The Public Eye with Eric Chabrow


Has Cybersecurity Been Overstudied?
Melissa Hathaway Claims Past Recommendations Have Been Ignored
Melissa Hathaway speaking at a Harvard-MIT cybersecurity conference. (Photo: Belfer Center)

Has cybersecurity been overstudied by the U.S. federal government and its stakeholders?

Melissa Hathaway, who served presidents George W. Bush and Barack Obama as a top cybersecurity adviser, points out that over the past decade, more than 100 recommendations on improving the cybersecurity of government and the private sector have come from Congress, presidential studies and private-sector think tanks (see Obama's Cyber Review Leader on What's Ahead for Trump).

But for the most part, those recommendations have not been implemented, she points out. "They have consistently called for the need for leadership, follow-through and operationalization of the policies," says Hathaway, a senior adviser on cybersecurity at the Harvard Kennedy School's Belfer Center for Science and International Affairs.

Heavy Load

Hathaway says the cybersecurity executive order signed by President Donald Trump on May 11, which directs the government to further study the problem, will add dozens of new reports in 14 areas (see Trump Finally Signs Cybersecurity Executive Order).

"This will require every agency to dedicate precious and shrinking resources - time and personnel - to develop these plans, delaying and possibly distracting these agencies from their current cybersecurity activities and operations," Hathaway says.

Hathaway is a veteran of cybersecurity strategy development. In February 2009, a new president - Obama - tapped Hathaway to conduct a policy review that became the basis of the Obama administration's cybersecurity policy.

She acknowledges that modernizing government IT is "desperately needed" and is consistent with congressional initiatives. "It is essential that we clean up our infected infrastructures," the former presidential adviser says.

"It is clear that cybersecurity is an important priority to President Trump," Hathaway says. "I am happy to see new initiatives along with continuity of some of the important activities that commenced under Presidents Obama and Bush."

Hathaway created a table that lists the new executive order's 14 requested reports, deadlines to complete the studies, lead agencies overseeing the studies and the recipients of the reports. The primary recipient for most of the reports is Thomas Bossert, assistant to the president for homeland security and counterterrorism. Bossert's portfolio includes cybersecurity.

Reports' Deadlines

| Report | Timeframe | Lead Agency | Recipient |
|---|---|---|---|
| Risk Management Report (using NIST Framework) | 90 days | All agencies | OMB |
| Governmentwide Risk Assessment | 150 days | OMB with support from DHS, DoC, GSA | Assistant to the President for Homeland Security and Counterterrorism (APHSCT) |
| Modernizing Federal IT - Shared IT Services | 90 days | DHS, OMB, GSA, DoC | Director, American Technology Council |
| Modernizing Federal IT - Shared IT Services for National Security Systems | 150 days | DNI and DoD | Assistant to the President for National Security Affairs (APNSA) and APHSCT |
| Supporting and Engaging Section 9 Entities - Cybersecurity Risk Management | 180 days (report annually) | DHS with others | APHSCT |
| Market Transparency for Critical Infrastructure Entities | 90 days | DHS and DoC | APHSCT |
| Increase Resilience to Automated Distributed Threats (Botnets) (Draft Report) | 240 days | DoC and DHS | Public report |
| Increase Resilience to Automated Distributed Threats (Botnets) (Final Report) | 365 days | DoC and DHS | POTUS |
| Assessment of Electric Sub-sector Incident Response Capabilities | 90 days | DOE and DHS | APHSCT |
| Risks to Defense Industrial Base, Including Supply Chain | 90 days | DoD, DHS, FBI with support from DNI | APNSA and APHSCT |
| Strategic Options for Deterrence | 90 days | DoS, Treasury, DoD, AG, DHS and USTR | APNSA and APHSCT |
| International Cybersecurity Priorities | 45 days | DoS, Treasury, DoD, DoC, DHS, AG, FBI | POTUS |
| Engagement Strategy for International Cooperation | 135 days | DoS | APHSCT |
| Cybersecurity Workforce Strategy | 120 days | DoC and DHS, with support from Labor, Education, OPM | APHSCT |
| Cybersecurity Workforce Strategies of Other Nations | 60 days | DNI | APHSCT |
| Cyber Capabilities Assessment | 150 days | DoD | APHSCT |

Source: Melissa Hathaway


About the Author

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.