While much of the reaction to President Obama’s speech on Internet security last week has centered on who Obama will name to the newly created cybersecurity coordinator position, that may be a moot point unless there is a dramatic change in the way that security is handled at the highest levels in Washington, experts say.
Many longtime members of the security community say they are encouraged by what they’ve seen from Obama so far on security, saying he clearly understands the seriousness of the problem and the potential consequences if it’s not addressed soon. However, there is a growing sentiment that even Obama’s support on this issue may not be enough to make a real difference any time soon. The problem lies with lawmakers, economic advisers, lobbyists and other Washington power brokers who don’t have a clear understanding of the severity of the security problem and what’s needed to fix it.
The new cybersecurity coordinator will be at least one level removed from Obama and will have dual taskmasters, reporting to both the National Security Council and the National Economic Council. Those two bodies often have competing priorities, which has led to friction on the security issue in the past.
“In my time in the White House, the National Economic Council tried to kill the national strategy on a multi-faceted front,” said Howard Schmidt, a former information security adviser to President George W. Bush, who helped create the 2003 National Strategy to Secure Cyberspace. “I tried to explain the botnet problem to them and they said that’s not a problem. The NEC folks wouldn’t look at it. They asked about the economic impact. Based on what I’ve read about [current Director of the NEC] Larry Summers, I think he gets the economic impact. So that’s a good sign.”
What’s not such a good sign is that the security adviser will be lower down the organizational chart than many observers had hoped for.
“I was hoping it would be at least a deputy to the president. In order to make this happen, it needs to be at least a deputy, otherwise we’re just rehashing it,” said Tom Kellermann, vice president of security awareness at Core Security.
Kellermann, who was involved in drafting the CSIS report on security for the new administration, said he was happy to see Obama taking security so seriously, but was disappointed with his nods to the lobbyists and special interests regarding Internet regulation and monitoring.
“His statements to appease K Street vis a vis Net neutrality and setting strategy are naive,” he said. “People are still building weak castles based on consensus opinions created to dilute regulations. The worst fear that corporate America fears isn’t regulation, it’s the theft of their entire intellectual property and attacks that will cause so much damage that a public company will go under. They need to be worried about that.”
The potential for such damaging attacks is a main reason that Kellermann, Schmidt and others have advocated the need for the new security adviser to sit at the highest possible level in the administration. Such authority would help defuse power struggles and help keep the issue of information security in front of Obama, they say.
“The beauty of [Obama’s] speech is that it’s an awakening by the most powerful man in the world, and a huge fan of technology. But it’s a double-edged sword,” Kellermann said. “He dispelled the myth that this is all about DDoS and stupid kids, so now I hope he begins to study and make this one of his preferred issues.”
Schmidt said that many past efforts to elevate information security in the White House have been met with resistance from not just economic advisers, but also law enforcement and national-security advisers.
“Staff issues became a problem because everything was focused on terrorism and while much of what we talk about has a direct impact on computers, terrorism doesn’t come into play,” he said. “It was about showing them how this stops a bomb from going off in New York City.”
In the end, the success of Obama’s security plan may have less to do with who he hires to implement it than with the willingness of his other advisers to make security a priority.
“I hope he chooses a deputy, a holistic purist who has an understanding of the underground and the nation-state adversaries that we’re facing,” Kellermann said. “I hope he hires someone who plays a lot of chess. The rest of those people play checkers.”