President Barack Obama has promised to appoint the United States' first chief
technology officer (CTO) as part of his administration. The reaction from many
quarters is that this is a long overdue move -- the country needs a top officer
to ensure that agencies have the right infrastructure, policies and services in
place for the 21st century. However, our most pressing national IT problem is
not so much a lack of vision, but rather a lack of IT security. What the nation
really needs is a chief information security officer (CISO).
Indeed, a number of well-placed IT experts agree, including the authors of
a December report from the Center for Strategic and International Studies (CSIS)
titled "Securing Cyberspace for the 44th Presidency." The report recommends
that the president create a new National Office for Cyberspace, directed by
an assistant to the president for cyberspace -- in effect, a federal CISO.
The Obama administration took many of the CSIS's recommendations to heart,
judging by an outline of its new cybersecurity policy, which was recently posted
to whitehouse.gov. Most notably, this policy calls for the nomination of a national
cyber advisor who will report directly to the president and will be responsible
for the development of national cyber policy.
This is a step in the right direction. However, Obama's policy may not go far
enough to fix the very serious problems with federal cybersecurity. The CSIS
report makes it clear that the national cyber advisor needs real power, and
cannot simply be yet another "czar." Rather, it recommends that the
national cyber advisor oversee a newly created National Office for Cybersecurity
(NOC) within the Executive Office of the President. This office should oversee
FISMA, the Trusted Internet Connections initiative, a new regulatory approach
for cybersecurity, and day-to-day implementation of the new national cybersecurity
strategy. The outlined policy makes no mention of creating such an office.
Also, the new policy outline does not cover securing the Supervisory Control
and Data Acquisition (SCADA) systems that control the vital physical infrastructure
of industrial operations such as power generation, water treatment and oil and
gas pipelines. The interconnected nature of our national infrastructure opens
up new possibilities not just for stealing information, but also for wreaking
real physical havoc, and the line that separates a nation's physical security
from its cybersecurity has largely disappeared.