The departure last week of a senior civilian cybersecurity official just days
after a well-publicized denial-of-service attack has increased jitters
about the whether the Obama administration is devoting enough bandwidth to
the issue.
Yesterday, Steven P. Bucci, a former Deputy
Assistant Secretary of Defense, Homeland Defense who oversaw cybersecurity efforts at the Pentagon during the Bush administration, took
to Twittering: "The continuing
exodus of cyber sec leaders from the Obama Admin is even more vexing
given the POTUS's emphasis on the key area. What is up?"
Earlier this week, the Navy's chief information officer said that a White House-level coordination was needed -- and soon.
In
interviews, officials acknowledged that the delay in appointing a cyber
security coordination director at the National Security Council has
contributed to the perception that the White House is a few nodes short of a hub.
"We
can't get this done soon enough," a White House official said last
week. Another official said the delay was less significant than it
seemed, noting that the National Security Council convened a top-level
meeting last week on cybersecurity to review the status of classified
cross-government collaboration.
In
the presence of a leadership vacuum, the Department of Homeland
Security is bolstering its ranks and streamlining its cyber chain of command. Last week, DHS Secretary Janet
Napolitano drew chuckles at a cybersecurity conference in Washington
when she suggested to a group of private sector consultants that she
was coming to recruit away their best talent.
But Napolitano was
being serious: according to a DHS spokesperson, the department expects
to employ twice as many as cybersecurity staffers by the middle of
next year.
DHS recently convinced
Bruce McConnell, a well-regarded industry mandarin, to return to
government after 15 years in the private sector. He is now the
counselor to the DHS's protections and programs directorate, which
oversees its cybersecurity center. Coordinating DHS cybersecurity
efforts is Philip Reitinger, formerly a senior Microsoft executive. In
a bit of consolidation, Reitinger is also the director of the National
Cyber Security Center, reporting directly to Napolitano and to her
chief counselor, Rand Beers. A third hire from industry is Greg
Schaffer, the former chief risk officer for Alltel Communications.
Still,
the resignation announcement last week of the head of DHS' U.S.
Computer Emergency Readiness Team, Mischel Kwon, underscores the
challenge DHS faces.
For months, Kwon, like other
cybersecurity officials, had been courted by private companies. The
pace of the revolving door between government and industry is
especially quick in this arena, and given the choice between a
government bureaucracy where progress was slow and incremental and a
plum assignment at RSA,
a leading infrastructure protection company, the choice for Kwon was
obvious. Unfortunate timing: her resignation letter leaked the day
after Twitter, which hosts a large cadre of cyber security wonks,
experts and officials -- grumpy or otherwise -- was hit with a
distributed denial of service attack.
The potential for brain drain is real. Contractors will staff many user-end positions, and companies like CACI and
General Dynamics are aggressively seeking to hire cyber-wise experts,
luring them with the promise of salaries and perks that the government
can't offer. Niche companies like Cyber Coders are already struggling to handle the demand from the military alone.
Nick
Shapiro, a White House spokesperson, said that Kwon's departure was not
related to the recent resignation of Melissa Hathaway, who had
coordinated a cybersecurity review for the National Security Council.
Hathaway was detailed to the White House staff from the Office of the
Director of National Intelligence, and that secondment expired last
week.
According to an administration official, Hathaway was not a finalist for the NSC cybersecurity post. But she did want the job, and her bosses at the NSC apparently did not inform her that she was not in contention.
Administration
officials said that some of the president's top national security
advisers, including John Brennan, the counterterrorism chief, were disappointed that Hathaway's 60-day
policy review, announced with much fanfare, posed questions that it did
not answer; the public release of the document was scheduled -- and
delayed -- at least twice while it was rewritten.
One key
recommendation that was changed: Hathaway's team wanted the
cybercoordinator to report directly to the president. Her report, when
released, recommended simply that the official have "direct access" to
the president, which, in bureaucratese, is less impressive. Hathaway's
defenders noted that she had a tiny staff -- fewer than 10 people --
and an entire government to cover in less than 60 days.
Whoever
gets the White House job will coordinate policy across the government without having budget authority.
The three major government domains are not integrated. Dot.gov is now
protected by the DHS, dot.mil, which is protected by the National
Security Agency, and dot.ic, a sub domain used by intelligence agencies
and falls under the purview of the ODNI.
Civilian
cybersecurity
experts worry that the savvy, lumbering giants -- the NSA
and the military -- are outfoxing the much newer DHS, which to them is
troubling because they don't believe the military culture of
secrecy is well-suited to the more transparent realm of
cyber-infrastructure protection.
DHS uses NSA technology to
protect the dot.gov domain now, but it remains firmly in control of how
the technology is used. Still, NSA is adding cybersecurity staff as
quickly as -- if not more quickly than -- DHS, and cyber security
officials inside and outside government worry that unless the White
House asserts its management prerogatives, NSA will win internecine
battles by default.
As for how DHS formally interacts with the
Pentagon's cyber command, a DHS official concedes that "the answer to
the question isn't known yet."
Shapiro, the White House spokesman, in a statement, said that "the President is personally
committed to finding the right person for this job, and a rigorous
selection process is well underway."
