Schneier on Security
A blog covering security and security technology.
December 11, 2009
Obama's Cybersecurity Czar
Rumors are that RSA president Art Coviello declined the job. No surprise: it has no actual authority but a lot of responsibility.
Security experts have pointed out that previous cybersecurity positions, cybersecurity czars and directors at the Department of Homeland Security, have been unable to make any significant changes to lock down federal systems. Virtually nothing can get done without some kind of budgetary authority, security expert Bruce Schneier has said about the vacant position. An advisor can set priorities and try to carry them out, but won't have the clout to force government agencies to make changes and adhere to policies.
For the record, I was never approached. But I would certainly decline; this is a political job, and someone political needs to fill it.
I've written about this before -- also, the last paragraph here:
And if you're going to appoint a cybersecurity czar, you have to give him actual budgetary authority -- otherwise he won't be able to get anything done, either.
Maybe we should do a reality TV show: "America's Next Cybersecurity Czar."
EDITED TO ADD (12/12): Commentary.
Posted on December 11, 2009 at 6:37 AM
It's not just budget authority. The post needs legal authority over, say, government IT procurement and hiring and training. Or it will be ignored, irrespective of its budget.
"[...]this is a political job, and someone political needs to fill it."
1. Why is a Cyber-Czar necessary?
2. Why do you think we are not going to get yaTSA?
I think the security of federal IT systems would benefit much more from hiring smart and motivated people to be empowered to actually secure the systems against threats and not just to FISMA compliance.
Such things aren't news anymore, but this is another broken promise of candidate Barack Obama (http://www.barackobama.com/2008/07/16/remarks_of_senator_barack_obam_95.php): "As President, I'll make cyber security the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me. We'll coordinate efforts across the federal government, implement a truly national cyber-security policy, and tighten standards to secure information - from the networks that power the federal government, to the networks that you use in your personal lives."
"but this is another broken promise of candidate Barack Obama"
Not being a resident of the US, I don't know all the ins and outs.
But it's difficult to appoint somebody if nobody will take the job.
Personally I can see three impediments,
1, Is the "Don't embarrass me" disclosure.
2, The job is a "poisoned chalice"
3, It needs to be a Gov insider.
It is the last point that is a problem. To be able to deal with the vested interests of the system you have to know the system.
To rise to a senior position in the system you get selected by the system thus are part of the vested interest of the system (unless you are very very clever at hiding your real self).
So I have no real hope for the job and I don't think POTUS is going to get past the vested interests currently.
The real problem in getting a National Cyber Adviser is getting the role some power. I'm confident Obama can do it (he was a successful Illinois politician, after all), but it's going to take time and likely more attention than Obama's got to spare right now. He hasn't been in office a full year, and has had to deal with a major crisis.
The next problem will be to find somebody who's able to work well within the government while stepping on toes, and who either has the technical knowledge, or knows how to get it and will actually listen to it.
The idea has a lot of promise, but nothing's going to happen fast, and we'll have to see if it's going to be done more or less right.
I put that quote in my last comment to show that he promised to have the position report directly to him. Now it reports both (I think) to the NSA and OMB, neutering the position. If it turned out to be impossible to make the position as senior as he promised then he was precipitous in making that promise. If it's actually possible and he compromised then he's just breaking a promise. Don't make too many excuses for the guy.
Would the people griping about this position being a campaign promise please acknowledge that campaign promises have been ruled by the courts to be "mere puffery".
I've had some rather pleasant comments with very senior civil servants in which they've described their initial briefings to a newly elected head of government. Said briefings typically follow the pattern of "promise X will have disastrous consequence A, promise Y will have disastrous consequence B, but can be modified in manner C so that you can avoid bringing about the disastrous consequence and still claim to have kept your promise, promise Z is probably doable, but has complicating factors D, E, and F".
Conveniently, election campaigns provide civil servants a good advance look at these promises so that they can brief the incoming politicians pretty much as soon as they get in.
Security is an issue in a riot, a civil war, on the war front.
Sure seems like the present state of Washington, the political process, and the powers that be fighting.
As for a reality TV show, about life in IT and the Cybersecurity Czar role, make it simple, just see the movie, Alien vs Predator. Quick summary, two powers, fighting in a pyramid that dangerously reconfigures itself, with a team of humans inside. Survival dictates, pick a side, win the war, escape the pyramid, rise to new levels, and be a good human to those who help you, to balance and stabilize power, for the survival of the earth.
Sure makes for interesting media and history being written today.
Send them my way, I'll do it.
"Would the people griping about this position being a campaign promise please acknowledge that campaign promises have been ruled by the courts to be "mere puffery"."
But if we're expected not to believe any of their campaign promises, then what the hell are we voting for?
BlueRaja: your preconceived notions, plus gut feelings, plus the breakfast you ate.
Oh, you say you thought politicians actually stood for something? My sympathy.
Their voting record?
I would do it. I would probably last all of one term, because without a budget I would just travel the talk show circuit and talk about a lot of things that would make a lot of people very, very angry.
"But if we're expected not to believe any of their campaign promises, then what the hell are we voting for?"
Oddly enough, we're voting for "character."
@ Bruce Schneier,
'Oddly enough, we're voting for "character."'
Which is what's wrong with the system (which is why I refer to Politicos as "monkeys in suits" they exhibit all the traits you see at a zoo at the "tea party" except for the cuteness).
Representational democracy is a con, it is easily open to significant abuse by a very few people with the money to push their agenda be it semi-legitimately (campaign funds) covertly (lobbying) or less seemly ways such as sinecure jobs or think group hosting kickbacks etc etc etc down to fraudulent "cash for questions" or "cash for honours" or good old "brown envelope" bribes.
We need to think of ways to remove the current sleaze and vested interests and enable people to vote on substantive issues without having to do it through an unreliable "representative".
> I would certainly decline;
Good for you.
> this is a political job, and someone political
> needs to fill it.
Well... I do not think there should be anybody in this job. Or any other federal job, for that matter.
My guess is that the #1 problem Obama has found with giving this position some REAL power is that the heads of the IT departments of all the various government bodies balked at the idea of handing over ultimate control and responsibility for security to another government agency.
i.e. he was unable to overcome politics.
The US really needs a complete replacement of the entire political system like in Tom Clancy Executive Orders (maybe with less people being killed though)
@ Bruce Schneier,
'Oddly enough, we're voting for "character."'
I've always thought that the job selection process should match the skills being selected for the position to be filled.
I'm not as sure as Clive that the process doesn't work.
At the very least the campaign selects for people with stamina. (which is something much needed in DC).
@Johnathan Wilson "heads of the IT departments ...balked at the idea "
It doesn't work like that. All SAISO's and ISSMs already answer to their CIOs who answer to their agency heads (appointees as a rule) and OMB.
And for all the legitimate flack FISMA has taken? If congress hadn't made it a law these agencies would've done nothing but lip service (if that).
There's also the fact that Obama's appointments are presently being blocked by a record setting number of Republican filibusters.
If cyber Czar is a political job, then we are better off without one. We need to unpoliticize the job, and this job should have a real authority to attract talented people who really deserve this rather than having just a political figurehead.
While I support the position of having a cybersecurity czar, here are some challenges:
1) The person in the position needs access to at least the National Security Advisor. If we ever get an electronic "Pearl Harbor", then the czar needs to be able to approach the President and tell him how we can mitigate the incident.
2) Have budgetary authority or some degree of control. The problem now is that cybersecurity is divided among several departments including DoD and DHS. Somebody needs to be able to crack the whip at them to move in the right direction.
3) We need someone with a thick skin willing to step on toes (like a Hyman Rickover, Leslie Groves, or a J. Edgar Hoover.) The White House would have to back them up and I have a hard time seeing that.
4) Someone with the technical expertise. However, people with the right expertise are unlikely to be willing to take a major pay cut, put up with lots of political hassles, and take a lot of risks for little personal benefit. On top of that, be a good fit for the Obama administration with all of its current problems.
What does it say about a man's character that he tosses aside so many of his campaign promises, including this one? (The list of such promises is long.)
Albatross - The Republicans can't filibuster anything. They only have 40 votes. Nice try.
Interesting Bruce..... I just found your post after commenting on the same topic in my recent post:
Cybersecurity: The Problem with Czars
Cheers and Happy Holidays,