Tuesday, July 07, 2009
Joe Mazzafro

As fascinated (OK obsessed) as I am with the lack of trust between the Congress and the IC with its attendant impact on national security, its time to move on!  I thought DNI Denny Blair’s first public address on June 8th at an INSA dinner would provide more than enough material for this month edition, but having sat through it in person I can’t bare to review a “dare to be bland” overview of the IC by its CEO.  Had this speech been a Wall Street Analyst guidance call I believe there would have been an immediate rush to “short IC” based on lack of strategic direction and tired fundamentals. 


Lots of cyber security developments though since I last engaged you, so let’s turn our attention there.  The 60 Day White House Cyber Review, which became a 70 day review when reportedly the Council of Economic Advisors insisted on a rewrite to reflect the economic issues associated with cyber security, was announced by President Obama on 29 May (http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf)


Not surprising to anyone reading this is that the 60 Review and the President emphasized:


·         the serious (and growing) risks engendered by cyber threats and vulnerabilities to our national and economic security

·         the need for a comprehensive cyber security strategy and implementing policies that protect both the government and private sector

·         because cyber space is literally boundless it does not fall neatly into the domain of one or two Cabinet level departments, establishing a White House Cyber Security Coordinator (aka Cyber Czar) position is essential


What was surprising to the IC digitari though was that having rung the cyber fire bell, that President Obama did not concurrently introduce who would lead the cyber fire brigade for his administration.  Its now early July and no Cyber Czar has been appointed, along with still no nominations for a Principal Deputy DNI (PDDNI) nor a DHS Under Secretary for Intelligence and Analysis (I&A), but I digress! 


According to the “Beltway Echo Chamber” Melissa Hathaway, who was thought to be the natural choice to be the Cyber Czarina because she was the responsible official for the 60 Day Cyber Review, has fallen afoul of powerful internal White House forces for not sufficiently coordinating with Larry Summers and the Council of Economic advisers. Subsequently, there have been near weekly reports that somebody is under serious consideration for the Cyber Coordinator Position with the latest being Microsoft Security Chief Scott Charney and recently retired Northern Virginia Congressman Tom Davis.  Messer’s Charney and Davis, along with others, are apparently not interested because the position description has a long list of responsibilities to go with a variety of reporting chains paired with a sparse roster of authorities.  They have seen the Program Manager for Information Sharing movie (or at least read the reviews) and understand why this has been a policy “box office” bust.


To develop and implement an effective cyber security policy, common “DC wisdom” is that the Cyber Coordinator will need direct Presidential cover (i.e. access) and not report via the Deputy National Security Advisor for Terrorism with a dotted line to a counterpart on the Council of Economic Advisers.  Of course, anybody qualified to be the nation’s first “Cyber Czar” will know they are only a pretender to the government’s real Cyber Czar  - - - the Director of NSA (DIRNSA).  NSA stands alone in understanding cyber space better than any organization on the planet and only it has the technical throw weight needed to immediately shore up America’s cyber defenses.  When DIRNSA is dual hated as the Commander of US Cyber Command in October the position will gain even more influence and authority related to US interests in cyber space.


Given these circumstances I just don’t see many high profile personalities attracted to being the third or fourth choice for a position that lacks authority, reports to a Deputy National Security Adviser and must operate in the shadow of DIRNSA.  What I do see, however, is an opportunity for a solid cyber professional who knows how to plan and get things done in government without being ego driven. Hard to find?  I suppose, especially if you are not looking, but my direct experience tells me there is a relatively large pool of people like this in DOD and the IC. 


Such a person would have a simple metric for success: create an environment where the President will want to know directly how the White House Cyber Coordinator is improving national cyber security.   Easy to say and hard to do, but I would suggest the following concurrent courses of actions:


·         Remember you are not a Czar!  Stay mindful of Inman’s third rule of Washington: do not needlessly create enemies

·         Use the White House staffing and government coordination process to build awareness of and eventually support for your plans.  Don’t expect to be an over night success. 

·         Focus on securing the dot mil domain and migrating best practices there to the dot gov domain.   Let NSA lead.

·         Engage the private sector with securing dot gov in order to protect information they are reporting to the government; establish dot gov as the model for securing the dot com domain

·         Be the persistent voice until you are the powerful voice that reminds those securing cyber space that they have to be mindful of civil liberties and those intent on protecting civil liberties in cyber space that the Constitution is not a “suicide pact.”


The White House “Cyber Czar” can have an immediate positive effect if he or she can create a large bureaucratic sandbox to craft a national cyber security strategy and implementing policies that uses an analysis of alternatives methodology.  Its time to find somebody who wants to do this job and move out!


That’s what I think; what do you think?     joemaz


Share Your Thoughts:

My sources tell me that the PDDNI has been offered to several people -- all of whom have turned it down. Just like last time! We have created jobs that you cannot give away!!!

Joe's right on point, as usual. We're seeing a pattern in Washington -- one that has nothing to do with party affiliation. When we can't solve a problem (and many of our problems don't have off-the-shelf solutions, at least in conventional bureaucratic terms) we add another layer to the pagoda, to little effect.
One question a new cyber czar should ask, assuming, as Joe does, that NSA has the talent, tradition, and technology to be the effective lead on cyber, no matter the wiring diagram, is "How do I help NSA, a DOD and Intell organization, gain support from those in the public who fear such an organization taking on such a large, potentially invasive national mission?" That could be the czar's most important function, at least in the short term. And that means a czar willing to fly wing to someone else's lead, not necessarily what one finds under the usual understandings of "czar."

A "Czar/Czarina" of any stripe, needs platoons of willing "Cossacks" to enforce his/her cerebral edicts. No such Band of Brothers is envisioned in connection with the naming of a new Chief of Cyber. As such, we can safely predict that we face a dismal future where the IC will spin in circles as dozens of department- and agency-embedded little fish -- dare I call them czardines?-- nip at each other with reams of memos filled with sesquipedalian, polysyllabic goop.

I am sitting watching my 7yr old grandson connect the Wii to the internet via our wideband telephone. One more duty for the CZAR -- having a daily TV program informing the kids (and America) about the enemy and how to fight the cyber war? The kids might make the best cyber wariors. Americans need help understanding this war and what it means to them. The US will need all their citizens knowledgeable & engaged & cyber protected. Now how do we secure the Wii communications to the internet? Pick an expert and get going!!

Gail, Murray, Bill, thank you for your thoughful feed back. Each of you have expanded eloquently on the point I am trying to make. There are plenty of cyber issues to deal with and considerable capability in the government and the private sector to address them, but we need a Leslie Grooves like personality who can choregograph a coherent response that will maximize our cyber security


Joe is spot on. Actually the cyber coordinator thing is like war in heaven--won't really matter much to those on earth.
Agree with assessment--NSA is the czar--Washington authority is based in money and billets--NSA+USCYBERCOM is unmatchable here-- more than what may be written somewhere.

I'll take the Cyber Czar job, when it's offered to me. I think I could get my head wrapped around it. I'd focus on getting the myriad organizations, experts, stakeholders and helpers in this equation better synchronized on a common set of U.S. goals -- tempered with the right balance of perspective. I fear we're going to regulate and monitor and secure ourselves into complete helplessness with this massive cyber-protect mandate. Because so many of the critical capabilities we rely upon in the West are so open, thus the value, we have to be mindful of not throwing out the baby with the bath water here. Why do I think DIRNSA and other appointed players are likely to get it wrong? Because the experts that typically gravitate to these jobs largely have never had to provision and manage operational capability; they've only had to govern, regulate and lock it down. Stand by for years of self-inflicted wounds before the U.S. develops some healthy balance in the cyber realm. Aloha, Dave

Andy, thanks for the feedback and you value add

Dave, you are exactly the kind of person I think should be the WH Cyber Coordinator ----- somebody who knows how to actualize policy

The success of the position is dependent upon the success of the person and it appears that no one will allow a person to necessarily be successful from a political perspective. I would set the lowest of expectations before taking the job.

It is a shame that, although we have been talking about this problem for roughly 20 years, we keep "re-discovering" what has been obvious to many of us for a long time: there are threats; we have lots of vulnerabilities; the only way to deal with these is for government to LEAD. We do a great job setting up new organizations (bureaucracies)which will be at each others' throats within the year, but we rarely move the ball down the field in part due to internecine warfare. (Believe me