[Infowarrior] - Cyber Czar Offers Few Details on Govt. Strategy

Richard Forno rforno at infowarrior.org
Fri Apr 24 00:00:39 UTC 2009


Obama's Cyber Czar Offers Few Details on Govt. Strategy


http://voices.washingtonpost.com/securityfix/2009/04/obamas_cyber_czar_offers_few_d.html?hpid=sec-tech

Those who were hoping to hear details today about how the Obama  
administration plans to revamp the government's approach to cyber  
security threats may have to wait a little while longer.

In a much-anticipated speech at the RSA security conference in San  
Francisco today, Melissa Hathaway, the White House's top cyber  
official, instead highlighted all of the meetings, studies, and  
recommendations that have informed the administration's 60-day  
cyberspace policy review, which was completed last week. But details  
about how the administration might seek to organize and streamline the  
government's cyber efforts were lacking.

Much of the coverage of the administration's cyber review has focused  
on the power struggle on cyber underway between the Department of  
Homeland Security and the National Security Agency. The Obama  
administration also is finalizing plans for a new Pentagon command to  
coordinate the security of military computer networks and to develop  
new offensive cyber weapons. Meanwhile, civil liberty advocates are  
concerned that the government's effort to define cyber security in  
broad economic and national security terms could sweep virtually every  
aspect of American life into the mix.

Hathaway seemed to acknowledge this tension in her speech:

     Previous attempts to deal with cyber security in isolation have  
failed, in no small part, because they were perceived to be in  
conflict with the broader societal goals of progress and innovation,  
civil liberties and privacy rights. However, cyber security only  
succeeds in the context of broader economic progress. At times, it was  
a destination in itself, rather than a compass that guides us toward  
our objective. If treated in a broader context, cyber security will  
enable higher and far reaching national goals, have better acceptance,  
and as a result, a greater chance for success. Our goals depend on  
trust, and trust cannot be achieved if people believe that they are  
vulnerable to fraud and theft or if they cannot depend upon the  
resources (infrastructure services, i.e., water, power, telephone  
service) being available when needed most. At the same time, security  
has no meaning if the application that serves society no longer is  
practical or usable. Stated differently, progress and security must  
not be viewed in a zero-sum fashion.

Hathaway did say more about the economic aspects of cyber (in)security  
than I've heard recently from a top government official, which is  
encouraging. The government's usual approach in discussing the  
nation's cyber threats is to couch the issue in cyber terrorism  
dimensions. However, early in her keynote, Hathaway made an apparent  
reference to a data breach last year at payment processor RBS  
Worldpay. In that complex, multi-stage attack, hackers were able to  
inflate the dollar value of stolen payroll cards that were then used  
by a small army of hired hands who made coordinated withdrawals of  
millions of dollars from ATMs around the world.

"One recent example from November 2008 illustrates both the speed and  
the scope of these challenges. In a single 30-minute period, 130  
automated teller machines in 49 cities around the world were illicitly  
emptied. These and other risks have the potential to undermine our  
confidence in the information systems that underlie our economic and  
national security interests."

