
Mischel Kwon has resigned as director of the U.S. Computer Emergency Response Team in the Department of Homeland Security. She was the fourth U.S. CERT director in five years. It is believed she will remain in authority until September 2nd of this year. This comes at a particularly interesting time. The same day she resigned, Phil Reitinger, the director of the National Cyber Security Center at DHS, said in a statement that the administration “has made cyber security a top priority.” One article stated that Kwon had become frustrated by bureaucratic obstacles and a lack of authority to fulfill her mission.
Kwon’s resignation follows that of Rod Beckstrom, who resigned back in March. He claimed the lack of support inside the agency and what he described as a power grab by the National Security Agency were the reasons for his departure.
Earlier this week Melissa Hathaway, who was regarded as one of the top cyber advisors to the White House, resigned as well. So why did she resign? Good question, and a question that Sen. Susan Collins (R-Maine), a senior ranking member on the Senate Homeland Security and Government Affairs Committee, wants answered. Collins has requested that her staff members interview Hathaway regarding why she is leaving. Hathaway would only cite personal reasons for her resignation, which is effective August 24th.
That being said, Hathaway reportedly noted in her comments that it has been two months since President Obama made a highly publicized speech stating the importance of cyber security. Hathaway has been quoted as saying “I wasn’t willing to continue to wait any longer, because I’m not empowered right now to continue to drive the change.”
These resignations highlight a much larger problem: the inability of the federal government to hire and retain qualified cyber security leaders. Two months after President Obama pledged to “personally” select someone to be the White House’s cyber security coordinator (AKA Cyber Czar), the position remains unfilled. He said that it was time the country had one official to coordinate against likely future attacks on the nation’s technological infrastructure. One report by Government Info Security says that about 30 people have been considered for the job and yet the position remains unfilled.
Why no takers? What do they know that we don’t? The nation’s security is actually at risk and not having a cyber czar doesn’t help. The continued churn has other concerning implications that point to a much bigger issue.

(Note I use terms like “Agency” and “Organization” in context of the government, however the same concepts can be applied to the commercial world, i.e. CSOs, CTOs in a large corporation)
Just from Kevin’s post and the quoted reports, it sounds like there are three major problems that are detrimental to someone who would hold this position:
1) Responsibility without Authority: Someone in charge of “cyber security” needs the authority to change broken security policy and procedures in the orgs they are responsible for. As a security professional, why would I want to be in charge of and eventually take the fall for something I am not able to control when it doesn’t work?
2) Agency internal self-control: Even with real authority over “cyber security” of other organizations, people at the top of large powerful agencies or departments within agencies tend to resist outside influences perceived as encroaching on their own authority, power, or glory. They may do everything they can to buck or oppose those outside influences for their personal self-interest and ego. These people especially may not want someone coming in and telling them “you’ve been doing this wrong, let’s work on how to improve what you’re doing.” It creates the perception that those responsible for security within their own organizations may be incompetent and therefore feel threatened that they will lose their control, position, or even their job. National security is much more important than this, but the instinct of self-preservation can be very strong. This sort of goes back to the authority thing — these people should not be able to succeed at pushing back against a strong head of “cyber security” without some really good reason.
3) Understanding the problem and the solution: Even when the person/people in charge of “cyber security” may be extremely credible and have real skills in the field of information security, the people both above and below them need to understand the “why” and “how” of security and how it affects them. Someone responsible for “cyber security” needs to be able to communicate this to those people and influence them not just to change/improve their security posture, but to show them and help them understand why those changes and improvements are beneficial to them. It is difficult to serve two masters, especially when they may have differing viewpoints. However one size does not always fit all. A national security adviser and an economic adviser will and should have different viewpoints — they have different needs, as do the many organizations a “cyber security” head will be responsible for coordinating/securing. Balancing and catering to this variety of needs sounds like a daunting task and there are probably a handful of people in this world that could do it well. This is probably the greatest challenge of the position.
My opinion is the “cyber security czar” that can accomplish this third point will find that the first two points will become less of an issue. If authority is not given to them, they can create their own brand of authority by being seen as an advocate for the people within these agencies. This includes having real knowledge of each agency/organization’s needs and providing solutions that reflect and respect those needs. They cannot act as an adversary coming to lay the smacketh down from the White House taking control away from the people in charge of their own little fiefdoms — which is exactly what a “cyber security czar” sounds like.
Great article, Kevin; and great comment, anon. The points discussed in both are a striking parallel to the problem plaguing nuclear weapons security, as well.
She is showing a lot of cleavage for a professional head shot. ???
Why doesn’t anyone wanna be a czar?
You know what happened to the czars, right?
Maybe they should change the title to “cyber scapegoat”.
My take is that this is yet another area where private industry is way ahead of the government and taking this type of Government position is like taking ten really big (think Andre the Giant) steps backwards.…
Why is the NSA not the lead on cyber security?
Thanks gsak
Kevin
The reason this job isn’t getting filled is because a certain agency is stomping around threatening to throw a tantrum unless the czar is someone they own, and this agency hasn’t done anything under either the past or present administrations to get it any new bureaucratic favors on the Hill.
citananon, even if NSA is theoretically the “lead agency” (presumably for response and standards-setting), actually having the entire national cybersecurity strategy run out of NSA, or any other department, pretty much guarantees that it will be the strategy that is in that department’s best interest and defined by its primary responsibilities.
For example, a cybersecurity strategy defined by NSA is going to involve lots of shitting ourselves about Chinese spies, lots of expansion of collection authorities, and nothing about cybercrime or enforcement. If Homeland Security ran it it would be all about having national cyber task force centers with as many DHS-employed people and as much DHS-badged infrastructure as possible and be run by people who don’t actually know anything about the intertubes. If FBI ran it it would be about trying to define new cybercrime legislation and get prosecutions under it, and screw standards-setting, education, and herding industry.
You can’t win by having a department run the show.
Anotheranon, that is a good point and sort of fits into both #2 and #3 of my points in my original post…certain agency sees a threat to its own power, control, authority, etc, add that with the “one size fits all” approach each agency would take to the problem. In your example about FBI vs DHS vs NSA, each agency just wants to take what works in their world and apply it to everyone else. That will surely fail.
REMEMBER we are at WAR, & not in good shape as to CYBER STUFF at all! What is supposed to keep us safe in 2012 is already hacked! There was a FEDERAL COURT CASE involving RAYTHEON & it turned out that the best way to keep stuff secure was not to follow the FED. RULE BOOK (that everyone knew). A PRINCIPAL, OWNER, HERO, WITH TOP CLEARANCE EX-MILITARY KNEW HOW TO DO THE JOB! Maybe the post should be secret, private & given to a TOP MICROSOFT EX-MILITARY ENGINEER with the skills & resources to REALLY DO THE JOB.
These people are all quitting to force Barack to pick someone sooner rather than later. Get their story in the media, get some attention, get an interview showing why you understand the problems better than anyone else, and then get appointed.
Sounds like History repeating again – this sounds exactly like the problems with the Intelligence community – the WH appointed someone to be “DoI” over the CIA, FBI, DOD Intel, NSA, etc., yet since the DoI was from the CIA, the only department that ever listened was the CIA. Problems with InterAgency politics, trust, security levels, etc. prevent there from being a true “Intel Czar” as was intended.
On top of that, by streamlining and standardizing (cyber security, intel ops, etc), it, by design, becomes easier to navigate the whole lot (easier for each department’s employees, easier for the ‘czar’s’ people, and easier for the enemies), which is another thing all departments are against. Not to mention, if something is implemented and fails, it will fail catastrophically affecting the entire lot at once as opposed to being limited to a single department at worst. Sorry I have no suggestions on how to resolve this, other than the ‘czar’ will need to remember (as others have said before me) that they can’t strong-arm their way in – they will have to be equal parts politician and technician, knowing both what must be done, and how to persuade those from each area to implement the common ideas for the common good (without pissing anyone off or making them feel threatened).
This is further evidence of the Administration’s inability to identify the core problems it is facing. There is no experience guiding the Ship of State.
It is a top priority. The NSA has won the bureaucratic turf war, and DHS efforts have been ineffective for a long time.
So, it will be a top priority. And the NSA will do it.