Hathaway team working on national cybersecurity plan

The team that conducted the 60-day review of government cybersecurity policy is following up with a national incident response plan and efforts to untangle legal hindrances to improved security.

The Cyberspace Policy Review released by the White House last month was only the beginning of an effort being driven by President Barack Obama to reshape and strengthen the nation’s cybersecurity, according to Melissa Hathaway, who headed up the review.

Hathaway, acting senior director for cyberspace for the National and Economic Security Councils, said today her team plans to produce a comprehensive national incident response plan by the end of the year that will guide response to the cyber equivalent of a major natural disaster. The team also will be working to unravel the overlapping and sometimes contradictory laws and regulations identified in the study that get in the way of effective cooperation and responses to cyber threats.

“You can expect a dialog on this issue with the private sector,” Hathaway said at the Symantec Government Symposium in Washington. “You will also see us working with Congress because many issues will require a legislative fix.”

As a result of the Cyberspace Policy Review, Obama announced last month the creation of a White House office of cyberspace coordinator, who will oversee government cybersecurity policy.

Hathaway on June 12 told Defense Systems' sister publication, Federal Computer Week, that she is a candidate for the White House cybersecurity coordinator position. According to Hathaway, officials hope to select a cybersecurity coordinator in the coming weeks, but no definite date had been set.

“In the coming weeks there will be an announcement of a cyberspace coordinator,” Hathaway said. She said the president is personally engaged in the selection, which should be made soon.

The efforts reflect what Hathaway called an “unprecedented level” of presidential leadership in cybersecurity. It is being established as one of Obama's management priorities, which means performance metrics are being established that will make department heads, not just chief information officers, accountable for their agencies’ security posture.

Hathaway illustrated the scope of the cybersecurity issue with a familiar litany of challenges. The Internet and its associated information infrastructure now underpin much of the global economy and are essential to continued economic growth. However, it has expanded in scope and functionality at a pace that has outstripped efforts to secure it.

“It is not secure enough nor is it resilient enough to move us forward,” she said. “We are faced with a dangerous combination of known and unknown vulnerabilities.”

The infrastructure is being challenged and attacked not by amateurs, but by professional criminals and spies backed with substantial resources.

There are no coordinated plans for protecting the critical infrastructure or responding to incidents, either by government or the private sector, she said. At the same time, three of the most important initiatives in moving the nation’s economy ahead — building out universal broadband networks, a smart energy grid and electronic health records — are all threatened by these vulnerabilities and exploits.

“These are some of the things that keep the president up at night,” Hathaway said.

The incident response plan will be vetted by the Homeland Security Department and private industry, and Hathaway said a wiki might be established to allow the private sector to collaborate in its development.

Difficult issues of liability and confidentiality will have to be resolved to enable the kind of public/private partnership that everyone agrees is necessary to improve cybersecurity. “We can no longer talk about a public-private partnership, but need to act on it,” she said.

Greater international cooperation also is needed, and achieving this will require establishing common standards of behavior in cyberspace. Norms need to be established for defining criminal activity, warfare and terrorism, so that appropriate responses can be agreed upon, she said.

And to achieve all of this, a greater pool of manpower and expertise is required. Educational efforts must be extended past universities into primary and secondary schools to provide an adequate flow to the pipeline.