In a move that could reshape the federal government's cybersecurity efforts, President Obama on Monday said a former Booz Allen consultant would conduct an immediate two-month review of all related agency activities.
The announcement indicates that the White House's National Security Council may wrest significant authority away from the U.S. Department of Homeland Security, which weathered withering criticism last fall for its lackluster efforts.
Obama selected Melissa Hathaway, who worked for the director of national intelligence in the Bush administration and was director of a multi-agency "Cyber Task Force," to conduct the review with an eye to ensuring that cybersecurity efforts are well-integrated and competently managed.
"The president is confident that we can protect our nation's critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties," said John Brennan, the president's homeland security adviser.
Hathaway's appointment comes as Obama plans to overhaul the National Security Council, expanding its membership and effectively centralizing more decision-making in the White House staff. That would vest more authority in a staff run by James L. Jones, a former Marine Corps commandant who warned at a speech in Munich over the weekend that terrorists could use "cyber-technologies" to cause catastrophic damage.
During a panel discussion that CNET News wrote about last fall, Hathaway defended Homeland Security's efforts to develop what it called a National Cyber Security Initiative, saying there was "unprecedented bipartisan support" for it.
"Over the past year cyber exploitation has grown more sophisticated, more targeted, and we expect these trends to continue," she added. "Our cybersecurity approach to date has not kept up with the threats we've seen."
"She's great," James Lewis, a senior fellow at the hawkish Center for Strategic and International Studies, said of Hathaway. "She was one of the people who was making things work in the Bush administration... It is getting a high level attention at the deputy level of the NSC, but I don't think they've figured out what they want to do. I see it as kicking the can, with the potential to eventually bury the issue."
What remained unclear on Monday is the breadth of the review: Will it be inward-looking, designed to make an existing governmental apparatus run more efficiently? Or will it look outside the federal government too, and yield recommendations or regulations aimed at telling U.S. companies how to run their businesses? (Many companies on the receiving end of such a process may, of course, find it rather ill-advised.)
The origin of the Feds' cybersecurity headaches can be found in the process that led to the creation of Homeland Security nearly seven years ago. Politicians in Washington, D.C. decided to glue together a medley of federal agencies to create a massive bureaucracy that would, as one of its new goals, provide a better focus on cybersecurity.
"The department will gather and focus all our efforts to face the challenge of cyberterrorism," President Bush said when signing the 500-or-so-page bill into law in November 2002. "This department will be charged with encouraging research on new technologies that can detect these threats in time to prevent an attack."
Some tasks might benefit from centralization in a sprawling bureaucracy. But it soon became evident that cybersecurity was not one of them. By 2005, government auditors concluded that the department failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies; as recently as last fall, DHS Secretary Michael Chertoff said his agency needed to develop a plan to respond to a "cybercrisis."
That led some outside groups to argue that cybersecurity efforts should be taken over by the National Security Agency, which already is responsible for protecting government computers through its "information assurance" arm, or perhaps the White House staff.
The White House announcement on Monday said Hathaway will conduct an "immediate Cyber Security Review." Left unsaid, though, is that a "National Cyber Security Review" was already part of Homeland Security's official plan--finalized in April 2007, nearly two years ago.
CNET's Stephanie Condon contributed to this report.