The Enterprise Blog

Author Archive

Congress Addresses Cybersecurity Though Top Post Remains Vacant

By Kara Flook

December 10, 2009, 12:00 pm

More than six months since the cybersecurity coordinator position was announced (and three months since rumors flew that a candidate had been selected), the Obama administration has yet to announce a selection for the job. Why? In addition to a few minor issues (Afghanistan, the economy, healthcare reform) dominating the agenda, former senior director for cyberspace at the National Security Council Melissa Hathaway suggests it’s because the job description is too exacting. It requires someone experienced in not only national security and cybersecurity, but also economic security. “There are just not that many people who have that kind of resume,” according to Hathaway.

Eric Chabrow, the Government Information Security reporter who interviewed Hathaway, argues that this means it is time to change the job description. “Sometimes things look better on paper, but in reality they just don’t work.” He considers the exacting qualification requirements only half of the problem, though, positing that requiring the position to report to two bosses, the national security adviser and the national economic adviser, is also deterring a number of potential candidates. Since it is doubtful the administration will change the job description (or hierarchy) at this point, it’s a safe bet that the cybersecurity coordinator announcement won’t be coming soon.

Meanwhile, Congress is paying more attention to cybersecurity. On November 17, the Senate Judiciary Subcommittee on Terrorism and Homeland Security hosted a hearing titled “Cybersecurity: Preventing Terrorist Attacks and Protecting Privacy in Cyberspace.” The Senate Select Committee on Intelligence announced earlier this week a new bipartisan task force on cybersecurity, which aims to complete its work by June 2010, and Senators Rockefeller and Snowe have reached out to Homeland Security Secretary Napolitano about their draft cybersecurity legislation. Philip Reitinger, the top cybersecurity official at the Department of Homeland Security, maintains that the agency is moving forward on cybersecurity policy despite the lack of a permanent cybersecurity coordinator. It’s a strong reminder for us all that even when the White House’s attention is diverted, other parts of the government continue, hard at work.

House Subcommittee Moving on Cybersecurity

By Kara Flook

September 22, 2009, 2:52 pm

The administration may be lagging behind on cybersecurity, but members of Congress are moving forward. The House Science and Technology Subcommittee on Research and Education is scheduled to mark up a draft amendment to the 2002 Cybersecurity Research and Development Act on September 24. The Cybersecurity Research and Development Amendments Bill of 2009 provides funding for fiscal years 2010 through 2014, mandates an increased focus on medium- and long-term projects, requires a much-needed comprehensive assessment of the federal government’s cybersecurity needs, and encourages public-private partnerships through higher education programs and grants and a university-industry task force. Though the current form is not necessarily its final form, it sounds like it will be an excellent addition to the government’s cybersecurity efforts. With Congress and the military moving forward, the question remains: when will the administration catch up?

New Cybersecurity Coordinator Near

By Kara Flook

September 10, 2009, 1:45 pm

It appears that President Obama is close to naming the new cybersecurity coordinator—GovInfoSecurity.com reports that the announcement will be in the next week or two. In the meantime, a former FBI cybersecurity expert, Chris Painter, has been named the acting coordinator. According to a source with “direct knowledge of the matter,” Frank Kramer is the top candidate. Kramer, who was the assistant secretary of Defense for international security affairs from 1996 to 2001 under the Clinton administration, has a strong background (p. 4) in defense and international affairs. His main cyber credential, however, seems to be his contributions to and co-editorship of Cyberpower and National Security while at the Center for Technology and National Security Policy. This might shed some light on the administration’s approach to both cybersecurity policy overall and the bureaucratic wrangling between the civilian and military agencies with responsibility for cybersecurity. While some in the private sector will worry that a cybersecurity coordinator with a strong background in defense means a militarization of cyberspace, such a background might give the civilian coordinator the clout and credentials needed to overcome interagency rivalries and ensure a balanced approach to cybersecurity.

Kara Flook is a research associate at AEI.

Another Glitch in Cybersecurity

By Kara Flook

August 5, 2009, 8:31 am

Is this another setback for President Obama’s cybersecurity policy? Melissa Hathaway, the acting senior director for cyberspace at the National Security Council, has announced her resignation effective August 21. The long delays in forming cybersecurity policy are said to have frustrated Hathaway, who was once considered a front-runner for the still unfilled cybersecurity coordinator position. The release of her cybersecurity policy review was delayed for two months by White House debates, and the Wall Street Journal reports that Obama’s economic advisors insisted on involvement in cybersecurity policy and marginalized Hathaway. Hathaway took herself out of the running two weeks ago, citing personal reasons. With no announcement in sight for the coordinator position, Obama’s cybersecurity policy seems to be floundering.

Kara Flook is a research assistant at AEI.

NorthKorea.war

By Kara Flook

July 8, 2009, 11:27 am

It looks like North Korea gave the U.S. a bigger birthday present than we first realized. Around the same time that Pyongyang fired seven short range missiles into the Sea of Japan, key U.S. government agencies (DHS, the White House, the Federal Trade Commission), U.S. financial websites (NYSE, NASDAQ, the Treasury) and South Korean government websites came under a cyber attack. South Korea’s National Intelligence Service (NIS) attributes the attack to North Korea or its sympathizers. While the NIS has been accused of exaggerating the North Korean cyber threat in the past (there is little evidence of the thousand-strong elite hacker unit the NIS warns about), the timing of this attack lends credence to their claims. Another theory is that the Distributed Denial of Service attacks, which used a method common to Chinese hackers, were initiated by North Korean sympathizers in China. Either way, it seems cyber attacks are increasingly becoming a way to amplify the effects of conventional action.

Kara Flook is a research assistant at AEI.

An Uncontentious Summit with Russia

By Kara Flook

July 7, 2009, 11:46 am

Although the Obama administration has billed the summit in Moscow as a big step forward in the “reset,” the Kremlin has been downplaying it, focusing more on the meeting as a sign of respect than a venue for big deliverables. Indeed, the flurry of agreements signed, including arms control, military transit to Afghanistan, and a joint commission on POW/MIAs, were all pre-announced and the Russian Defense Ministry even caught the U.S. Joint Chiefs of Staff off guard by trumpeting the resumption of military cooperation in late June. The continued cooperation intended by the creation of a new Bilateral Presidential Commission is important for U.S.-Russian relations, but a plan for cooperation across various levels of government (Congress-Duma exchanges, for example) would be better than this exclusionary focus on the executive. Already, President Obama runs the risk of falling into the trap of his predecessors (in both parties): over-personalization of the relationship by focusing on presidential interactions. While both Presidents Obama and Medvedev are young and share a background in law, this is not enough to bridge the genuine gap in the countries’ national interests and shouldn’t become the focus of bilateral relations. It was heartening to see that President Obama scheduled time to meet with opposition politicians such as Garry Kasparov, Vladimir Ryzhkov, and Boris Nemtsov—one hopes he will continue to support the issues of democracy and human rights, regardless of future political progress with the Kremlin. In all, the summit was exactly what was expected: neither exciting nor inspiring, but not contentious either.

New Cybersecurity Coordinator Position Remains Unfilled

By Kara Flook

June 30, 2009, 11:24 am

One month after announcing the creation of a cybersecurity coordinator, the Obama administration is nowhere close to naming one (there is no timetable yet) and already one candidate is turning the position down. Tom Davis, a former Republican congressman from Virginia, was hailed by many in the industry as the perfect choice for the job, combining both political experience and technical expertise. Last week, however, Davis said he was not interested in the job, citing the vagueness of the job description and level of authority. The administration’s term “coordinator” is a distinct step down from “czar” (as the position is described in the media), and many critics wonder if the position will have enough authority to be effective.

Meanwhile, Lt. General Keith Alexander, the director of the National Security Agency, is poised to take control of the new military cyber command, which was officially announced on June 23. The new command will be headquartered at Fort Meade and is expected to begin operations in October 2009. This new command is to protect only the .mil domain, and the NSA will continue to offer assistance to the .gov domain (under the charge of the Department of Homeland Security) and .com domain (the responsibility of both the public and private sectors).

The military cyber command’s speedy progress, especially compared to the civilian version, is alarming some private sector experts and civil libertarians, who worry about a militarization of cybersecurity. On the other hand, other experts and commentators, including the Information Age editors at the Wall Street Journal, argue that the military and NSA should bear responsibility for all cybersecurity in order to best protect the United States (after all, cyber warfare often occurs through non-governmental and nonmilitary channels). What should the Obama administration take from all this? With the increasing international attention to cybersecurity (it is expected to be discussed both during Obama’s visit to Moscow next week and during the UN General Assembly in November), the administration should focus on creating a consistent approach, integrating both the military’s cyber command and the office of the cybersecurity coordinator. In order to do that, the administration needs to name a knowledgeable and capable coordinator—quickly!

Cybersteps in the Right Direction

By Kara Flook

May 29, 2009, 3:46 pm

“The status quo is no longer acceptable,” President Obama declared, announcing the results of the White House’s 60-day cyberspace policy review, a 38-page report that dismally concludes that the federal government is not properly set up to handle the growing problems of cybersecurity, either now or in the future. The president announced the creation of a cyber czar position, the head of the White House office of cybersecurity, to be named soon (rumor has it that the National Security Council’s acting senior director for cyberspace, Melissa Hathaway, who oversaw the policy review, will get the job). In recognition of the importance of technology to our economy, the cyber czar will report on his or her efforts to secure government, financial, and infrastructure systems to not only the NSC, but also the National Economic Council.

The cyber czar is just one of the five points in the strategy laid out by the cyberspace policy review; the other four are: national dialogue, aimed at increasing public awareness and education; cooperation, both public-private and with key U.S. allies; a comprehensive framework that enables information sharing and coordinated responses to cyber threats; and capturing the power of innovation to meet defined security objectives.

On Thursday, the Pentagon announced its own plan to create a new military command for cyberspace, which would be tasked with organizing the military’s various cyber capabilities. While the Pentagon’s plan hasn’t been formally presented to the president yet, he is expected to sign a classified order for its creation within weeks. While the president’s announcement focused on defensive capabilities, the creation of a high level office and a cybercommand indicates the administration’s recognition of cyberspace as a domain of warfare and willingness to pursue offensive cyberoperations. The question of who will conduct such operations remains unanswered—this longstanding bureaucratic dispute between the National Security Agency and the Pentagon could be a large headache for the new cyber czar.

In the meantime, both the White House and Pentagon announcements are a huge step in the right direction—cybersecurity has been overlooked in our national security strategy for too long, as recent revelations of vulnerabilities in U.S. power grids and military networks show.


The American Enterprise Institute takes no institutional positions on policy advocacy or political campaigns. The views expressed on The Enterprise Blog represent those of the individual writers.
