The much anticipated cybersecurity report (hereafter referred to as the Hathaway report) was released on Friday, and I have to say I was a little underwhelmed. Not that it didn't address a critical issue - it simply didn't have the depth I was hoping to see. But perhaps my impression was skewed by the fact that I read it on the heels of the Center for Strategic and International Studies (CSIS) report, which was more detailed and straightforward. While the general flavor of the Hathaway report closely matched the CSIS report, it left me with many more questions that I would love to pose to the new "cyber czar":
How much influence will this position really have?
According to President Obama's speech, this person will be backed by and have access to his office, but the language in the report leaves room for interpretation. According to the description in the report, the czar will "harmonize" policy and provide unified policy guidance. The position has also been referred to as a cybersecurity "coordinator." Considering the magnitude of the initiative, I'm wondering if this politically correct language is code for a Rahm Emanuel-esque, hard-nosed leader who will collaborate on the issues but put real muscle behind implementation.
Speaking of implementation, who's going to push compliance beyond a FISMA exercise?
The report suggests an entity fashioned after the Joint Interagency Cyber Task Force, which runs the Comprehensive National Cybersecurity Initiative (CNCI) under the Director of National Intelligence (DNI). According to the report, this entity could be in OMB or elsewhere in the Executive Office of the President (EOP). If OMB gets this directive, it could significantly boost OMB's influence.
Whether in the lead or not, the Hathaway report suggests that OMB should "use its program assessment framework to ensure departments and agencies use performance-based budgeting in pursuing cybersecurity-related goals." On the campaign trail, President Obama criticized these program assessments, calling for stricter guidelines. Cybersecurity could be a major driver in reconfiguring the Program Assessment Rating Tool (PART) for more comprehensive reviews and better outcomes.
What is the play between civilian and military cybersecurity efforts?
The report didn't go into much detail about this - possibly intentionally - but it discusses the need to blur the line between civilian and military cybersecurity activities. The cyber czar would "help coordinate intelligence and military policies and strategies for cyberspace." It also suggests shifting away from the "artificial" distinctions between national security and other federal networks. Will this open the door for DoD - which receives 45% of cybersecurity dollars - to influence (or even lead) some civilian cyber activities?
The Hathaway report lays the groundwork for a much needed national cybersecurity strategy. This report offered a high-level view of that strategy, and hopefully we'll see more detail in the coming months. What struck me more than anything is that the effort isn't so much about cybersecurity as it is about driving information sharing across agencies, with state, local and tribal governments and with the public sector. Whether it's green IT, IT consolidation or cybersecurity, it's the information sharing piece that could be the monkey wrench in this initiative. If they can accomplish that, they will have created a government-wide benchmark that could be applied across the board.
For more discussion about cybersecurity policy, trends and spending, plan to attend the GovWin/ICG Government event "Cybersecurity in the Federal Government" on June 11.