Security Fails of 2009 – The Strange Case of the Missing Cyber Czar

Today is the second in the series on the Security Fails of 2009.  As 2009 draws to a close I think no one would argue that this has been an extremely eventful year for IT security.  While others will soon be trotting out their “best of 2009” lists, I thought I would instead visit some of the prominent fails of 2009. 

2009 began with the inauguration of a new President who had made the need for improved cyber security a prominent part of his campaign agenda.  Once in office, President Obama asked Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils (fit that on a business card) Melissa Hathaway to assess the state of cyber security and create recommendations for going forward.  It was widely believed that the recommendations would include the creation of a National Cyber Advisor or “Cyber Czar” position that would oversee and coordinate cyber security efforts in the federal government and influence private enterprise. 

In late May on the Friday before the Memorial Day weekend, a press conference was held to announce the release of the final version of the study called the White House Cybersecurity Policy Review.  As predicted, the study recommended the creation of the cyber czar position which was reiterated at the podium at the press conference.   The WHite House had numerous industry luminaries aligned to sing the praises of the announcement, but many like our CEO, John Prisco, were underwhelmed.

And then…silence.

Nearly seven months later and there has been no further word on a candidate for the position.  I pointed out that the timing of the announcement was odd – a Friday before a holiday – which smacked of an administration looking to slip by a story with as little notice and coverage as possible.  Since then there have been rumors of candidates but these rumors quickly fade back into…silence. 

Theories abound as to the lack of progress.  Is the position so poorly defined that it is doomed for failure and potential candidates are too savvy to take on such a role? Is it because a candidate would have to have a working knowledge of security, the security industry, and be adroit at navigating the federal landscape, making the population of qualified candidates too small?  Or was the administration simply looking to check off a box from the campaign agenda by addressing the problem superficially and hoping the attention would wane so no further action was needed?

What is clear is that the excitement about the position and its ability to affect cyber security policy and progress has passed as has valuable time.  Without a visible front person to keep the ideas presented in the Policy Review document in the public view, the hard work behind the document has been essentially wasted.  It seems that pressing matters like getting the Olympics for Chicago have taken precedent.

Given the timing of the announcement and the lack of subsequent activity, the administration has sent a clear signal that this topic is not viewed as critical.  I don’t believe that a new Cyber Czar will have a dramatic influence on cyber policy – it is the lack of attantion given to it by the administration that causes me concern.  And that is why I am including the cyber czar misadventure as a security fail for 2009.

Luckily there are others working to fill the void.  I had the opportunity to speak at the NIST Security Automation Conference in October and was encouraged by the progress I see being made by NIST, the NSA, and others.  As a resident of the Washington D.C. area you learn quickly that there are those who do and those who step into spotlights and they are rarely the same person.  Given the progress of others and the time that has passed since the announcement, I wonder if this ship has sailed and that anyone named to the position now would simply be too neutered to be successful.  I also wonder if such a person would now hold back those who are making progress behind the scenes.  

And finally, I wonder if all of this was orchestrated by the same PR genius at the White House that talked the President into posing with Tiger Woods on the cover of Golf Digest.  It would explain a lot.