Back in May, President Obama stated he would appoint a cyber coordinator to help “orchestrate and integrate all cybersecurity policies.” That was then, this is now; we’re still waiting. Amid speculation about possible candidates and the resignation of acting cyber czar Melissa Hathaway, the guessing game continues. For Jim Lewis of the Center for Strategic and International Studies, it’s taking too long. In a candid exchange with ExecutiveBiz, Lewis offers his take on the White House’s approach to cybersecurity -- and shares what industry should be doing now in the absence of marching orders from a cyber coordinator.
ExecutiveBiz: We've been waiting (and waiting) for word on the cyber coordinator. What's the delay all about?
Jim Lewis: It's just indecision and turf fighting. Beyond that, the White House has a lot of other high priority issues on the table: health care, energy policy, the recovery, Afghanistan. Those are big problems. They eat up the bulk of the time. Cybersecurity just isn't a priority.
ExecutiveBiz: That's a pretty bold statement. Is cybersecurity as important as health care, etc.?
Jim Lewis: No, it's not as important as health care or recovery -- we have to put this in context -- but it's not so unimportant that you can afford not to do anything for months. The president said that the cyber coordinator would be announced shortly. What date was that? It was in May.
ExecutiveBiz: If you could say anything to the White House to move forward, what would it be?
Jim Lewis: If everyone says they like the CSIS report and this is a fundamental national security issue -- and the director of national intelligence and the joint chiefs of staff have all said the same thing -- we have to start treating this as a national security issue, not an afterthought.
ExecutiveBiz: In our last interview with you, you seemed excited about where the White House was going with cybersecurity. Has your view changed?
Jim Lewis: Yes, it has. You know, there are strong antibodies to actually doing anything and I think it will take a year or so to get through that.
ExecutiveBiz: You've also mentioned that if certain things don't fall into place, regulation is a last resort. As time passes, what's your prognosis on that?
Jim Lewis: Unless something changes, we're probably going to stick with the faith-based approach, where we hope things work out and, when there's a crash, we move to regulation.
ExecutiveBiz: What sort of disaster might we be looking at?
Jim Lewis: We're probably not going to see a disaster for at least the next couple years, barring some unforeseen conflict with, say, Russia or China. Then, yeah, sure, we could see the electrical grid, the financial system, or all government websites as potential targets.
ExecutiveBiz: In the meantime, what questions should industry ask government?
Jim Lewis: I would ask, “Tell me how can I secure my networks, how I can help secure our economy? Tell me what I need to do. Tell me what the threat I'm facing is.” That's still not as widely known as you might hope. The Washington contracting community is still a prime target for foreign entities who want to collect information. So I would ask, “Am I a prime target? Who's after me? What do I need to think about? How do we work together?”
ExecutiveBiz: Who in government can industry have this conversation with?
Jim Lewis: The momentum [to address cybersecurity] has shifted from the White House to DHS and to Cyber Command -- they're the folks driving the train right now. I think you're going to see more investment and activity out of those two places. I also think you're going to see good work at OMB ... to use the acquisitions process to help move to a more secure government network. So, that's where we are now: OMB, DHS, DOD, and Cyber Command. Focus on them for now.
ExecutiveBiz: Any downside to this approach?
Jim Lewis: Yes, there's a caveat. They're all doing good work, but they don't cover the waterfront; we still don't have a comprehensive approach. DHS looks at some infrastructure. Cyber Command has lots of money to spend but only limited ability to secure commercial networks. Same for DHS. We're going to see a lot of activity in the .gov and the .mil space, while the dot com space is pretty much [left] to its own devices. We've been doing that for the last 12 years and it hasn't worked.
ExecutiveBiz: How can government contractors help strengthen cybersecurity, regardless of what the White House is (or isn't) doing?
Jim Lewis: Number one: Think about standards. How do you make more secure products? How do you sell more secure services? I think companies who can offer more secure products and services -- demonstrably more secure -- will have an advantage. There is an emphasis now on security that wasn't there five years ago. So, when you sell to the government, you want to be able to say: “I've thought about how to make this product or service more secure when it's built into a federal network.” That has to be part of the sales discussion now. It can't just be, “How does this [product or service] make you [government customer] more efficient?”
ExecutiveBiz: Any other tips for industry?
Jim Lewis: I do think the federal government is doing a better job focusing on security, acquisitions, and architecture. There is some good work starting there. Industry, for its part, should be thinking what products or services it can offer that combine the advantages of the cloud and mobility. That's the direction technology is going over the next five to 10 years. So what people buy and use then will be different than what they buy and use now. That's why it's important to ask, “How do I fit into the security of a wireless network? How do I fit into securing the cloud?” Those are the challenges ahead.
ExecutiveBiz: So, ultimately, if you had to place your faith in anyone to improve cybersecurity, would it be industry?
Jim Lewis: No. This is a big problem. It requires many solutions and many critical infrastructure parts: military, diplomatic, intelligence, and industrial. Industry owns a big part of this but they don't even own a majority share. That's why the White House really needs to coordinate this effort -- and appoint a cyber coordinator already.