Tuesday, July 07, 2009
Joe Mazzafro

As fascinated (OK obsessed) as I am with the lack of trust between the Congress and the IC with its attendant impact on national security, its time to move on!  I thought DNI Denny Blair’s first public address on June 8th at an INSA dinner would provide more than enough material for this month edition, but having sat through it in person I can’t bare to review a “dare to be bland” overview of the IC by its CEO.  Had this speech been a Wall Street Analyst guidance call I believe there would have been an immediate rush to “short IC” based on lack of strategic direction and tired fundamentals. 


Lots of cyber security developments though since I last engaged you, so let’s turn our attention there.  The 60 Day White House Cyber Review, which became a 70 day review when reportedly the Council of Economic Advisors insisted on a rewrite to reflect the economic issues associated with cyber security, was announced by President Obama on 29 May (http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf)


Not surprising to anyone reading this is that the 60 Review and the President emphasized:


·         the serious (and growing) risks engendered by cyber threats and vulnerabilities to our national and economic security

·         the need for a comprehensive cyber security strategy and implementing policies that protect both the government and private sector

·         because cyber space is literally boundless it does not fall neatly into the domain of one or two Cabinet level departments, establishing a White House Cyber Security Coordinator (aka Cyber Czar) position is essential


What was surprising to the IC digitari though was that having rung the cyber fire bell, that President Obama did not concurrently introduce who would lead the cyber fire brigade for his administration.  Its now early July and no Cyber Czar has been appointed, along with still no nominations for a Principal Deputy DNI (PDDNI) nor a DHS Under Secretary for Intelligence and Analysis (I&A), but I digress! 


According to the “Beltway Echo Chamber” Melissa Hathaway, who was thought to be the natural choice to be the Cyber Czarina because she was the responsible official for the 60 Day Cyber Review, has fallen afoul of powerful internal White House forces for not sufficiently coordinating with Larry Summers and the Council of Economic advisers. Subsequently, there have been near weekly reports that somebody is under serious consideration for the Cyber Coordinator Position with the latest being Microsoft Security Chief Scott Charney and recently retired Northern Virginia Congressman Tom Davis.  Messer’s Charney and Davis, along with others, are apparently not interested because the position description has a long list of responsibilities to go with a variety of reporting chains paired with a sparse roster of authorities.  They have seen the Program Manager for Information Sharing movie (or at least read the reviews) and understand why this has been a policy “box office” bust.


To develop and implement an effective cyber security policy, common “DC wisdom” is that the Cyber Coordinator will need direct Presidential cover (i.e. access) and not report via the Deputy National Security Advisor for Terrorism with a dotted line to a counterpart on the Council of Economic Advisers.  Of course, anybody qualified to be the nation’s first “Cyber Czar” will know they are only a pretender to the government’s real Cyber Czar  - - - the Director of NSA (DIRNSA).  NSA stands alone in understanding cyber space better than any organization on the planet and only it has the technical throw weight needed to immediately shore up America’s cyber defenses.  When DIRNSA is dual hated as the Commander of US Cyber Command in October the position will gain even more influence and authority related to US interests in cyber space.


Given these circumstances I just don’t see many high profile personalities attracted to being the third or fourth choice for a position that lacks authority, reports to a Deputy National Security Adviser and must operate in the shadow of DIRNSA.  What I do see, however, is an opportunity for a solid cyber professional who knows how to plan and get things done in government without being ego driven. Hard to find?  I suppose, especially if you are not looking, but my direct experience tells me there is a relatively large pool of people like this in DOD and the IC. 


Such a person would have a simple metric for success: create an environment where the President will want to know directly how the White House Cyber Coordinator is improving national cyber security.   Easy to say and hard to do, but I would suggest the following concurrent courses of actions:


·         Remember you are not a Czar!  Stay mindful of Inman’s third rule of Washington: do not needlessly create enemies

·         Use the White House staffing and government coordination process to build awareness of and eventually support for your plans.  Don’t expect to be an over night success. 

·         Focus on securing the dot mil domain and migrating best practices there to the dot gov domain.   Let NSA lead.

·         Engage the private sector with securing dot gov in order to protect information they are reporting to the government; establish dot gov as the model for securing the dot com domain

·         Be the persistent voice until you are the powerful voice that reminds those securing cyber space that they have to be mindful of civil liberties and those intent on protecting civil liberties in cyber space that the Constitution is not a “suicide pact.”


The White House “Cyber Czar” can have an immediate positive effect if he or she can create a large bureaucratic sandbox to craft a national cyber security strategy and implementing policies that uses an analysis of alternatives methodology.  Its time to find somebody who wants to do this job and move out!


That’s what I think; what do you think?     joemaz


Share Your Thoughts:

Thanks John! I'don't disagree, but I also don't see this administration (like the last one as well) willing to spend any political capital on cyber and what your are recommending is an outlay of Presidential political capital in "TARP" like amounts

There is a question,how is cybersecurity interwined with intelligence jobs? We all know that a lot of jobs were done through the internet, but specificly, what responsibilities IC should take on cybersecurity matters?

Clearly a question the IC and the larger government is struggling with. In government sense I see the following roles for the IC in Cyber:
1. Threat definition and analysis
2. Indications & Warning regarding cyber threats to national security
3. S&TI support to cyber acquisition

Where this gets more challenging is what should the roll of the IC be in the private sector when it comes to cyber. Here the nation needs a debate about how far it wants its intell capabilities supporting the private sector.
Interested to know what others think