Whoever is brave enough to fill the soon-to-be-created cybersecurity czar position will find a rather large pile of challenges waiting. Among them will be dealing with a confused and argumentative Congress, doing a full-scale assessment of the country’s critical infrastructure and reaching out to all of the federal agencies that have been without leadership on cybersecurity for months. But none of those should be the cybersecurity czar’s top priority.
No, the first order of business should be building relationships with the key people and constituencies in the private sector. It’s been said a thousand times before, but it bears repeating: Much of the critical infrastructure is owned and operated by the private sector. That’s important to note for a couple of reasons, most importantly because the government has little say in the way that those networks are operated. Certainly the government can and does establish regulations and mandates governing how the utilities, financial institutions and other key organizations set up and secure their networks. But in terms of the day-to-day operation of those networks, it’s up to each individual organization.
Now, some lawmakers and administration officials would love to see that changed, and have even proposed giving the president the ability to shut off critical networks during cyber attacks or other incidents. That provision seems unlikely to be implemented, but it’s a clear sign that the Obama administration knows how little control it has over the country’s key networks and how much of a problem that could pose.
The other key reason the cybersecurity czar needs to make relations with the private sector a priority is the wealth of experience and expertise that industry has to offer the government. There’s plenty of security expertise in the federal government as well, but the amount of talent in U.S. companies and universities is probably unparalleled anywhere in the world. It would be foolish to continue to let that resource go to waste.
Whether and how this happens will depend largely on who gets the cybersecurity czar job and how much juice that person has. Even if the adviser sits inside the Oval Office and plays basketball with President Obama on weekends, it won’t matter one bit if he or she doesn’t have the credibility and experience to deal with the players in the private sector on an equal footing. The adviser’s place in the government’s organizational chart is important, but no more so than his or her experience and reputation in the security community.
The Bush administration tried every conceivable approach to this problem, bringing in security insiders (Howard Schmidt, Amit Yoran), a former lobbyist (Greg Garcia) and even an entrepreneur/author/futurist (Rod Beckstrom). None of them had the resources or support he needed to truly build a partnership with the private sector, though each of them tried.
It will be interesting to see which road Obama goes down in choosing his cybersecurity czar. Whichever way he goes, the private sector surely will be watching closely.