Place your bets: Is cyber czar announcement really near?

Wednesday, November 18th, 2009 by JD Kathuria

The announcement of a cyber coordinator may be near. At least that’s what a source tells Federal Times. And it’s a toss-up between two contenders — ISF President Howard Schmidt and former Assistant Defense Secretary Frank Kramer. The source goes on to say the announcement may come around Thanksgiving — effectively ending speculation that’s persisted since last May when Obama first announced his intention to create a cyber coordinator position.

Could this really be it? Place your bets here.

Melissa Hathaway: All is not lost on the cybersecurity front

Wednesday, September 16th, 2009 by JD Kathuria

Three months after President Obama promised — and has yet to deliver on his word — to appoint a cybersecurity czar, all is not lost on the cyber front. That was Melissa Hathaway’s takeaway in her first public speaking engagement since resigning as Acting Senior Director for Cyberspace on the National Security Council and Homeland Security Council.

The talk, entitled, “Cyberspace — The Next Frontier,” kicked off the ArcSight Protect 09 security conference the other day. Hathaway’s remarks come at a time when leading voices in cybersecurity have been delivering increasingly pointed critiques of the Obama administration for failing to appoint a cyber coordinator yet. In her talk, Hathaway moved beyond those critiques to highlight positive steps being taken by the federal government.

Bipartisan support growing

“We spent the last several years getting cybersecurity to the national forefront,” said Hathaway, according to internetnews.com. Hathaway also reportedly credited President Obama with helping elevate the issue in May when he gave a 20-minute speech on cybersecurity that coincided with the release of Hathaway’s report. In her ArcSight keynote, Hathaway added that Congress has at least 14 bills pending that address various aspects of cybersecurity, many of which have garnered bipartisan support. “You can see that there’s a lot of unity of effort up on the Hill,” she said.

More work needed

More work is needed, though. Hathaway outlined key gaps in cybersecurity (those details here). Meanwhile, members of Congress are becoming increasingly vocal about the White House’s response to cybersecurity. In a Sept. 10 letter to the White House, Reps. James Langevin and Michael McCaul, the co-chairs of the House Cybersecurity Caucus, stated: “We strongly believe that the continued absence of a permanent cyber-security coordinator impedes the ability of federal agencies to move forward in updating and strengthening their aging cyber-policies.” (Eric Chabrow of govinfo security has the lowdown.)

Cyber coordinator close to being named?

So, where does the cybersecurity saga now stand? An unconfirmed Reuters report names Frank Kramer, a former assistant Defense secretary in the Clinton administration, as the top candidate. As usual, we’ll have to stay tuned.

Cyber Security expert at Deloitte’s Federal Government Services, Colonel Gary McAlum, Discusses The Global Increase In Cyber Crime And Urges Government Contractors To Become More Aware Of The Global Threat of Cyber Crime

Tuesday, August 4th, 2009 by Brynn Koeppen
ExecutiveBiz had the pleasure of interviewing Deloitte’s Colonel Gary McAlum, a cybersecurity expert and former chief of staff of US Strategic Command’s Joint Task Force Global Operations. Col. McAlum has testified before Congress for the US-China Economic and Security Review Commission. He believes that cyber crime has begun to play an increasing role in the global economy and that lawmakers should respond to this growing threat. Col. McAlum also applauds President Obama for building upon cybersecurity initiatives from the previous administration, which Col. McAlum believes will now increase public awareness of cyber crime and other cybersecurity threats.

ExecutiveBiz: Some experts believe President Obama is building upon what was being done in the previous Administration. Do you agree?

Col. Gary McAlum: Absolutely. You can go back as far as 1998, with the Presidential Decision Directive #63 that was signed by President Clinton recognizing our dependence on critical infrastructure. Then with the Comprehensive National Cybersecurity Initiative back in January of 2008 – I think a lot of mechanisms have been put in place to accelerate the focus on this issue. The current Administration has reaffirmed our dependence on this digital infrastructure that supports our national security and our economy, and takes it to another level when the President stated that it would be a key management priority for his Administration and he would use metrics to measure performance.

ExecutiveBiz: How is Deloitte preparing for the Administration’s focus on cybersecurity?

Col. Gary McAlum: Deloitte definitely believes this is a strategic issue and that it is something bigger than just a traditional information security problem for a Chief Information Security Officer or CIO to deal with – it’s a significant leadership challenge. One of the things that we continue to do is assess the legislative, policy and operational cybersecurity environment for the broader implications so that we can best support our federal clients with holistic solutions to their challenges. That’s something to remember — that while all of this is playing out in terms of the future, federal agencies have to deal with today’s problems. Looking at our capabilities internally and determining how we can leverage those to assist is a key part of what we are focusing on at Deloitte.

ExecutiveBiz: What do you think the roles of the Cyber Coordinator and the Department of Defense’s new CYBERCOM should be?

Col. Gary McAlum: President Obama clearly stated that the federal government today is not organized well for dealing with the challenges of cybersecurity. The first thing the White House Cybersecurity Coordinator is going to have to do is work on a holistic national cybersecurity strategy that is truly synchronized across the federal government – that should be priority one. Regarding DoD’s new Cyber Command, that organization will continue to build on what has already been occurring under U.S. Strategic Command for the past several years. So, this organizational change, while significant, is more evolutionary than revolutionary. The primary focus will continue to be on the “.mil” environment but undoubtedly there will be more emphasis on cybersecurity unity of effort across the federal government.

ExecutiveBiz: I saw that you were on the U.S. China Economics and Security Review Committee. How big of a threat is this from foreign countries?

Col. Gary McAlum: It’s no secret that nation states have foreign intelligence services, and that they have a variety of capabilities that they will use to gain information and intelligence, including accessing communications networks. So while this is a serious threat, it’s one that has been around for a long time. I think the bigger threat for most people comes from the threat of cyber crime. There is a significant amount of profit-driven cyber criminal activity going on all around us, particularly focused on data theft ranging from personal identity and financial information to obtaining organizational intellectual property. Organizations, especially financial, are being heavily targeted and successfully exploited in many cases. The cyber crime economy is exploding because of the profit margin that they are able to realize. Cyber crime involves not only traditional organized crime but new enterprises that are focused on leveraging technology and tools, as well as hiring very skilled people to conduct everything from online fraud to data theft and, in some cases, extortion. The cyber crime impact of what is happening today on a global scale is just as much of a concern to me as the most sophisticated threats on the far right of that spectrum.

ExecutiveBiz: What do you think the role of government contractors should be with the new emphasis on cyber security in the new Administration?

Col. Gary McAlum: The federal government hasn’t always done a very good job of defining what they need contractors to do and what level of performance they need to provide in the area of cybersecurity. However, you are going to see acquisition regulations being modified and contracts modified over time to be much more specific, and companies will continue to provide highly skilled and certified personnel. All of which is good and needed. However, contractors should continue to realize that they are being targeted by the same cyber threats that are focused on government networks by virtue that they are doing business with the government. They should focus on securing their networks and protecting information as much as the government is trying to do and, wherever possible, demonstrate excellence and innovation.




ExecutiveBiz: Do you think monetary incentives are needed, like insurance or tax breaks?

Col. Gary McAlum: There are a lot of ways to incentivize cybersecurity improvements but the more fundamental issue is having a clear definition of exactly what that means. Today, there is no common understanding of what defines success and how it is measured. Accepted standards and metrics are critical in this discussion of incentives and only make sense when you can point to a cybersecurity standard that clearly demonstrates how well one company stacks up against others. We can’t do that today. It’s a little bit like car crash ratings in Consumer Reports. When prospective car buyers see how well a car does or doesn’t do in a crash test they are going to make value-based decisions more often than not. Wherever possible, they will probably pay more for a car that is safer. But the key is there are common standards and metrics involved in assessing the safety of automobiles. We need to get to the same type of standardized approach with cybersecurity. Once we understand what we are measuring and then normalize that across the private sector, the private market will drive performance improvements. When that happens, those companies and service providers that don’t do as well may go out of business or they will have to raise their standards. The free market is going to drive this area and some of that might be driven by tax breaks and incentives.

ExecutiveBiz: Where do you see the future of cybersecurity?

Col. Gary McAlum: In the next five years the level of public awareness is going to go way up, and that’s a good thing. Once you get outside the beltway, there is not a lot of understanding of what this complex issue means to the average digital citizen, yet they are very much affected. We are right at the beginning of a process where you are going to see a lot more activity on a national level basis, kind of like the seat belt ads and anti-drug campaigns. You are going to see activities centered around raising the level of end user awareness, the private citizens who are operating on this network that pretty much permeates all aspects of our lives, whether it’s using cell phones, texting, or doing online banking and shopping. Today the level of awareness is not where it needs to be; you are going to see that as an area of significant improvement in the next five years.

Melissa Hathaway Resigns as Acting Cyber Czar

Monday, August 3rd, 2009 by JD Kathuria

Melissa Hathaway, the ExecutiveBiz Top 10 Game Changer to Watch in ’09 who completed the Obama administration’s cybersecurity review in April and has served as the White House’s acting cybersecurity czar, announced her resignation today, citing personal reasons. Her resignation will take effect August 24th.

The White House is considering candidates for the position of Cyber Coordinator, which the President created May 29. The Cyber Coordinator will report to both the National Security Council and the National Economic Council.

Ms. Hathaway recused herself from consideration for the position two weeks ago. She cited personal reasons for leaving and intends to continue her work in the interest of national cybersecurity.


Deloitte Cybersecurity Expert Billy O’Brien Explains What Every CEO Should Be Doing Now And What The Obama Administration Is Doing Right

Saturday, August 1st, 2009 by JD Kathuria

Deloitte cyber expert and former White House director of Cybersecurity and Communications, Billy O’Brien, sat down with ExecutiveBiz to discuss the aftermath of the 60-day Cyberspace Review and what every CEO should be asking themselves about the security of their company. O’Brien appreciates that the published 60-day review vowed to protect our nation’s national infrastructures, treated privacy and civil liberties as a major factor, and labeled cybersecurity a ‘strategic national asset’. O’Brien is also waiting to see action from the Obama administration and believes the private sector will be able to help the public sector with the future of US cybersecurity by providing a unique perspective and already trained cyber experts.

ExecutiveBiz: Can you describe your current role at Deloitte & Touche, LLP as it relates to cyber security?

Billy O’Brien: In my current position, I provide expert counsel to Deloitte’s Federal clients on how to navigate and understand the cybersecurity policy landscape. Our deep bench of cyber expertise allows us to provide solutions to our clients’ most critical challenges. I also continue to work on a number of strategic initiatives, including our most recent global publication, Cybersecurity: Everybody’s Imperative – Protecting our economies, governments, and citizens (www.deloitte.com/cybersecurity).

ExecutiveBiz:  Could you comment on the President’s 60-Day Review press conference?

Billy O’Brien: I applaud President Obama for declaring cybersecurity a key management priority and ordering a 60-day cyberspace policy review. His staff engaged many public and private stakeholders to frame and prioritize multiple key issues.

I was particularly intrigued by three topics the President mentioned:

  1. The declaration of cyber as a strategic national asset. This may have legal implications for private sector organizations that own and operate Internet infrastructure (i.e. ISPs) or provide technical services to government organizations through networks.
  2. Convergence. Traditional telecommunications and IP-based infrastructures are integrating and the government must anticipate the impact to priority communications services, next generation networks, and resiliency.
  3. Privacy and civil liberties. This is a high-visibility topic and it will be a challenge for the Administration to manage expectations to protect critical systems while maintaining a high standard of privacy. The public should realize that the protections in place are not designed to read email; rather, they are sophisticated tools intended to protect government information networks.

However, some questions remain unanswered. For example, the report calls for an updated cyber strategy, which will certainly have greater significance and substance than the 60-day review. Will the White House change or request additional authorities? Will DHS maintain the lead for execution? Will the Administration choose to further the Comprehensive National Cybersecurity Initiative or change direction?

ExecutiveBiz:  What do you think the qualifications of the next Cyber Czar should be?  Do you think the Coordinator will be able to overcome the turf battle that exists historically among agencies?

Billy O’Brien: President Obama has intentionally used the term “Cyber Coordinator.” Accordingly, one primary qualification should be the ability to diplomatically but effectively “coordinate” and oversee the vast number of issues, initiatives, and projects across departments and agencies. The Coordinator should understand how to utilize the existing White House policy processes to hold Federal organizations accountable for their respective deliverables while ensuring they receive appropriate levels of funding from the Office of Management and Budget and ultimately Congress. Lastly, the Coordinator should possess the ability to translate extremely technical information into digestible material required for the President to make informed decisions.

ExecutiveBiz:  What is the proper role for government contractors to solve the cybersecurity challenge facing the country?

Billy O’Brien:  The private sector, particularly consultancies, typically offers immediate and scalable human resources, specialized skill sets and capabilities, independent perspectives, and often, the expertise of seasoned government executives who have left service. Given the sheer size and aggressive schedule of the Comprehensive National Cybersecurity Initiative combined with classified activities in the defense and intelligence communities, the government will require the expertise of consultancies to manage, implement, enhance, and operate these programs. However, the government is seeking to build a skilled cyber workforce, which will decrease its reliance on contractors.

                                    
ExecutiveBiz: What question should executives, CEO types, be asking of their CTOs or their IT departments at organizations as it relates to cyber security?

Billy O’Brien: Executives should work with their CTOs to identify and prioritize their most valuable data assets, such as proprietary or sensitive information. Subsequently, they should ask their CTOs to determine the greatest risk to these assets and evaluate whether funding and protections are proportionately allocated to mitigate their risk profile – this prioritization will lead to efficiencies and cost savings. Many executives will find that their end users present the greatest cyber risk, which can be mitigated through training and access restrictions. Lastly, executives should not allow their CTOs or CISOs to act autonomously; rather, they should remain actively engaged in cyber security decisions.