New cybersecurity chief Howard Schmidt
(Credit: The White House)The White House's new cybersecurity chief faces a tough agenda, but will be able to draw on the lessons of a 40-year career, including stints at Microsoft and eBay.
Former security adviser Howard Schmidt is returning to the White House as President Obama's new cybersecurity coordinator, the White House announced Tuesday.
In his new role, Schmidt will report to the National Security Council. Schmidt will also "have regular access to the president," said an official who spoke to The New York Times.
Earlier this year, President Obama initiated a review of the government's cybersecurity policies in an effort to streamline operations. Turf wars among various agencies and a perceived weakness in the Department of Homeland Security had raised red flags, prompting the president to declare that the country was not adequately prepared on the cybersecurity front.
Following that review, the White House identified a need for a new cybersecurity chief, then plunged into a tricky, months-long process that now brings Schmidt back to public service.
President Barack Obama greets his new White House cybersecurity chief Howard A. Schmidt in the Cross Hall of the White House.
(Credit: Official White House Photo by Lawrence Jackson)In a recorded speech introducing himself, Schmidt said he sees information technology as offering great opportunities but also great dangers to national security, public safety, economic competitiveness, and personal privacy. As dependence on technology increases, he said, the need to protect our security and privacy also increases.
As such, Schmidt said that the president has directed him to focus on several key areas:
• developing a new and comprehensive strategy to secure U.S. networks to ensure an organized response to future cyber incidents;
• beefing up both public and private partnerships in the U.S. and abroad;
• promoting research and development of next-generation technologies;
• and leading a national campaign to promote cybersecurity, awareness, and education.
Acknowledging that Washington can't solve cybersecurity problems on its own, Schmidt said his agenda is to bring together the government, the private sector, and other stakeholders as part of a new and comprehensive cyberstrategy to strengthen online defenses.
Following Schmidt's appointment, a variety of security analysts offered their thoughts.
In a Tuesday blog post, Randy Abrams of security vendor ESET said that Schmidt is very smart and personable, possessing a depth of knowledge and experience that makes him one of the best possible candidates for the job. But Abrams cautioned people not to expect miracles or fast changes as Schmidt will face huge obstacles trying to coordinate security across different government agencies, most of which have people who think their way is the only way to do things.
Phillip Dunkelberger, president and CEO of security vendor PGP, where Schmidt serves on the board of directors, said: "Howard's familiarity with public sector, private sector, large vendors and small innovative companies should be a great asset to this unique position; one that will just expand as our nation's dependency on cyber communications continues to grow." He also stressed that Schmidt will need to jump in quickly and form a solid working relationship with the Department of Defense and with the federal government's chief information officer, Vivek Kundra, and chief technology officer, Aneesh Chopra.
Schmidt brings to his new post a lengthy resume of government service, with a particular niche in computer crimes and forensics. Early in his career, he worked for the FBI's National Drug Intelligence Center, where he ran the Computer Exploitation Team. He also was a special agent and program director for the Air Force, where he set up one of the government's first dedicated computer forensic labs.
His new post will be Schmidt's second stint at the White House. In December 2001, just after the 9/11 attacks, he was appointed vice chairman for President Bush's Critical Infrastructure Protection Board and deputy to former White House cybersecurity czar Richard Clarke. Schmidt left his post in February 2003 to return to the private sector. During his tenure with the Bush administration, he helped create a new cybersecurity plan, which at the time was criticized as being too watered down, a charge that Schmidt disputed.
In the private sector, Schmidt served as chief security officer for Microsoft from 1997 to 2001 before joining the White House. After leaving his government post, he joined eBay in 2003 as vice president for security.
More recently, Schmidt was the president and CEO of the Information Security Forum, an international nonprofit organization that focuses on risks and research in the cyberworld.
Updated December 23, 4:00 a.m. PST with comments from security analysts.
The accidental disclosure of a House ethics investigation has kicked up quite a fuss on Capitol Hill as it turns out that more than 30 congressman and aides are under investigation. But after committee chairman Zoe Lofgren (D-Calif.) disclosed the breach on the House floor late Thursday, her colleague, Rep. Jo Bonner (Ala.), who is the committee's ranking Republican, spoke next, telling fellow members that the breach was an isolated incident.
Not exactly.
In February, a company that monitors P2P networks said that it had found blueprints and avionics about the president's helicopter, Marine One, on a computer in Tehran. An investigation later found that a third-party defense contractor with access to that data was using a computer that also had P2P file-sharing software on its hard drive...
Read more of "File Sharing's Mysteries Again Stump Uncle Sam" on CBSNews.com.
Microsoft has at times alleged patent infringement in its attempts to stifle certain Linux-based applications. But one group is hoping to fight back by using Microsoft's own former patents.
The Open Invention Network (OIN), a group made up of Microsoft competitors and Linux advocates,said it's close an agreement to buy 22 patents that Microsoft sold to another organization earlier this year. According to Tuesday's Wall Street Journal, the patents may relate to Linux.
The OIN believes that getting these patents is critical to protecting Linux developers from costly lawsuits, according to the Journal. The concern is that otherwise the patents could be grabbed by patent trolls, which will then try to make money from patent-infringement lawsuits.
The group that currently owns the patents, Allied Security Trust, buys them to protect its members from lawsuits. Composed of such companies as Google, Hewlett-Packard, Verizon Communications, and Cisco Systems, Allied Security Trust bought the patents in a private auction held by Microsoft. The Journal reports that Microsoft presented the patents to potential bidders as relating to Linux.
Microsoft has said that it holds more than 50,000 patents, according to the Journal, and that it believes 200 of those are violated by Linux applications.
Over the past few years, Microsoft has signed deals with several open-source companies in which they pay Microsoft money to protect themselves from intellectual property claims.
The OIN's goal is to promote and protect Linux by using patents that allow for free and open collaboration. The group says its patents are available to any company or individual that agrees not to assert those patents against Linux. The idea is to help developers use Linux without having to worry about violating existing patents.
The OIN is trying to use such cases as the recent lawsuit between Microsoft and GPS-maker Tom Tom to prevent similar actions against Linux-based apps. Although Tom Tom settled with Microsoft, the OIN is concerned that the case may establish a precedent.
Started in 2005, the OIN counts among its members IBM, Sony, and Red Hat. Over the years, other powerhouses have joined, including Oracle, Google, and most recently Tom Tom.
When the U.S. Department of Homeland Security announced last summer that it could seize anyone's laptop, mobile phone, or camera at the border to analyze them for an indefinite period, the criticism was immediate.
Sen. Russ Feingold, a Democrat, called the move "alarming," and the ACLU denounced it as "surrendering your Fourth Amendment rights at the border."
It didn't help that the U.S. Ninth Circuit Court of Appeals already had blessed the practice--meaning that anyone, even U.S. citizens, can have their tangle of gadgetry seized at borders or at international arrivals even if there's zero evidence of illicit activities. (It won't happen to everyone in practice, of course, but DHS nevertheless reserved the right to do it.)
On Thursday, Homeland Security Secretary Janet Napolitano announced new guidelines for searching and seizing electronic devices at the border. In a press release, DHS said the guidelines will "enhance and clarify oversight for searches of computers and other electronic media at U.S. ports of entry."
Rhetoric aside, in reality, not much has changed. Laptops and electronic gear can still be seized and held indefinitely; there's no requirement that they be returned to their owners after even six months or a year has passed, though supervisory approval is required if they're held for more than 15 days. The complete contents of a hard drive or memory card can be perused at length for evidence of lawbreaking of any kind, even if it's underpaying your taxes or not paying parking tickets.
This kind of open-ended scanning should worry anyone who travels internationally, not just privacy advocates. When we have laws like the No Electronic Theft Act, which makes sharing a sufficient number of MP3 files a federal crime, how many college students are unindicted felons? File this under the show-me-the-man-and-I'll-show-you-the-crime department.
Harvey Silverglate, a criminal defense attorney in Boston and co-founder of the Foundation for Individual Rights in Education, has a forthcoming book on this point called Three Felonies A Day. "When a statute is so broad that it catches so much ordinary activity, it's very problematic," Silverglate told me in an interview for CBSNews.com this week.
Here's an excerpt from the Homeland Security directive (PDF) to U.S. Customs and Border Protection: "An Officer may detain electronic devices, or copies of information contained therein, for a brief, reasonable period of time to perform a thorough border search. The search may take place on-site or at an off-site location, and is to be completed as expeditiously as possible."
Once the examination is complete and you have not been deemed a criminal, according to Homeland Security's privacy impact assessment (PDF): "CBP will contact you by telephone when the examination of the electronic device(s) is complete, to notify you that you may pick-up the item(s) during regular business hours from the location where the item(s) was detained. If it is impractical for you to pick up the device, CBP can make arrangements to ship the device to you at our expense." (Who's responsible if it's damaged in transit is anyone's guess.)
Homeland Security said Thursday that it performed approximately 1,000 laptop searches from October 1, 2008, through August 11, 2009.
One way to protect yourself from these searches is to use whole disk encryption from a company like PGP and make sure your laptop is completely powered down when crossing the border.
It's true that under the Obama administration, Homeland Security is trying to discourage agents from adding copies of your digital photos or other private files to their personal collections, and it has warned that trade secrets, journalists' notes, and medical records should be handled carefully. These are improvements over the Bush administration's policy.
But a better rule might be a simple one: require some evidence of wrongdoing--at least some suspicion of illegal activity--before agents start to poke through your PC and assorted gadgetry. This is what a bill introduced last year by Feingold would have done. The problem the Wisconsin senator wanted to address still exists; let's hope his desire to fix it does as well.
Internet companies and civil liberties groups were alarmed this spring when a U.S. Senate bill proposed handing the White House the power to disconnect private-sector computers from the Internet.
They're not much happier about a revised version that aides to Sen. Jay Rockefeller, a West Virginia Democrat, have spent months drafting behind closed doors. CNET News has obtained a copy of the 55-page draft of S.773 (excerpt), which still appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.
The new version would allow the president to "declare a cybersecurity emergency" relating to "non-governmental" computer networks and do what's necessary to respond to the threat. Other sections of the proposal include a federal certification program for "cybersecurity professionals," and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.
"I think the redraft, while improved, remains troubling due to its vagueness," said Larry Clinton, president of the Internet Security Alliance, which counts representatives of Verizon, Verisign, Nortel, and Carnegie Mellon University on its board. "It is unclear what authority Sen. Rockefeller thinks is necessary over the private sector. Unless this is clarified, we cannot properly analyze, let alone support the bill."
Representatives of other large Internet and telecommunications companies expressed concerns about the bill in a teleconference with Rockefeller's aides this week, but were not immediately available for interviews on Thursday.
A spokesman for Rockefeller also declined to comment on the record Thursday, saying that many people were unavailable because of the summer recess. A Senate source familiar with the bill compared the president's power to take control of portions of the Internet to what President Bush did when grounding all aircraft on Sept. 11, 2001. The source said that one primary concern was the electrical grid, and what would happen if it were attacked from a broadband connection.
When Rockefeller, the chairman of the Senate Commerce committee, and Olympia Snowe (R-Maine) introduced the original bill in April, they claimed it was vital to protect national cybersecurity. "We must protect our critical infrastructure at all costs--from our water to our electricity, to banking, traffic lights and electronic health records," Rockefeller said.
The Rockefeller proposal plays out against a broader concern in Washington, D.C., about the government's role in cybersecurity. In May, President Obama acknowledged that the government is "not as prepared" as it should be to respond to disruptions and announced that a new cybersecurity coordinator position would be created inside the White House staff. Three months later, that post remains empty, one top cybersecurity aide has quit, and some wags have begun to wonder why a government that receives failing marks on cybersecurity should be trusted to instruct the private sector what to do.
Rockefeller's revised legislation seeks to reshuffle the way the federal government addresses the topic. It requires a "cybersecurity workforce plan" from every federal agency, a "dashboard" pilot project, measurements of hiring effectiveness, and the implementation of a "comprehensive national cybersecurity strategy" in six months--even though its mandatory legal review will take a year to complete.
The privacy implications of sweeping changes implemented before the legal review is finished worry Lee Tien, a senior staff attorney with the Electronic Frontier Foundation in San Francisco. "As soon as you're saying that the federal government is going to be exercising this kind of power over private networks, it's going to be a really big issue," he says.
Probably the most controversial language begins in Section 201, which permits the president to "direct the national response to the cyber threat" if necessary for "the national defense and security." The White House is supposed to engage in "periodic mapping" of private networks deemed to be critical, and those companies "shall share" requested information with the federal government. ("Cyber" is defined as anything having to do with the Internet, telecommunications, computers, or computer networks.)
"The language has changed but it doesn't contain any real additional limits," EFF's Tien says. "It simply switches the more direct and obvious language they had originally to the more ambiguous (version)...The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There's no provision for any administrative process or review. That's where the problems seem to start. And then you have the amorphous powers that go along with it."
Translation: If your company is deemed "critical," a new set of regulations kick in involving who you can hire, what information you must disclose, and when the government would exercise control over your computers or network.
The Internet Security Alliance's Clinton adds that his group is "supportive of increased federal involvement to enhance cyber security, but we believe that the wrong approach, as embodied in this bill as introduced, will be counterproductive both from an national economic and national secuity perspective."
Update at 3:14 p.m. PDT: I just talked to Jena Longo, deputy communications director for the Senate Commerce committee, on the phone. She sent me e-mail with this statement:
The president of the United States has always had the constitutional authority, and duty, to protect the American people and direct the national response to any emergency that threatens the security and safety of the United States. The Rockefeller-Snowe Cybersecurity bill makes it clear that the president's authority includes securing our national cyber infrastructure from attack. The section of the bill that addresses this issue, applies specifically to the national response to a severe attack or natural disaster. This particular legislative language is based on longstanding statutory authorities for wartime use of communications networks. To be very clear, the Rockefeller-Snowe bill will not empower a "government shutdown or takeover of the Internet" and any suggestion otherwise is misleading and false. The purpose of this language is to clarify how the president directs the public-private response to a crisis, secure our economy and safeguard our financial networks, protect the American people, their privacy and civil liberties, and coordinate the government's response.
Unfortunately, I'm still waiting for an on-the-record answer to these four questions that I asked her colleague on Wednesday. I'll let you know if and when I get a response.
A federal judge in San Francisco has tossed out a slew of lawsuits filed against AT&T and other telecommunications companies alleged to have illegally opened their networks to the National Security Agency.
U.S. District Judge Vaughn Walker on Wednesday ruled that, thanks to a 2008 federal law retroactively immunizing those companies, approximately 46 lawsuits brought by civil liberties groups and class action lawyers will be dismissed.
Congress has created a "'focused immunity' for private entities who assisted the government with activities that allegedly violated plaintiffs' constitutional rights," Walker wrote in a 46-page opinion. That has not, he said, "affected plaintiffs' underlying constitutional rights."
Wednesday's ruling is a bitter defeat to groups including the Electronic Frontier Foundation and the American Civil Liberties Union, which are coordinating the lawsuits over warrantless wiretapping. They had hoped to convince the judge that the law improperly infringed upon the separation of powers described in the U.S. Constitution and handed too much power to the executive branch.
The 2008 law, called the Foreign Intelligence Surveillance Amendments Act, was approved by a Democratic-controlled Congress last summer. As a senator, President Obama voted for the measure even though he had previously pledged to oppose it.
It says that no "civil action" may take place in state or federal court "against any person for providing assistance to an element of the intelligence community"--and will be automatically dismissed as long as the attorney general claims the surveillance was authorized.
Former Attorney General Michael Mukasey sent the court a letter saying the surveillance was authorized, but without offering any further information. The Justice Department under President Obama has not changed its position.
EFF said it would appeal to the 9th Circuit Court of Appeals. "We're deeply disappointed in Judge Walker's ruling today," EFF Legal Director Cindy Cohn said in a statement. "The retroactive immunity law unconstitutionally takes away Americans' claims arising out of the First and Fourth Amendments, violates the federal government's separation of powers as established in the Constitution, and robs innocent telecom customers of their rights without due process of law."
The ruling does not affect lawsuits that have been filed directly against the NSA or other government agencies, including the EFF's Jewel v. NSA case. (A congressional report accompanying the 2008 law explicitly says: "Nothing in this bill is intended to affect these suits against the government or individual government officials.")
Walker left one possible opening for EFF, ACLU, and their allies. Because the 2008 law exempts surveillance "authorized by the president" during the time from September 11, 2001 and January 17, 2007, telecom firms could be held liable if they surreptitiously cooperated with NSA or other agencies more recently.
He gave the plaintiffs 30 days to amend their complaint to focus on surveillance that took place after January 17, 2007, the date that President Bush decided to amend the program to include supervision by courts.
The U.S. president has announced a comprehensive cybersecurity strategy for the federal government, saying Internet-based threats have risen "dramatically" and the country "must act to reduce our vulnerabilities."
A 76-page White House document calls for a new way of looking at Internet and computer security, saying that private-public partnerships are necessary, collaboration with international organizations will be vital, and privacy and civil liberties must be respected in the process.
Sound familiar? The year was 2003, and the president was George W. Bush, who wrote the introduction to what he called a "National Strategy to Secure Cyberspace."
On Friday, President Obama announced his 76-page "Cyberspace Policy Review"--with precisely the same number of pages as his predecessor's--at an event at the White House.
While the Bush document discusses centralizing cybersecurity responsibilities in the Department of Homeland Security and the Obama document shifts them to the White House, the two reports are remarkably similar. Perhaps this should be no surprise: Obama selected Melissa Hathaway, who worked for the director of national intelligence in the Bush administration and was director of an Bush-era "Cyber Task Force," to conduct the review.
To test your political acumen, we've taken excerpts from both and placed them side by side in the following chart. Can you tell which quotations come from which administration? (An answer key is at the end.)
| #1: Privacy and civil liberties | "The United States needs a partnership between government and industry to perform analyses, issue warnings, and coordinate response efforts. Privacy and civil liberties must be protected in the process." | "Work with the private sector to explore how best to apply technical capabilities to the defense of the national infrastructure and what legal framework would be required to ensure the protection of privacy rights and civil liberties." |
|---|---|---|
| #2: Sophisticated attacks | "The attack tools and methodologies are becoming widely available, and the technical capability and sophistication of users bent on causing havoc or disruption is improving." | "The growing sophistication and breadth of criminal activity, along with the harm already caused by cyber incidents, highlight the potential for malicious activity in cyberspace to affect U.S. competitiveness." |
| #3: Public-Private partnerships | "The federal government invites the creation of, and participation in, public-private partnerships...The government will continue to support the development of public-private partnerships." | "The federal government should examine existing public-private partnerships to optimize their capacity to identify priorities and enable efficient execution of concrete actions." |
| #4: Crisis responses | "Providing crisis management in response to attacks on critical information systems...In wartime or crisis, adversaries may seek to intimidate by attacking critical infrastructures and key economic functions or eroding public confidence in information systems response." | "The Federal government's obligation to protect the American people and to provide for the common defense includes a responsibility to ensure that the Nation can communicate and respond in times of crisis. The communications system itself might bear the brunt of such events and must have resilience or the capability to recover." |
| #5: Coordination | "The United States must improve interagency coordination between law enforcement, national security,and defense agencies involving cyber-based attacks and espionage..." | "The United States (must) achieve a more reliable, resilient, and trustworthy digital infrastructure for the future.... It presents the need for greater coordination and integrated development of policy." |
| #6: Critical infrastructure | "Our nation's critical infrastructures are composed of public and private institutions in the sectors of agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance..." | "They have also become essential elements in the operation and management of a range of critical infrastructure functions, including transportation systems, shipping, the electric power grid, oil and gas pipelines, nuclear plants, water systems, critical manufacturing, and many others." |
| #7: Terrorists | "Malicious actors in cyberspace can take many forms including individuals, criminal cartels, terrorists, or nation states...The speed and anonymity of cyber attacks makes distinguishing among the actions of terrorists, criminals, and nation states difficult." | "A growing array of state and non-state actors such as terrorists and international criminal groups are targeting U.S. citizens, commerce, critical infrastructure, and government...Exploitation of information networks and the compromise of sensitive data...leave the United States vulnerable." |
| #8: International cooperation | "Enabling our ability to do so requires a system of international cooperation to facilitate information sharing, reduce vulnerabilities, and deter malicious actors." | "Only by working with international partners can the United States best address these challenges, enhance cybersecurity, and reap the full benefits of the digital age." |
| #9: International organizations | "We are also ready to utilize government-sponsored organizations such as the Organization of Economic Cooperation and Development (OECD), G-8,the Asia Pacific Economic Cooperation forum (APEC), and the Organization of American States (OAS), and other relevant organizations to facilitate global coordination on cybersecurity." | "More than a dozen international organizations including...the Group of Eight, NATO, the Council of Europe, the Asia-Pacific Economic Cooperation forum, the Organization of American States, the Organization for Economic Cooperation and Development...address issues concerning the information and communications infrastructure." |
| #10: Catastrophic attacks | "Providing continuity of government requires ensuring the safety of its own cyber infrastructure and those assets required for supporting its essential missions and services." | "The Federal government's obligation to protect the American people and to provide for the common defense includes a responsibility to ensure that the Nation can communicate and respond in times of crisis." |
Answer key: All of the excerpts from the left column are taken from Bush's National Strategy document from February 2003. The right column represents excerpts from Obama's Cyberspace Policy Review document from May 2009.
President Obama on Friday said the U.S. government is "not as prepared" as it should be to respond to disruptions caused by computer or Internet attacks and announced that a new cybersecurity coordinator position would be created inside the White House staff.
The still-to-be-named coordinator will oversee a new bureaucracy tasked with digital infrastructure protection, which had previously been handled by the Department of Homeland Security. "We will ensure that these networks are secure, trustworthy and resilient," Obama said. "We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage."
Obama's announcement, which was expected, came as the president released the outcome of a 60-day review that sought to rethink how the federal government should address cybersecurity. Business groups had sought to raise cybersecurity's profile in the administration but remained wary about regulatory mandates from Washington; security hawks would prefer the new bureaucracy to have more authority over the private sector.
The final report represents a political compromise. It suggests "intrusion detection and prevention systems" and "warning of cyber intrusions and attacks," while stressing that collaboration with privacy groups and industry is vital. New laws compelling companies to share more information with the federal government about intrusions may be necessary, it says, but only "as a last resort."
During his remarks in the White House's East Room on Friday, Obama also seemed to seek a balance between warning of the dangers of terrorists or other miscreants using the Internet and saying the government will not go too far. "Our pursuit of cybersecurity will not -- I repeat, will not include -- monitoring private sector networks or Internet traffic," he said.
The report also goes out of its way to recognize the civil liberties concerns that could arise by a greater focus on private networks: the word "privacy" appears no fewer than 69 times in the document.
In a cybersecurity "crisis," the plan is for the coordinator to become the "White House action officer for cyber incident response." That's a similar role to the White House officials who help to monitor terrorist attacks or natural disasters. (The new coordinator's fiefdom will be shared between the National Economic Council and the National Security Council.)
While there has been some private grumbling that the new coordinator will not report directly to the president -- a prized symbol of access in Washington circles -- reaction to the administration's announcement was generally positive.
Senators John Rockefeller (D-W.V.) and Olympia Snowe (R-Maine), members of the Commerce and Intelligence committees, said in a statement that "no other president in American history has elevated this issue to that level and we thank (Obama) for his leadership." The Center for Democracy and Technology said it "is evident that the report's authors listened to the concerns of privacy and civil liberties groups."
Cybersecurity headaches
The origin of many of the feds' cybersecurity headaches can be traced back to the process that led to the creation of the Department of Homeland Security nearly seven years ago. Politicians in Washington, D.C. decided to glue together a medley of federal agencies to create a massive bureaucracy that would, as one of its new goals, provide a better focus on cybersecurity.
"The department will gather and focus all our efforts to face the challenge of cyberterrorism," President Bush said when signing the 500-or-so-page bill into law in November 2002. "This department will be charged with encouraging research on new technologies that can detect these threats in time to prevent an attack."
Some tasks might benefit from centralization in one of the world's largest bureaucracies. But it soon became evident that cybersecurity was not one of them. By 2005, government auditors concluded that the department failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies; as recently as last fall, DHS Secretary Michael Chertoff said his agency needed to develop a plan to respond to a "cybercrisis."
That led some outside groups to argue that cybersecurity efforts should be taken over by the National Security Agency, which already is responsible for protecting government computers through its "information assurance" arm, or perhaps the White House staff.
Lending an unusual spice to what would normally be a quiet, internecine power struggle was March's resignation of Rod Beckström, director of Homeland Security's National Cybersecurity Center. In his farewell letter, Beckström blasted what he said was an NSA power grab, saying the secretive military agency "effectively controls DHS cyber efforts through detailees, technology insertions."
The week before Beckström's resignation, Director of National Intelligence Admiral Dennis Blair suggested to a House committee that the NSA was ready for the job, saying "there are some wizards out there at Fort Meade." But a few weeks later, after a congressional hearing that was hardly enthusiastic about the idea, NSA director Keith Alexander denied his agency had any interest in the job.
In February, Obama ordered a 60-day review of the federal government's cybersecurity efforts, and appointed Hathaway -- who had worked for the director of national intelligence in the Bush administration -- to lead it.
In addition, The New York Times reported on Friday that the Pentagon is preparing a new military command for cyberspace that would operate in parallel with the civilian effort that Obama is expected to announce. He is "expected to sign a classified order in coming weeks that will create the military cybercommand" and recognize "that the United States already has a growing number of computer weapons in its arsenal and must prepare strategies for their use," the newspaper said.
During Friday's remarks, Obama noted that his campaign had been the subject of a cyber intrusion in which hackers accessed policy papers and travel plans but not fundraising data.
President Obama on Friday is expected to unveil his administration's plans to deal with cybersecurity threats to federal agencies and the private sector, including the creation of a White House "cyber czar."
It's not yet clear who that person will be, or even whether Obama will name someone during his announcement. As part of a political compromise, the new position is expected to be folded into both the National Security Council and National Economic Council.
The announcement, which is scheduled to take place at 10:55 a.m. ET in the White House's East Room, caps years of criticism of the Department of Homeland Security's efforts and months of speculation about what form the replacement cybersecurity bureaucracy will take.
"It provides the president with recommendations for a White House organizational structure that can effectively address cyberspace-related issues," Melissa Hathaway, acting cyberspace director for the White House's National Security and Homeland Security councils, said recently.
No bureaucratic mandate will satisfy everyone: Security hawks would like the "czar" to have authority -- which may mean new laws -- to direct both federal agencies and private businesses on cybersecurity matters. Business representatives, on the other hand, like the potential for increased high-level attention but remain wary of mandates from Washington.
In February, Obama ordered a 60-day review of the federal government's cybersecurity efforts, and appointed Hathaway -- who had worked for the director of national intelligence in the Bush administration -- to lead it. Two months later, Hathaway announced the report had been submitted to the president along with recommendations; it's expected to be made public on Friday.
Earlier this week, the White House offered a hint about how the restructuring would proceed, and indicated that the "czar" would not report directly to the president. Obama's statement on Tuesday said the national security and homeland security staff would be integrated and new positions inside the National Security Council and Homeland Security Council would "deal with new and emerging 21st Century challenges associated with cybersecurity."
In addition, The New York Times reported on Friday that the Pentagon is preparing a new military command for cyberspace that would operate in parallel with the civilian effort that Obama is expected to announce. He is "expected to sign a classified order in coming weeks that will create the military cybercommand" and recognize "that the United States already has a growing number of computer weapons in its arsenal and must prepare strategies for their use," the newspaper said.
Bureaucratic roadblocks
The origin of many of the Feds' cybersecurity headaches can be traced back to the process that led to the creation of the Department of Homeland Security nearly seven years ago. Politicians in Washington, D.C. decided to decided to glue together a medley of federal agencies to create a massive bureaucracy that would, as one of its new goals, provide a better focus on cybersecurity.
"The department will gather and focus all our efforts to face the challenge of cyberterrorism," President Bush said when signing the 500-or-so-page bill into law in November 2002. "This department will be charged with encouraging research on new technologies that can detect these threats in time to prevent an attack."
Some tasks might benefit from centralization in one of the world's largest bureaucracies. But it soon became evident that cybersecurity was not one of them. By 2005, government auditors concluded that the department failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies; as recently as last fall, DHS Secretary Michael Chertoff said his agency needed to develop a plan to respond to a "cybercrisis."
That led some outside groups to argue that cybersecurity efforts should be taken over by the National Security Agency, which already is responsible for protecting government computers through its "information assurance" arm, or perhaps the White House staff.
Lending an unusual spice to what would normally be a internecine power struggle conducted in secret was March's resignation of Rod Beckström, director of Homeland Security's National Cybersecurity Center. In his farewell letter, Beckström blasted what he said was an NSA power grab, saying the secretive military agency "effectively controls DHS cyber efforts through detailees, technology insertions."
The week before Beckström's resignation, Director of National Intelligence Admiral Dennis Blair suggested to a House committee that the NSA was ready for the job, saying "there are some wizards out there at Fort Meade." But a few weeks later, after a congressional hearing that was hardly enthusiastic about the idea, NSA director Keith Alexander denied his agency had any interest in the job.
If any of this sounds familiar, it should. About a year after President George W. Bush took office, his administration announced a highly-anticipated, 76-page document called the "National Strategy to Secure Cyberspace" (PDF). Few of its bullet points calling for immediate "response" have been enacted; even fewer people remember what they were.
In the wake of recent reports describing the electric grid's vulnerabilities to hackers, two members of the U.S. Congress have introduced legislation giving federal regulators more authority to combat that possible threat.
The electric grid system that keeps the United States humming is worth more than $1 trillion and keeps the lights on for more than 300 million Americans. Federal regulators have complained they do not have enough authority over the electric grid networks, which recent reports have suggested may be vulnerable to infiltrations by Chinese and Russian spies--a new concern as utilities tie grid-monitoring control systems to open networks like the Internet.
Matching bills were introduced in the House and the Senate on Thursday to increase the authority of the Department of Homeland Security and the Federal Energy Regulatory Commission to secure the electric grid. The bills were introduced by Sen. Joe Lieberman (I-Conn.) and Rep. Bennie Thompson (D-Miss.), who chair the Homeland Security committees in their respective chambers.
"Our cybersystems are under constant attack," Lieberman said in a statement. "We rely on cyberspace for so much of what is at the heart of our way of life, and our systems are not protected. We are focusing on the electricity cyberstructure today because electricity is what so many critical sectors of the economy depend upon."
Utilities are already expected to comply with mandatory cybersecurity standards, but regulators have reported that utilities are likely downplaying the critical nature of their infrastructure to avoid compliance with the rules.
The legislation addresses that by giving FERC, DHS, and other national security agencies the authority to determine which physical or cyber assets should be deemed "critical electric infrastructure." The bill clarifies that "critical" infrastructure should refer to networks that are so vital to the United States that their incapacity would cause significant harm to the country's security, the economy, or public health at a national or regional level.
It also would enable FERC to issue rules or orders to protect critical electric infrastructure against threats--including emergency orders, which could be issued without prior notice if FERC determines an order is needed immediately to protect the grid from an imminent threat. Emergency orders would remain in place for 90 days, unless FERC opened them up to public comment.
In addition, the legislation calls for FERC and the DHS Secretary to establish within 120 days of its enactment interim measures to protect the electric grid.
The DHS would also be responsible for more oversight of grid protection programs. The legislation would require the department to conduct research to determine if the security of critical electric infrastructure has been compromised and to report its findings to Congress. The department would also have to produce regular reports with recommendations for creating a collective domestic response to a cyberattack by a terrorist, nation-state or person.
The legislation comes as the Obama administration is pushing through stimulus spending smart-grid development, which would connect the electric grid to more networks.
