Politics and Law

December 22, 2009 8:18 AM PST

White House appoints cybersecurity chief

by Lance Whitney

New cybersecurity chief Howard Schmidt

(Credit: The White House)

The White House's new cybersecurity chief faces a tough agenda, but will be able to draw on the lessons of a 40-year career, including stints at Microsoft and eBay.

Former security adviser Howard Schmidt is returning to the White House as President Obama's new cybersecurity coordinator, the White House announced Tuesday.

In his new role, Schmidt will report to the National Security Council. Schmidt will also "have regular access to the president," said an official who spoke to The New York Times.

Earlier this year, President Obama initiated a review of the government's cybersecurity policies in an effort to streamline operations. Turf wars among various agencies and a perceived weakness in the Department of Homeland Security had raised red flags, prompting the president to declare that the country was not adequately prepared on the cybersecurity front.

Following that review, the White House identified a need for a new cybersecurity chief, then plunged into a tricky, months-long process that now brings Schmidt back to public service.

President Barack Obama greets his new White House cybersecurity chief Howard A. Schmidt in the Cross Hall of the White House.

(Credit: Official White House Photo by Lawrence Jackson)

In a recorded speech introducing himself, Schmidt said he sees information technology as offering great opportunities but also great dangers to national security, public safety, economic competitiveness, and personal privacy. As dependence on technology increases, he said, the need to protect our security and privacy also increases.

As such, Schmidt said that the president has directed him to focus on several key areas:

• developing a new and comprehensive strategy to secure U.S. networks to ensure an organized response to future cyber incidents;
• beefing up both public and private partnerships in the U.S. and abroad;
• promoting research and development of next-generation technologies;
• and leading a national campaign to promote cybersecurity, awareness, and education.

Acknowledging that Washington can't solve cybersecurity problems on its own, Schmidt said his agenda is to bring together the government, the private sector, and other stakeholders as part of a new and comprehensive cyberstrategy to strengthen online defenses.

Following Schmidt's appointment, a variety of security analysts offered their thoughts.

In a Tuesday blog post, Randy Abrams of security vendor ESET said that Schmidt is very smart and personable, possessing a depth of knowledge and experience that makes him one of the best possible candidates for the job. But Abrams cautioned people not to expect miracles or fast changes as Schmidt will face huge obstacles trying to coordinate security across different government agencies, most of which have people who think their way is the only way to do things.

Phillip Dunkelberger, president and CEO of security vendor PGP, where Schmidt serves on the board of directors, said: "Howard's familiarity with public sector, private sector, large vendors and small innovative companies should be a great asset to this unique position; one that will just expand as our nation's dependency on cyber communications continues to grow." He also stressed that Schmidt will need to jump in quickly and form a solid working relationship with the Department of Defense and with the federal government's chief information officer, Vivek Kundra, and chief technology officer, Aneesh Chopra.

Schmidt brings to his new post a lengthy resume of government service, with a particular niche in computer crimes and forensics. Early in his career, he worked for the FBI's National Drug Intelligence Center, where he ran the Computer Exploitation Team. He also was a special agent and program director for the Air Force, where he set up one of the government's first dedicated computer forensic labs.

His new post will be Schmidt's second stint at the White House. In December 2001, just after the 9/11 attacks, he was appointed vice chairman for President Bush's Critical Infrastructure Protection Board and deputy to former White House cybersecurity czar Richard Clarke. Schmidt left his post in February 2003 to return to the private sector. During his tenure with the Bush administration, he helped create a new cybersecurity plan, which at the time was criticized as being too watered down, a charge that Schmidt disputed.

In the private sector, Schmidt served as chief security officer for Microsoft from 1997 to 2001 before joining the White House. After leaving his government post, he joined eBay in 2003 as vice president for security.

More recently, Schmidt was the president and CEO of the Information Security Forum, an international nonprofit organization that focuses on risks and research in the cyberworld.

Updated December 23, 4:00 a.m. PST with comments from security analysts.

Originally posted at Security
Lance Whitney wears a few different technology hats--journalist, Web developer, and software trainer. He's a contributing editor for Microsoft TechNet Magazine and writes for other computer publications and Web sites. You can follow Lance on Twitter at @lancewhit. Lance is a member of the CNET Blog Network, and he is not an employee of CNET.
August 28, 2009 12:34 AM PDT

Bill would give president emergency control of Internet

by Declan McCullagh

Internet companies and civil liberties groups were alarmed this spring when a U.S. Senate bill proposed handing the White House the power to disconnect private-sector computers from the Internet.

They're not much happier about a revised version that aides to Sen. Jay Rockefeller, a West Virginia Democrat, have spent months drafting behind closed doors. CNET News has obtained a copy of the 55-page draft of S.773 (excerpt), which still appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.

The new version would allow the president to "declare a cybersecurity emergency" relating to "non-governmental" computer networks and do what's necessary to respond to the threat. Other sections of the proposal include a federal certification program for "cybersecurity professionals," and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.

"I think the redraft, while improved, remains troubling due to its vagueness," said Larry Clinton, president of the Internet Security Alliance, which counts representatives of Verizon, Verisign, Nortel, and Carnegie Mellon University on its board. "It is unclear what authority Sen. Rockefeller thinks is necessary over the private sector. Unless this is clarified, we cannot properly analyze, let alone support the bill."

Representatives of other large Internet and telecommunications companies expressed concerns about the bill in a teleconference with Rockefeller's aides this week, but were not immediately available for interviews on Thursday.

A spokesman for Rockefeller also declined to comment on the record Thursday, saying that many people were unavailable because of the summer recess. A Senate source familiar with the bill compared the president's power to take control of portions of the Internet to what President Bush did when grounding all aircraft on Sept. 11, 2001. The source said that one primary concern was the electrical grid, and what would happen if it were attacked from a broadband connection.

When Rockefeller, the chairman of the Senate Commerce committee, and Olympia Snowe (R-Maine) introduced the original bill in April, they claimed it was vital to protect national cybersecurity. "We must protect our critical infrastructure at all costs--from our water to our electricity, to banking, traffic lights and electronic health records," Rockefeller said.

The Rockefeller proposal plays out against a broader concern in Washington, D.C., about the government's role in cybersecurity. In May, President Obama acknowledged that the government is "not as prepared" as it should be to respond to disruptions and announced that a new cybersecurity coordinator position would be created inside the White House staff. Three months later, that post remains empty, one top cybersecurity aide has quit, and some wags have begun to wonder why a government that receives failing marks on cybersecurity should be trusted to instruct the private sector what to do.

Rockefeller's revised legislation seeks to reshuffle the way the federal government addresses the topic. It requires a "cybersecurity workforce plan" from every federal agency, a "dashboard" pilot project, measurements of hiring effectiveness, and the implementation of a "comprehensive national cybersecurity strategy" in six months--even though its mandatory legal review will take a year to complete.

The privacy implications of sweeping changes implemented before the legal review is finished worry Lee Tien, a senior staff attorney with the Electronic Frontier Foundation in San Francisco. "As soon as you're saying that the federal government is going to be exercising this kind of power over private networks, it's going to be a really big issue," he says.

Probably the most controversial language begins in Section 201, which permits the president to "direct the national response to the cyber threat" if necessary for "the national defense and security." The White House is supposed to engage in "periodic mapping" of private networks deemed to be critical, and those companies "shall share" requested information with the federal government. ("Cyber" is defined as anything having to do with the Internet, telecommunications, computers, or computer networks.)

"The language has changed but it doesn't contain any real additional limits," EFF's Tien says. "It simply switches the more direct and obvious language they had originally to the more ambiguous (version)...The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There's no provision for any administrative process or review. That's where the problems seem to start. And then you have the amorphous powers that go along with it."

Translation: If your company is deemed "critical," a new set of regulations kicks in involving who you can hire, what information you must disclose, and when the government would exercise control over your computers or network.

The Internet Security Alliance's Clinton adds that his group is "supportive of increased federal involvement to enhance cyber security, but we believe that the wrong approach, as embodied in this bill as introduced, will be counterproductive both from a national economic and national security perspective."

Update at 3:14 p.m. PDT: I just talked to Jena Longo, deputy communications director for the Senate Commerce committee, on the phone. She sent me e-mail with this statement:

The president of the United States has always had the constitutional authority, and duty, to protect the American people and direct the national response to any emergency that threatens the security and safety of the United States. The Rockefeller-Snowe Cybersecurity bill makes it clear that the president's authority includes securing our national cyber infrastructure from attack. The section of the bill that addresses this issue, applies specifically to the national response to a severe attack or natural disaster. This particular legislative language is based on longstanding statutory authorities for wartime use of communications networks. To be very clear, the Rockefeller-Snowe bill will not empower a "government shutdown or takeover of the Internet" and any suggestion otherwise is misleading and false. The purpose of this language is to clarify how the president directs the public-private response to a crisis, secure our economy and safeguard our financial networks, protect the American people, their privacy and civil liberties, and coordinate the government's response.

Unfortunately, I'm still waiting for an on-the-record answer to these four questions that I asked her colleague on Wednesday. I'll let you know if and when I get a response.

August 3, 2009 6:00 PM PDT

Report: White House acting cyberspace chief resigns

by Michelle Meyers

Acting White House Cyberspace Director Melissa Hathaway, who has reportedly resigned her post, addresses cybersecurity during the RSA computer security conference in April.

(Credit: James Martin/CNET)

Melissa Hathaway, acting cyberspace director for the White House's National Security and Homeland Security councils, has resigned from her post, citing personal reasons, according to The Wall Street Journal.

The White House press office did not immediately respond to a call seeking confirmation of her resignation, but a spokesman has offered an e-mail statement to other publications.

"We are grateful for her dedicated service and for the significant progress she and her team have made on our national cybersecurity strategy," White House spokesman Nick Shapiro said in an e-mail to the publication Federal Computer Week.

The timing of Hathaway's resignation is a bit surprising, given that President Obama was reportedly getting close to choosing a permanent replacement for her post as the country's "cyberczar," a position he created in late May. Hathaway, who had worked for the director of national intelligence in the Bush administration, led the Obama administration's recent 60-day review of the federal government's cybersecurity efforts.

At one point, Hathaway was considered a leading candidate to take over the cyberczar post permanently. But the Journal said she took her name out of the running two weeks ago. "She said she was leaving for personal reasons and that she plans to remain working in the cybersecurity arena," according to the Journal post, which added that her resignation will take effect August 21.

May 29, 2009 12:19 PM PDT

A cybersecurity quiz: Can you tell Obama from Bush?

by Declan McCullagh

The U.S. president has announced a comprehensive cybersecurity strategy for the federal government, saying Internet-based threats have risen "dramatically" and the country "must act to reduce our vulnerabilities."

A 76-page White House document calls for a new way of looking at Internet and computer security, saying that private-public partnerships are necessary, collaboration with international organizations will be vital, and privacy and civil liberties must be respected in the process.

Sound familiar? The year was 2003, and the president was George W. Bush, who wrote the introduction to what he called a "National Strategy to Secure Cyberspace."

On Friday, President Obama announced his 76-page "Cyberspace Policy Review"--with precisely the same number of pages as his predecessor's--at an event at the White House.

While the Bush document discusses centralizing cybersecurity responsibilities in the Department of Homeland Security and the Obama document shifts them to the White House, the two reports are remarkably similar. Perhaps this should be no surprise: Obama selected Melissa Hathaway, who worked for the director of national intelligence in the Bush administration and was director of a Bush-era "Cyber Task Force," to conduct the review.

To test your political acumen, we've taken excerpts from both and placed them side by side in the following chart. Can you tell which quotations come from which administration? (An answer key is at the end.)


| Topic | Excerpt (left column) | Excerpt (right column) |
| --- | --- | --- |
| #1: Privacy and civil liberties | "The United States needs a partnership between government and industry to perform analyses, issue warnings, and coordinate response efforts. Privacy and civil liberties must be protected in the process." | "Work with the private sector to explore how best to apply technical capabilities to the defense of the national infrastructure and what legal framework would be required to ensure the protection of privacy rights and civil liberties." |
| #2: Sophisticated attacks | "The attack tools and methodologies are becoming widely available, and the technical capability and sophistication of users bent on causing havoc or disruption is improving." | "The growing sophistication and breadth of criminal activity, along with the harm already caused by cyber incidents, highlight the potential for malicious activity in cyberspace to affect U.S. competitiveness." |
| #3: Public-Private partnerships | "The federal government invites the creation of, and participation in, public-private partnerships...The government will continue to support the development of public-private partnerships." | "The federal government should examine existing public-private partnerships to optimize their capacity to identify priorities and enable efficient execution of concrete actions." |
| #4: Crisis responses | "Providing crisis management in response to attacks on critical information systems...In wartime or crisis, adversaries may seek to intimidate by attacking critical infrastructures and key economic functions or eroding public confidence in information systems response." | "The Federal government's obligation to protect the American people and to provide for the common defense includes a responsibility to ensure that the Nation can communicate and respond in times of crisis. The communications system itself might bear the brunt of such events and must have resilience or the capability to recover." |
| #5: Coordination | "The United States must improve interagency coordination between law enforcement, national security, and defense agencies involving cyber-based attacks and espionage..." | "The United States (must) achieve a more reliable, resilient, and trustworthy digital infrastructure for the future.... It presents the need for greater coordination and integrated development of policy." |
| #6: Critical infrastructure | "Our nation's critical infrastructures are composed of public and private institutions in the sectors of agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance..." | "They have also become essential elements in the operation and management of a range of critical infrastructure functions, including transportation systems, shipping, the electric power grid, oil and gas pipelines, nuclear plants, water systems, critical manufacturing, and many others." |
| #7: Terrorists | "Malicious actors in cyberspace can take many forms including individuals, criminal cartels, terrorists, or nation states...The speed and anonymity of cyber attacks makes distinguishing among the actions of terrorists, criminals, and nation states difficult." | "A growing array of state and non-state actors such as terrorists and international criminal groups are targeting U.S. citizens, commerce, critical infrastructure, and government...Exploitation of information networks and the compromise of sensitive data...leave the United States vulnerable." |
| #8: International cooperation | "Enabling our ability to do so requires a system of international cooperation to facilitate information sharing, reduce vulnerabilities, and deter malicious actors." | "Only by working with international partners can the United States best address these challenges, enhance cybersecurity, and reap the full benefits of the digital age." |
| #9: International organizations | "We are also ready to utilize government-sponsored organizations such as the Organization of Economic Cooperation and Development (OECD), G-8, the Asia Pacific Economic Cooperation forum (APEC), and the Organization of American States (OAS), and other relevant organizations to facilitate global coordination on cybersecurity." | "More than a dozen international organizations including...the Group of Eight, NATO, the Council of Europe, the Asia-Pacific Economic Cooperation forum, the Organization of American States, the Organization for Economic Cooperation and Development...address issues concerning the information and communications infrastructure." |
| #10: Catastrophic attacks | "Providing continuity of government requires ensuring the safety of its own cyber infrastructure and those assets required for supporting its essential missions and services." | "The Federal government's obligation to protect the American people and to provide for the common defense includes a responsibility to ensure that the Nation can communicate and respond in times of crisis." |

Answer key: All of the excerpts from the left column are taken from Bush's National Strategy document from February 2003. The right column represents excerpts from Obama's Cyberspace Policy Review document from May 2009.

May 29, 2009 10:07 AM PDT

Obama on cybersecurity: We're not that prepared

by Declan McCullagh

President Obama on Friday said the U.S. government is "not as prepared" as it should be to respond to disruptions caused by computer or Internet attacks and announced that a new cybersecurity coordinator position would be created inside the White House staff.

The still-to-be-named coordinator will oversee a new bureaucracy tasked with digital infrastructure protection, which had previously been handled by the Department of Homeland Security. "We will ensure that these networks are secure, trustworthy and resilient," Obama said. "We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage."

Obama's announcement, which was expected, came as the president released the outcome of a 60-day review that sought to rethink how the federal government should address cybersecurity. Business groups had sought to raise cybersecurity's profile in the administration but remained wary about regulatory mandates from Washington; security hawks would prefer the new bureaucracy to have more authority over the private sector.

The final report represents a political compromise. It suggests "intrusion detection and prevention systems" and "warning of cyber intrusions and attacks," while stressing that collaboration with privacy groups and industry is vital. New laws compelling companies to share more information with the federal government about intrusions may be necessary, it says, but only "as a last resort."

During his remarks in the White House's East Room on Friday, Obama also seemed to seek a balance between warning of the dangers of terrorists or other miscreants using the Internet and saying the government will not go too far. "Our pursuit of cybersecurity will not -- I repeat, will not include -- monitoring private sector networks or Internet traffic," he said.

The report also goes out of its way to recognize the civil liberties concerns that could arise from a greater focus on private networks: the word "privacy" appears no fewer than 69 times in the document.

In a cybersecurity "crisis," the plan is for the coordinator to become the "White House action officer for cyber incident response." That's a similar role to the White House officials who help to monitor terrorist attacks or natural disasters. (The new coordinator's fiefdom will be shared between the National Economic Council and the National Security Council.)

While there has been some private grumbling that the new coordinator will not report directly to the president -- a prized symbol of access in Washington circles -- reaction to the administration's announcement was generally positive.

Senators John Rockefeller (D-W.V.) and Olympia Snowe (R-Maine), members of the Commerce and Intelligence committees, said in a statement that "no other president in American history has elevated this issue to that level and we thank (Obama) for his leadership." The Center for Democracy and Technology said it "is evident that the report's authors listened to the concerns of privacy and civil liberties groups."

Cybersecurity headaches
The origin of many of the feds' cybersecurity headaches can be traced back to the process that led to the creation of the Department of Homeland Security nearly seven years ago. Politicians in Washington, D.C. decided to glue together a medley of federal agencies to create a massive bureaucracy that would, as one of its new goals, provide a better focus on cybersecurity.

"The department will gather and focus all our efforts to face the challenge of cyberterrorism," President Bush said when signing the 500-or-so-page bill into law in November 2002. "This department will be charged with encouraging research on new technologies that can detect these threats in time to prevent an attack."

Some tasks might benefit from centralization in one of the world's largest bureaucracies. But it soon became evident that cybersecurity was not one of them. By 2005, government auditors concluded that the department failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies; as recently as last fall, DHS Secretary Michael Chertoff said his agency needed to develop a plan to respond to a "cybercrisis."

That led some outside groups to argue that cybersecurity efforts should be taken over by the National Security Agency, which already is responsible for protecting government computers through its "information assurance" arm, or perhaps the White House staff.

Lending an unusual spice to what would normally be a quiet, internecine power struggle was March's resignation of Rod Beckström, director of Homeland Security's National Cybersecurity Center. In his farewell letter, Beckström blasted what he said was an NSA power grab, saying the secretive military agency "effectively controls DHS cyber efforts through detailees, technology insertions."

The week before Beckström's resignation, Director of National Intelligence Admiral Dennis Blair suggested to a House committee that the NSA was ready for the job, saying "there are some wizards out there at Fort Meade." But a few weeks later, after a congressional hearing that was hardly enthusiastic about the idea, NSA director Keith Alexander denied his agency had any interest in the job.

In February, Obama ordered a 60-day review of the federal government's cybersecurity efforts, and appointed Hathaway -- who had worked for the director of national intelligence in the Bush administration -- to lead it.

In addition, The New York Times reported on Friday that the Pentagon is preparing a new military command for cyberspace that would operate in parallel with the civilian effort that Obama is expected to announce. He is "expected to sign a classified order in coming weeks that will create the military cybercommand" and recognize "that the United States already has a growing number of computer weapons in its arsenal and must prepare strategies for their use," the newspaper said.

During Friday's remarks, Obama noted that his campaign had been the subject of a cyber intrusion in which hackers accessed policy papers and travel plans but not fundraising data.

May 29, 2009 10:03 AM PDT

Obama: Hackers accessed campaign files in 2008

by Stephanie Condon

This was originally published at CBSNews.com.

President Obama on Friday confirmed that his presidential campaign suffered a cyber intrusion in which hackers gained access to a range of files.

Barack Obama says of cyberattacks: "It has happened to me."

(Credit: CBS)

In a speech in which he unveiled a plan for a comprehensive national cybersecurity strategy, the president said he understands what it is like to be a victim of a cyberattack because "it has happened to me and the people around me."

Between the months of August and October, Obama said, hackers accessed files including policy papers and travel plans. Files pertaining to fundraising information were left untouched, he assured his supporters in a joking manner.

Obama noted that his campaign's vulnerabilities reflected those of the rest of the world in the digital era.

"It's no secret my presidential campaign harnessed the Internet" to communicate with a wide swath of supporters, he said. However, the hacking was "a powerful reminder...one of your greatest strengths, our ability to communicate...could also be one of your greatest vulnerabilities."

The campaign worked with federal agents and hired security consultants to address the breach, Obama said. Newsweek reported in November that federal agents were investigating cyberbreaches of both the Obama and McCain campaigns.

Originally posted at Security
May 29, 2009 1:20 AM PDT

Obama expected to announce cybersecurity revamp, new 'czar'

by Declan McCullagh

President Obama on Friday is expected to unveil his administration's plans to deal with cybersecurity threats to federal agencies and the private sector, including the creation of a White House "cyber czar."

It's not yet clear who that person will be, or even whether Obama will name someone during his announcement. As part of a political compromise, the new position is expected to be folded into both the National Security Council and National Economic Council.

The announcement, which is scheduled to take place at 10:55 a.m. ET in the White House's East Room, caps years of criticism of the Department of Homeland Security's efforts and months of speculation about what form the replacement cybersecurity bureaucracy will take.

"It provides the president with recommendations for a White House organizational structure that can effectively address cyberspace-related issues," Melissa Hathaway, acting cyberspace director for the White House's National Security and Homeland Security councils, said recently.

No bureaucratic mandate will satisfy everyone: Security hawks would like the "czar" to have authority -- which may mean new laws -- to direct both federal agencies and private businesses on cybersecurity matters. Business representatives, on the other hand, like the potential for increased high-level attention but remain wary of mandates from Washington.

In February, Obama ordered a 60-day review of the federal government's cybersecurity efforts, and appointed Hathaway -- who had worked for the director of national intelligence in the Bush administration -- to lead it. Two months later, Hathaway announced the report had been submitted to the president along with recommendations; it's expected to be made public on Friday.

Earlier this week, the White House offered a hint about how the restructuring would proceed, and indicated that the "czar" would not report directly to the president. Obama's statement on Tuesday said the national security and homeland security staff would be integrated and new positions inside the National Security Council and Homeland Security Council would "deal with new and emerging 21st Century challenges associated with cybersecurity."

In addition, The New York Times reported on Friday that the Pentagon is preparing a new military command for cyberspace that would operate in parallel with the civilian effort that Obama is expected to announce. He is "expected to sign a classified order in coming weeks that will create the military cybercommand" and recognize "that the United States already has a growing number of computer weapons in its arsenal and must prepare strategies for their use," the newspaper said.

Bureaucratic roadblocks
The origin of many of the Feds' cybersecurity headaches can be traced back to the process that led to the creation of the Department of Homeland Security nearly seven years ago. Politicians in Washington, D.C. decided to glue together a medley of federal agencies to create a massive bureaucracy that would, as one of its new goals, provide a better focus on cybersecurity.

"The department will gather and focus all our efforts to face the challenge of cyberterrorism," President Bush said when signing the 500-or-so-page bill into law in November 2002. "This department will be charged with encouraging research on new technologies that can detect these threats in time to prevent an attack."

Some tasks might benefit from centralization in one of the world's largest bureaucracies. But it soon became evident that cybersecurity was not one of them. By 2005, government auditors concluded that the department failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies; as recently as last fall, DHS Secretary Michael Chertoff said his agency needed to develop a plan to respond to a "cybercrisis."

That led some outside groups to argue that cybersecurity efforts should be taken over by the National Security Agency, which already is responsible for protecting government computers through its "information assurance" arm, or perhaps the White House staff.

Lending an unusual spice to what would normally be an internecine power struggle conducted in secret was March's resignation of Rod Beckström, director of Homeland Security's National Cybersecurity Center. In his farewell letter, Beckström blasted what he said was an NSA power grab, saying the secretive military agency "effectively controls DHS cyber efforts through detailees, technology insertions."

The week before Beckström's resignation, Director of National Intelligence Admiral Dennis Blair suggested to a House committee that the NSA was ready for the job, saying "there are some wizards out there at Fort Meade." But a few weeks later, after a congressional hearing that was hardly enthusiastic about the idea, NSA director Keith Alexander denied his agency had any interest in the job.

If any of this sounds familiar, it should. About a year after President George W. Bush took office, his administration announced a highly-anticipated, 76-page document called the "National Strategy to Secure Cyberspace" (PDF). Few of its bullet points calling for immediate "response" have been enacted; even fewer people remember what they were.

April 30, 2009 4:32 PM PDT

Senators aim to protect electric grid from hackers

by Stephanie Condon

In the wake of recent reports describing the electric grid's vulnerabilities to hackers, two members of the U.S. Congress have introduced legislation giving federal regulators more authority to combat that possible threat.

The electric grid system that keeps the United States humming is worth more than $1 trillion and keeps the lights on for more than 300 million Americans. Federal regulators have complained they do not have enough authority over the electric grid networks, which recent reports have suggested may be vulnerable to infiltrations by Chinese and Russian spies--a new concern as utilities tie grid-monitoring control systems to open networks like the Internet.

Matching bills were introduced in the House and the Senate on Thursday to increase the authority of the Department of Homeland Security and the Federal Energy Regulatory Commission to secure the electric grid. The bills were introduced by Sen. Joe Lieberman (I-Conn.) and Rep. Bennie Thompson (D-Miss.), who chair the Homeland Security committees in their respective chambers.

"Our cybersystems are under constant attack," Lieberman said in a statement. "We rely on cyberspace for so much of what is at the heart of our way of life, and our systems are not protected. We are focusing on the electricity cyberstructure today because electricity is what so many critical sectors of the economy depend upon."

Utilities are already expected to comply with mandatory cybersecurity standards, but regulators have reported that utilities are likely downplaying the critical nature of their infrastructure to avoid compliance with the rules.

The legislation addresses that by giving FERC, DHS, and other national security agencies the authority to determine which physical or cyber assets should be deemed "critical electric infrastructure." The bill clarifies that "critical" infrastructure should refer to networks that are so vital to the United States that their incapacity would cause significant harm to the country's security, the economy, or public health at a national or regional level.

It also would enable FERC to issue rules or orders to protect critical electric infrastructure against threats--including emergency orders, which could be issued without prior notice if FERC determines an order is needed immediately to protect the grid from an imminent threat. Emergency orders would remain in place for 90 days, unless FERC opened them up to public comment.

In addition, the legislation calls for FERC and the DHS Secretary to establish within 120 days of its enactment interim measures to protect the electric grid.

The DHS would also be responsible for more oversight of grid protection programs. The legislation would require the department to conduct research to determine if the security of critical electric infrastructure has been compromised and to report its findings to Congress. The department would also have to produce regular reports with recommendations for creating a collective domestic response to a cyberattack by a terrorist, nation-state or person.

The legislation comes as the Obama administration is pushing smart-grid development through stimulus spending, which would connect the electric grid to more networks.

April 27, 2009 1:38 PM PDT

Obama's tech agenda put on hold

by Stephanie Condon

This was originally published on CBSNews.com.

When times are hard, people adjust their priorities--even the president. When an unexpected economic disaster imploded as Barack Obama was entering office, some of his technology agenda was put on hold.

Almost 100 days into his presidency, Obama has yet to advance most of the strong technology policies he promised during the campaign.

Thanks in large part to the economic crisis, Obama has yet to put forward his new cybersecurity strategy, or even fill some important technology-related vacancies. At the same time, the downward-spiraling economy has let him push forward in other ways that were unexpected as recently as last fall.

In orchestrating the development of a $787 billion stimulus package, the president won congressional approval for significant spending on broadband infrastructure, electric smart-grid technology, and electronic health care records. Still unclear, though, are the ultimate results of that spending, or whether it will translate into more investment by the private sector.

"I think it's a positive sign (the administration is) including technology as a cross-cutting issue in all of their priorities," said Ben Scott, the policy director for the media advocacy group Free Press. "So far, with every opportunity to push technology policy into the mix, they've done so. Some of the standalone tech policy agenda has not been an immediate priority, but it would be unfair to demand that, given the other crises the administration is dealing with."

Some of the most important pieces of the president's technology policy are only beginning to unfold. Less than two weeks ago, Obama appointed Virginia's secretary of technology, Aneesh Chopra, to be his chief technology officer. Chopra is responsible for formulating an open government directive within the next 20 days and will work closely with Obama's chief information officer, Vivek Kundra.

Obama's pick to chair the Federal Communications Commission, Julius Genachowski, has yet to be confirmed, but he is expected to push for more Net neutrality regulation.

All three appointments, Scott said, "reflect a strong commitment to a new kind of technology policy, (and) a commitment to making technology work for the government."

Appointments may hint at approach
Obama has also made some high-level appointments within the Justice Department that may hint at the administration's approach to technology--specifically, toward the protection of intellectual property. The president has filled out the department with lawyers favored by the copyright industry, including attorneys who have represented the Recording Industry Association of America and the Business Software Alliance.

The president has yet to appoint anyone to fill the role of intellectual property enforcement coordinator, a new, congressionally mandated cabinet position responsible for coordinating the White House's IP enforcement efforts. Vice President Joe Biden emphasized the need to find the "right person" for the job, given the significant impact intellectual property has on the economy.

The jury is still out on whether the IP enforcement coordinator will play a meaningful role in copyright and IP policy in the White House, said David Sohn, senior policy counsel for the Center for Democracy and Technology (CDT).

"What the person in that position is able to achieve and how much prominence they will have is hard to tell," he said.

While the administration has yet to take any significant actions on the IP front, the Justice Department did intervene last month in a file-sharing case in which it sided with the record label plaintiff.

Obama's endorsement of strong but reasonable intellectual property enforcement generally aligns with the Bush administration's position. President Bush's White House endorsed the legislation that created the IP enforcement coordinator position, after it was stripped of its more extreme provisions.

The Obama White House has yet to greatly diverge from the Bush administration on another tech policy item critical to the nation's economy--cybersecurity--but that could change dramatically in the coming weeks.

Bush in 2008 gave the Homeland Security Department jurisdiction over the Comprehensive National Cybersecurity Initiative, a new program to coordinate cybersecurity efforts. The program has come under harsh scrutiny, however, and President Obama in February called for a comprehensive, two-month review of all federal cybersecurity efforts. He selected Melissa Hathaway, who worked for the director of national intelligence in the Bush administration, to conduct the review.

The final review was sent to the president for his approval but has yet to be publicly released. Hathaway last week indicated that it may recommend shifting cybersecurity responsibility away from DHS to the White House.

"Signs so far say there will be at least one major difference (from Bush cybersecurity policy) in terms of transparency," said Greg Nojeim, senior counsel for CDT. "The review team's process has so far been transparent, and they've involved stakeholders from industry, Congress, and privacy and advocacy groups. If that carries forth into the execution of the policy, it would be a very good sign and a significant departure from President Bush's approach."

While Obama may be able to learn from Bush's mistakes in the realm of cybersecurity, he also has the fortuitous advantage of having a green light from Congress to invest in new, major initiatives that his predecessor did not.

Doctors and hospitals will have to digitize their patients' medical records under Obama's watch or face eventual penalties under the electronic health record provisions of the stimulus package. The stimulus bill dedicated $19 billion for the digitization of medical records, which Obama has called the "low-hanging fruit" of health care reform.

Challenges to IT adoption ahead
It may be easy in comparison to comprehensive health care reform, but experts say there are dizzying challenges to information technology adoption in the health sector. It is so challenging that it took the current economic crisis to jump-start the process, even though the and called for health IT adoption years ago.

"I think it was a game-changer for (Obama's) entire economic agenda," said Scott, of Free Press.

In the five years Scott has spent advocating for broadband deployment, he said, it has been difficult to envision investments of even around $200 million--much less the $7.2 billion for broadband included in the stimulus.

Back in September 2008, former FCC Chairman Michael Powell said at an FCC forum that it would be unrealistic to entertain "the idea that there's money to get people to dig up streets and put in fiber."

Now, Scott says, it's possible the $7 billion in broadband stimulus funds could be the first of regular annual investments, if the Universal Service Fund is revised to subsidize broadband infrastructure rather than just telephone service.

"The stimulus bill gave the administration an instant opportunity to implement a new theory of broadband policy, which is to begin treating Internet access as a public good, not as a private good," Scott said. "When you put $7 billion in broadband infrastructure, that is a policy which is really unprecedented and positive."

Rob Atkinson, president of the Information Technology and Innovation Foundation, agreed that the stimulus reflects Obama's commitment to advancing the use of technology, whether through the modernization of the health care system or the expansion of broadband. A commitment to technology is likely to be manifest in the president's procurement policies, regulatory changes, and in other areas.

He said it is doubtful, though, the president will be able to promote spending on technology at a significant level ever again.

"While I think the administration has a deep commitment to public investment in these areas, there are going to be so many priorities in other areas that risk crowding them out," Atkinson said. "The stimulus was a one-time opportunity that doesn't come around very often."

April 22, 2009 4:47 PM PDT

White House may relieve DHS of cybersecurity role

by Declan McCullagh

Acting White House Cyberspace Director Melissa Hathaway addresses the cybersecurity issue during the RSA computer security conference on Wednesday.

(Credit: James Martin/CNET)

SAN FRANCISCO--The federal official overseeing a 60-day review of the U.S. government's cybersecurity efforts indicated Wednesday that the final report recommends shifting more responsibilities to the White House.

"It provides the president with recommendations for a White House organizational structure that can effectively address cyberspace-related issues," Melissa Hathaway, acting cyberspace director for the White House's National Security and Homeland Security councils, said at the RSA computer security conference here.

At the moment, a division of the U.S. Department of Homeland Security coordinates nonmilitary cybersecurity activities and is responsible for building a national "response system" for online attacks and creating a "risk management program" for critical infrastructure.

Hathaway said her report--which has not yet been made public--was finished on Friday and has been sent to President Obama for his approval.

"This responsibility transcends the jurisdictional purview of individual departments and agencies because, although each agency has a unique contribution to make, no single agency has a broad enough perspective to match the sweep of the challenges," Hathaway said.

The announcement of the review led to speculation that the White House's National Security Council or the National Security Agency would be handed more cybersecurity responsibilities, along with a larger budget to carry them out. Although the 2002 law creating DHS centralized cybersecurity responsibilities, it has been repeatedly criticized by government auditors who concluded that DHS failed to live up to its responsibilities and may be "unprepared" for emergencies.

On Tuesday, NSA Director Keith Alexander downplayed reports of a power grab by his agency, saying, "We do not want to run cybersecurity for the U.S. government." The NSA has cybersecurity responsibilities for the U.S. military.

Alexander's remarks appeared to be a response to Rod Beckstrom, former director of Homeland Security's National Cybersecurity Center, whose resignation letter last month blasted what he described as an NSA power grab that could threaten "our democratic processes." That led some members of Congress--including the Democratic chairman of the House Homeland Security Committee--to object to NSA control, which Clinton-era FBI director Louis Freeh echoed a day later.

The RSA conference was punctuated by news reports of a discovery of 1.9 million infected zombie computers in a botnet and a report that hackers stole some specifications from the $300 billion Joint Strike Fighter project. (The Pentagon and Lockheed Martin, the primary contractor, said Wednesday that the report was incorrect.)

Any effort by the Obama administration to reshuffle cybersecurity responsibilities will face a significant challenge: the protocols and hardware that make up today's Internet are created and maintained by the private sector. Companies like Cisco Systems, Microsoft, Google, AT&T, and Verizon--not Washington bureaucracies--operate today's Internet, and it's not clear that outside help will be useful.

"Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law," Hathaway said. "Achieving this vision requires leadership and commitment from the highest levels of government, industry, and civil society."
