In a speech at the White House today, President Obama put forward his vision for protecting the nation’s critical IT infrastructure from attack, and announced the new office of Cyber Security Coordinator.
The individual to fill that role isn’t expected to be announced until next week. But Obama said the official will “have regular access to me” to advise on a wide range of cyber-security issues, from military cyber defense to coordinating federal security policies, to improving online privacy and civil liberties of Americans.
But the head of the Coordinator office will be more of an administrator for unified policy and a public voice for the White House and the federal government than a “czar,” the title bandied about for several months in the media as expectation grew that the administration would create some sort of White House job for cyber-security.
The president explicitly said the new White House office will “not dictate security standards to private companies.” The president also said the government would not seek to control private networks or monitor the Internet as part of its emerging cyber-security plans.
The individual will be included in meetings of the national security staff and the National Economic Council.
“Cyberspace is a world we depend on every day,” the president said, noting networks in schools, hospitals, the military and elsewhere are necessary parts of modern life and there are those trying to “disrupt and destroy.”
“Privacy is violated. It’s happened to me, and people around me,” Obama said, pointing to how between August and October last year hackers managed to penetrate the computer systems used by his campaign.
The job description disappointed some security experts who had anticipated the new cyber-security post would carry more clout.
“The position is certainly a lot more lower-level than what many of us working in security had hoped,” said Eugene Spafford, a professor at Purdue University.
“This position will be largely coordination, no policy,” he said, expressing disappointment that the position would be reporting to the economic council, which would likely override suggestions that might require significant change, especially in asking for more financial allocations for security purposes. He said good security is more about near-term economic and financial decisions than long-term risk evaluation. He said he doubted the person would be in a position to get attention from high-level government officials to exert policy change.
Notably absent from Obama's description of the position was the word "czar."
“I’m really happy he didn’t use the word czar,” said Jeff Moss, director of the Black Hat information-security conferences. “We’re a democracy and we don’t have dictators. How could we have one person sweeping away all these problems?”
The White House also published its anticipated Cyber-Security Review, completed by the National Security Council and Homeland Security Council.
The 76-page report says the government should review laws and policies regarding cybersecurity, better coordinate with the private sector and invest in research efforts. The input came from many sources, including the Center for Strategic and International Studies, and is fairly bland -- a far cry from the controversy many expected to see in the arguments around the question of how far the government should control private networks or the Internet.
Several ideas that gained momentum during the Bush Administration were re-affirmed, one of them being Homeland Security Presidential Directive-12 (HSPD-12), which set government authentication guidelines.
But the report also indicated that future efforts in identity management would focus on reports from the National Science and Technology Council’s subcommittee on biometrics and identity management, which issued its “Identity Management Task report” in 2008.