Cybersecurity ‘Czar’ Will Have Power Over Private Networks

Published August 1, 2009

President Barack Obama says he wants his cybersecurity advisor not only to help him develop strategy to protect the nation’s government-run computer networks but also to take authority over private computer networks.

The decision has raised questions about how much control and authority a new “cybersecurity czar” will have over private and commercial sectors of the Internet.

“Such a role could be legitimate if its scope were limited to ‘bringing government into the twenty-first century,'” said Wayne Crews, vice president of policy and director of technology studies for the Competitive Enterprise Institute in Washington, DC.

“But given the constant temptation by politicians in both parties to meddle with technology policy, the position of cybersecurity ‘czar’ could easily morph into a central figure in the drive to regulate private networks rather than simply focus on government modernization,” Crews warned.

The cybersecurity czar, who will hold the position as a “senior White House official,” will have broad authority and the most comprehensive mandate granted to such an official to date. Details were still sketchy at press time, but Obama said the czar would work with the National Security Council and the senior White House economic advisor.

A ‘Top Priority’

Obama pledged during his presidential campaign to elevate cybersecurity to a “top priority” and appoint a national cybersecurity advisor “who will report directly to me.” The mandate to report to both the national security and economic advisors suggests the White House may be seeking to ensure a balance between homeland security and economic concerns.

It also indicates an effort to quell an internal political battle in which Lawrence H. Summers, the senior White House economic advisor, has been pushing for the National Economic Council to have a key role in cybersecurity to ensure government efforts to “protect” private networks do not unduly threaten economic growth.

A government report on the topic released in late May said though the government has a responsibility to help secure private-sector networks, regulation should be the last resort.

The report—compiled by Obama technology advisor Melissa Hathaway, believed to be the president’s pick for cybersecurity czar—touts the concept of public-private partnerships to protect nongovernment systems.

Enlisting Private-Sector Help

The White House report discusses the need to provide incentives for greater data-sharing and risk management and to use the federal procurement process to drive increased network security. But Crews is wary of a “private-public” partnership.

“Government regulation to address private-sector cybersecurity practices is premature,” Crews said. “Politicians, when they do weigh in, are likely to seek massive sums to establish research grants for politically favored cybersecurity initiatives; set up redundant cybersecurity agencies, programs, and subsidies; and steer cybersecurity research in the academic world away from its natural course.

“Past regulatory proposals affecting information security have included mandates on data breach disclosure, virus protection, and vulnerability reporting,” Crews added. “Policymakers should be suspicious of proposals to collectivize and centralize cybersecurity risk management, especially in frontier industries like information technology,” Crews said.

White House Coordination ‘Vital’

Amit Yoran, CEO of NetWitness Corp. in, Herndon, Virginia, said to secure government servers, strong coordination from the White House is vital.

“It would be irresponsible to suggest that any single agency can ‘lead’ the federal cyber effort without active White House engagement and support,” Yoran said. “During the review process there was much deliberation as to the seniority and power a cyber point-person would have.

“Consolidated and strong leadership, fully empowered to be bold and decisive, is absolutely critical if cybersecurity is to be taken seriously and any meaningful progress is expected,” Yoran added.

Privacy Concerns

But strong leadership without proper protections for privacy is a big threat to individual rights and the economy, said Rob Douglas, editor of IdentityTheft.info.

“It is very troubling,” Douglas said. “We live in a day and age in which Americans are suspicious of the government exceeding the rules in place for any one of a number of our civil liberties. People have to stop and think of what that means. This gives the administration and future ones a way to bring your daily life to a halt. Everything we do in commerce and in much of our lives is done on the Internet today.

“With this power, the administration and future ones can shut down parts of the Internet,” Douglas added. “That’s not too far from saying that they have the power to regulate the use of the Internet, and you’re just one step away from being allowed to censor what is on the Internet.”

‘Last Freedoms’

Douglas likened this development to Microsoft and other companies being required to play ball with the Chinese government in order to do business in that country.

“The Internet is one of the last freedoms,” Douglas said. “Regulation could stifle innovation. Americans cherish that it is unregulated. There is little doubt that the Internet is where the majority of innovation takes place today. This could hurt that.

“The rest of the world will watch how this administration and successors use this position to impact the Internet,” Douglas added. “It would impact not just us but also how the rest of the world does business. A majority of Internet communications travels through the United States at some point.”

Wary of Tight Controls

Douglas also objects to the tightly controlled authority being proposed.

“That is problematic,” Douglas explained. “We live in a country of checks and balances. When we grant power to the government, we expect checks and balances.”

Phil Britt ([email protected]) writes from South Holland, Illinois.

For more information …

“Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure,” The White House, May 29, 2009: http://www.whitehouse.gov/asset.aspx?AssetId=1906