Hathaway’s departure renews worries about cyber-czar vacancy

The resignation of Melissa Hathaway, the Obama administration’s acting senior director for cyberspace and her decision not to seek the permanent White House cyber coordinator position have brought increased scrutiny on how the administration is accomplishing its ambitious plans to secure cyberspace.

The news on Aug. 3 that Hathaway would be stepping aside on Aug. 21 came after months of speculation about whom President Barack Obama would pick to fill the permanent cyber coordinator position that he pledged in May to establish. That position remains vacant and some observers have been disappointed with the time it’s taken Obama to make his pick.

James Lewis, director of the Center for Strategic and International Studies’ (CSIS) technology and public policy program, said it’s not clear if there are any leading candidates for the job. The people the administration wants for the position don’t want the job, and the people who want the job, the administration doesn’t want, he said.

The Washington Post cited an unidentified former government official as saying that 30 people had been interviewed for the position in an article Aug. 4 that featured comments from the outgoing Hathaway. The article quoted Hathaway as saying, "I wasn't willing to continue to wait any longer because I'm not empowered right now to continue to drive the change."

Meanwhile, a White House spokesman said in an e-mail message Aug. 3, “The president is personally committed to finding the right person for this job, and a rigorous selection process is well under way.”

However, Lewis said there’s a real concern that the person selected won’t have the ability to do what needs to be done.

Hathaway led the Obama administration’s 60-day review of cybersecurity policy while on detail to White House from the Office of the Director of National Intelligence where she has served as senior adviser and cyber coordination executive to the Director of National Intelligence. She also played a leading role in coordinating the Comprehensive National Cybersecurity Initiative started by the George W. Bush administration.

The White House spokesman also said the administration was grateful for Hathaway's "dedicated service and for the significant progress she and her team have made on our national cybersecurity strategy.” Hathaway also drew praise from cybersecurity experts. 

Meanwhile, Lewis said the cybersecurity coordinator situation confirms to members of Congress that they need to act on cybersecurity. However, he said those efforts will come after lawmakers consider health care and energy legislation.

Rep. Bennie Thompson (D-Miss.), the chairman of the House Homeland Security Committee, said in a statement he’s “troubled with the apparent loss of momentum on cybersecurity, an issue that is critical to our national and economic security.”

Sen. Susan Collins (R-Maine), the ranking member on the Senate Homeland Security and Governmental Affairs Committee, has previously expressed concern about the administration’s plans to appoint a White House official to oversee cybersecurity efforts. She said in a statement that Hathaway’s departure “underscores the continued lack of leadership within the Obama administration on cybersecurity issues.”

“The administration should take this time to reconsider the merits of putting a cyber czar within the White House – with no operational authority and shielded from congressional oversight,” she said. Collins added that the administration should instead work with Congress to “establish an effective, accountable cyber leader” at the Homeland Security Department.

However, many cybersecurity experts have said a coordinator position at the White House is needed.

The White House spokesman said cybersecurity is a “major priority,” which is why shortly after taking office, Obama directed the National Security and Homeland Security Councils to conduct the cybersecurity review. “The White House released the [cybersecuity review] report and announced the creation of a cybersecurity coordinator who will have direct access to the president and that the Obama administration is pursuing a new comprehensive approach to securing America's digital infrastructure,” he added.

On May 29, Obama said he would set up a new White House cybersecurity office to be led by a coordinator whom he will select and depend on for all matters relating to cybersecurity.

Roger Thorton, chief technology officer and founder of Fortify Software said in an e-mail message that the security industry is anxious to see who is appointed as the cyber coordinator. In another e-mail message, John Stewart, chief security officer at Cisco, praised what Hathaway had accomplished and said the next person should build upon the work already started and accelerate it. "We only have so much time, and we need to get this right."

Karen Evans, former administrator of e-government and information technology at the Office of Management and Budget and now a partner at KE+T Partners, said she thought the cyber coordinator “would help with clarification and ensure that agency concerns as they go forward with their implementation are brought forward into the broader policy discussions and formulations that happen within the White House.”

However, Evans said, even without the coordinator position filled, agencies should still be working to improve cybersecurity.

“The agencies are good at moving forward and executing to make sure that they get their mission done, and I don’t think anybody would disagree that cybersecurity from an operational perspective is important to make sure that they’re protecting data,” Evans said.

In a recent blog post Evans wrote for GovInfoSecurity.com, she said, “If agency [chief information officers, chief information security officers] and others responsible for securing government IT are awaiting the appointment of the cybersecurity coordinator to get their marching orders, they're wasting time. In reality, what will happen in the White House in the coming weeks will have little or no bearing on what agency security managers must do now to perform their jobs.”

CSIS’ Lewis said a lot of the authority that people thought would be with the cyber adviser has gone to the Homeland Security Department, the Defense Department, and OMB. “But the coordinating function just isn’t there yet,” he said.

“DHS and DOD are trying to do new things, so they're the ones really moving the ball,” Lewis said. “OMB is turning out to be the place that’s setting the agenda for how this administration will use IT.”

However, Lewis said OMB hasn’t done much on cybersecurity so far because he thinks they keep expecting to see the cyber adviser arrive.

Alan Paller, director of research at the SANS Institute said the main problem is that Aneesh Chopra and Vivek Kundra, Obama’s chief technology and chief information officers, respectively, may delay pressing improved cybersecurity as an agenda to avoid pre-empting the new cyber coordinator’s efforts.

“That could be a big problem if it lasts,” Paller said in an e-mail message.