President Obama on Friday presented his long-awaited cybersecurity plan, which included the establishment of a new White House office headed by a cybersecurity “coordinator” who would oversee and advise Obama on this issue. He also proposed hiring a separate official dedicated to privacy and civil liberties concerns. The proposal, which bears a striking resemblance to the six-year-old National Strategy to Secure Cyberspace, is ambitious in its scope and scale and it likely will face many of the same roadblocks that previous efforts in this area have faced.
What Obama did not do during his remarks was name anyone to the new coordinator position. Instead, he said that he will personally select the person who takes the job, and stressed that protecting the country’s infrastructure, both public and private, needs to be a top priority.
“America’s economic prosperity in the 21st century will depend on cybersecurity. This world is a world that we depend on every single day. Cyberspace is real and so are the risks,” he said. “We failed to invest in the security of our digital infrastructure. From now on our digital infrastructures will be treated the way they should be: as a strategic national asset.”
Obama is correct on both counts. The risks are all too real and the federal government has indeed failed in every way that matters to commit the necessary resources to addressing those risks. The reasons for this failure are many and they’ve been well-documented. One of the key problems, which Obama addressed directly, has been the failure of federal agencies to work together on this issue.
“No single official oversees this and no single agency coordinates. [The federal agencies] don’t coordinate or communicate as well as they should, with each other or with the private sector,” he said. “There’s much work to be done. Ad hoc responses will not do. We will pursue a new comprehensive approach to securing the infrastructure.”
The major tenets of Obama’s cybersecurity plan are familiar, common-sense recommendations that could go a long way toward improving the country’s security posture:
- Providing White House leadership on the issue of cybersecurity
- Encouraging education, awareness and training on security in the private sector
- Partnering with other countries on cybercrime legislation and prosecutions
- Working with the private sector on information sharing and incident response
These are all good ideas, and each of them could have a major effect on the security of the country’s critical infrastructure. But they’re also old ideas that have been put forth in the 2003 National Strategy to Secure Cyberspace, as well as innumerable other policy documents and reports that have made the rounds in Washington for the last several years. That’s not to say they shouldn’t be tried again, but Obama and his security team need to go into this process with their eyes open. Inter-agency squabbling over authority, lack of funding, lack of direction from the president and a lack of communication with the key private sector players have all helped torpedo previous efforts.
Obama will need to be committed to the cause of cybersecurity for the rest of this term, at least, in order to make a real difference, because this is the very definition of a long-term project. A lot of damage was done in the course of the last decade through sheer inattention to the problem of cybersecurity on the national level, and it will take at least as long to undo that damage.
In the near term, Obama needs to appoint someone to the role of cybersecurity coordinator as soon as is practical. Get the advice of people who have held the job before, such as Howard Schmidt, Amit Yoran and Greg Garcia, talk to folks in the private sector, and then make a choice. Next, Obama should send a short and sweet memo to the heads of all of the federal agencies, saying, “This is my cybersecurity coordinator. He speaks directly for me on this issue. Listen to him. If you’re not interested in helping me fix this problem–which you all helped create, by the way–then step aside. Adults are working here.”
Then, Obama should send his coordinator out to talk to every key player in the critical infrastructure protection community who will talk to him, with instructions to simply listen. Listen to what’s working, what’s going wrong and what the government can do to help. Then take that list and get to work. There are plenty of people out there willing to help, but they need to know that someone in Washington is listening.