Obama's Cyber Czar Offers Few Details on Govt. Strategy

Those who were hoping to hear details today about how the Obama administration plans to revamp the government's approach to cyber security threats may have to wait a little while longer.

In a much-anticipated speech at the RSA security conference in San Francisco today, Melissa Hathaway, the White House's top cyber official, instead highlighted all of the meetings, studies, and recommendations that have informed the administration's 60-day cyberspace policy review, which was completed last week. But details about how the administration might seek to organize and streamline the government's cyber efforts were lacking.

Much of the coverage of the administration's cyber review has focused on the power struggle over cyber security underway between the Department of Homeland Security and the National Security Agency. The Obama administration is also finalizing plans for a new Pentagon command to coordinate the security of military computer networks and to develop new offensive cyber weapons. Meanwhile, civil liberties advocates are concerned that the government's effort to define cyber security in broad economic and national security terms could sweep virtually every aspect of American life into the mix.

Hathaway seemed to acknowledge this tension in her speech:

Previous attempts to deal with cyber security in isolation have failed, in no small part, because they were perceived to be in conflict with the broader societal goals of progress and innovation, civil liberties and privacy rights. However, cyber security only succeeds in the context of broader economic progress. At times, it was a destination in itself, rather than a compass that guides us toward our objective. If treated in a broader context, cyber security will enable higher and far reaching national goals, have better acceptance, and as a result, a greater chance for success. Our goals depend on trust, and trust cannot be achieved if people believe that they are vulnerable to fraud and theft or if they cannot depend upon the resources (infrastructure services, i.e., water, power, telephone service) being available when needed most. At the same time, security has no meaning if the application that serves society no longer is practical or usable. Stated differently, progress and security must not be viewed in a zero-sum fashion.

Hathaway did say more about the economic aspects of cyber (in)security than I've heard recently from a top government official, which is encouraging. The government's usual approach in discussing the nation's cyber threats is to couch the issue in cyber terrorism dimensions. However, early in her keynote, Hathaway made an apparent reference to a data breach last year at payment processor RBS Worldpay. In that complex, multi-stage attack, hackers were able to inflate the dollar value of stolen payroll cards that were then used by a small army of hired hands who made coordinated withdrawals of millions of dollars from ATMs around the world.

"One recent example from November 2008 illustrates both the speed and the scope of these challenges. In a single 30-minute period, 130 automated teller machines in 49 cities around the world were illicitly emptied. These and other risks have the potential to undermine our confidence in the information systems that underlie our economic and national security interests."

A copy of Hathaway's prepared remarks is available here (PDF).

By Brian Krebs  |  April 22, 2009; 7:55 PM ET
Categories:  U.S. Government  | Tags: cyber security review, melissa hathaway, obama  

Comments

60 days to write that drivel? Makes me feel warm and fuzzy that this dim light will organize my medical records. Can't we at least opt out?

Posted by: georgejones5 | April 22, 2009 10:09 PM

Brian,

I know Mrs. Hathaway has been referred to as the Obama Administration's Cyber Czar, but doesn't she currently work for Booz Allen? I'm pretty sure she is a contractor, which probably explains why her speech didn't have much detail.

The problem with the govt's past approach to developing a national strategy is that DHS has used contractors to develop their policy instead of actual employees. Unfortunately, contractors are viewed with skepticism by stakeholders, because there always is a question on where their loyalty lies - the government, or their employer (the entity that actually pays them). In addition, contractors don't tend to have the same institutional knowledge and relationships government employees tend to develop over time.

Whether or not there actually is a loyalty conflict is not relevant. The problem is those who are critical to the process of helping formulate cyber security policy - government agencies, corporations and other organizations - don't trust contractors to truly represent the government's view.

In my experience, key stakeholders are not willing to provide contractors with the whole store or the key information needed to draft a truly effective strategy or policy review.

Posted by: cattexmd | April 23, 2009 9:05 AM

Agreed with two previous posts. This is still early, but thus far uncharacteristic of President Obama's other chiefs - most of whom can turn out real plans with reachable milestones. The govt needs steps to take and proper oversight to ensure those steps are implemented correctly and accountably.

Posted by: free-donny | April 23, 2009 11:58 AM

Cyber Czar. What a joke!

This is a National Defense priority that needs to be addressed by billions of dollars and we have a Cyber Czar.

Key private systems can be accessed and changed over the internet.

Defense systems are accessed over the internet with download of data.

Major American financial systems are at risk since foreign programmers have all of the code of these systems and can add any code that they want. For a few million dollars in bribes a foreign government can probably have whatever code they want entered on the systems of the major American banks.

Large American computer providers like IBM are shipping even more American systems to be worked on by foreign programmers.

America's lead in the computer sciences has been abandoned and the thousands of Americans that would be required for computer security will not be available. In five years we will have to use foreign programmers for defense systems and foreign computer experts to provide security for any American system that has not already been sent overseas.

The problem has been allowed to deteriorate to such a point that we need something on the level of the Manhattan Project to address it. No one may like the NSA but currently that is the only agency with the capability to address the problem.

Posted by: bsallamack | April 23, 2009 7:34 PM

Oops.

I forgot to mention that now that the source of computers themselves are from foreign sources there are also dangers that the chips can be modified. It may say Intel on the little decal but that does not mean that a knockoff chip with modifications is not actually inside the computer.

Of course modifying the preloaded operating system would be a simple matter.

Posted by: bsallamack | April 23, 2009 7:58 PM

General James L. Jones is building a security empire. He wants anything that deals with security to funnel through the NSA.

Posted by: jepysdad | April 24, 2009 12:32 AM


It's about time that _someone_ paid some serious attention to hardening essential systems.

Then again, they need to look into the staffing at a lot of government facilities. I can't be the only person who remembers the near-miss sabotage attempt by a foreign national UNIX system administrator who left a logic bomb that would have wiped all of the records of Freddie Mac/Sallie Mae at the height of the housing-bubble collapse.

First, we need to hire loyal Americans who are competent at their work, which is to say most recent graduates in information technologies. There are far too many unemployed top-notch computer scientists, and far too many insufficiently protected high-value assets, to keep hiring H-1B workers from competitor nations and trusting to off-the-shelf commercial security software and operating systems such as Windows(tm), which ships broken and uses millions of consumers as their unwitting beta-testers.

Posted by: thardman | April 24, 2009 1:01 AM


© 2010 The Washington Post Company