SAN FRANCISCO--The federal official overseeing a 60-day review of the U.S. government's cybersecurity efforts indicated Wednesday that the final report recommends shifting more responsibilities to the White House.
"It provides the president with recommendations for a White House organizational structure that can effectively address cyberspace-related issues," Melissa Hathaway, acting cyberspace director for the White House's National Security and Homeland Security councils, said at the RSA computer security conference here.
At the moment, a division of the U.S. Department of Homeland Security coordinates nonmilitary cybersecurity activities and is responsible for building a national "response system" for online attacks and creating a "risk management program" for critical infrastructure.
Hathaway said her report--which has not yet been made public--was finished on Friday and has been sent to President Obama for his approval.
"This responsibility transcends the jurisdictional purview of individual departments and agencies because, although each agency has a unique contribution to make, no single agency has a broad enough perspective to match the sweep of the challenges," Hathaway said.
The announcement of the review led to speculation that the White House's National Security Council or the National Security Agency would be handed more cybersecurity responsibilities, along with a larger budget to carry them out. Although the 2002 law creating DHS centralized cybersecurity responsibilities, it has been repeatedly criticized by government auditors who concluded that DHS failed to live up to its responsibilities and may be "unprepared" for emergencies.
On Tuesday, NSA Director Keith Alexander downplayed reports of a power grab by his agency, saying, "We do not want to run cybersecurity for the U.S. government." The NSA has cybersecurity responsibilities for the U.S. military.
Alexander's remarks appeared to be a response to Rod Beckstrom, former director of Homeland Security's National Cybersecurity Center, whose resignation letter last month blasted what he described as an NSA power grab that could threaten "our democratic processes." That led some members of Congress--including the Democratic chairman of the House Homeland Security Committee--to object to NSA control, which Clinton-era FBI director Louis Freeh echoed a day later.
The RSA conference was punctuated by news reports of a discovery of $1.9 million infected zombie computers in a botnet and a report that hackers stole some specifications from the $300 billion Joint Strike Fighter project. (The Pentagon and Lockheed Martin, the primary contractor, said Wednesday that the report was incorrect.)
Any effort by the Obama administration to reshuffle cybersecurity responsibilities will face a significant challenge: the protocols and hardware that make up today's Internet are created and maintained by the private sector. Companies like Cisco Systems, Microsoft, Google, AT&T, and Verizon--not Washington bureaucracies--operate today's Internet, and it's not clear that outside help will be useful.
"Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law," Hathaway said. "Achieving this vision requires leadership and commitment from the highest levels of government, industry, and civil society."