies and former Defense deputy assistant secretary for information and identity assurance. "You need someone with the ability to reprogram to deal with contingencies all the time. Leadership has to get control of the budget process so it's not so bureaucratic."

Beyond having what he referred to as "a very strong, ruthless dictator at the White House level," Lentz suggested a national-level committee with both public and private sector leadership that would make strategic and sometimes tactical decisions about cybersecurity initiatives and, eventually, a separate department to manage information and communications across the federal government. He also emphasized the need for a multiyear plan from President Obama that would outline specific milestones with costs and deadlines -- similar to strategies developed for the wars in Iraq and Afghanistan.

"We're about a year late, and every day we're going to find ourselves closer to a more serious situation," Lentz said. "On top of that, we're having all of our intellectual property stolen from us, which is eating us alive."