Governance & Risk Management

Hathaway: White House Must Lead in Cybersecurity

Scant on Detail, Speech Points to Future Policy
Hathaway: White House Must Lead in Cybersecurity
Obama administration cybersecurity advisor Melissa Hathaway, in her much anticipated speech before the RSA Conference on Wednesday, suggested that the findings of a study she submitted Friday to President Obama calls for cybersecurity policy to be run from the White House.

"The White House must lead the way forward with leadership that draws upon the strength, advice and ideas of the entire nation," said Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils.

Scant on details, Hathaway in her 2,400-word speech did not explain how federal cybersecurity should be governed, even if it's based in the White House.

Two months ago, President Obama charged Hathaway to head up a team to review current cybersecurity policies and processes.

"It can be said that the federal government is not organized appropriately to address this growing problem because responsibilities for cyberspace are distributed across a wide array of federal departments and agencies, many with overlapping authorities and none with sufficient decision authority to direct actions that can address the problem completely," Hathaway said. "We need an agreed way forward based on common understanding and acceptance of the problem."

Hathaway said the team she assembled addressed all missions and activities associated with the information and communications infrastructure, including the missions of computer network defense, law enforcement investigations, military and intelligence activities and the intersection of information assurance, counter intelligence, counter terrorism, telecommunications policies and general critical infrastructure protection. Task force members held more than 40 meetings with different stakeholder groups during the 60 days and received and read more than 100 papers that provided specific recommendations and goals, she said.

"We identified over 250 needs, tasks, and recommendations," Hathaway said. "We also solicited input from government departments and agencies on their specific cyber activities, authorities, and capabilities and requested them to identify any new or existing requirements that may not have been identified as part our initial inventory."

In what she described as a 60-day movie trailer, Hathaway teased the assembled with these general conclusions of her report:

  • It is the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and to ensure that the United States and the world can realize the full potential of the information technology revolution.

  • This responsibility transcends the jurisdictional purview of individual departments and agencies because, although each agency has a unique contribution to make, no single agency has a broad enough perspective to match the sweep of the challenges.
  • It requires leading from the top -- from the White House, to Departments and Agencies, State, local, tribal governments, the C-Suite, and to the local classroom and library.

  • The national dialogue on cybersecurity must advance now. We need to explain the challenges and discuss what the Nation can do to solve problems in a way that the American people can appreciate the need for action.

  • The United States cannot succeed in securing cyberspace if our government works in isolation. Cyberspace knows no boundaries. There is a unique opportunity for the United States to work with countries around the world to make the digital infrastructure a safe and secure place that drives prosperity and innovation for all nations.

  • The federal government cannot entirely delegate or abrogate its role in securing the nation from a cyber incident or accident. The Federal government has the responsibility to protect and defend the country, and all levels of government have the responsibility to ensure the safety and well-being of citizens. The private sector, however, designs, builds, owns, and operates most of the digital infrastructures that government and private sector use in concert. The public and private sector's interests are intertwined with a shared responsibility for ensuring a secure, reliable infrastructure upon which businesses and government services depend. Information is key to preventing, detecting, responding to and recovering from cyber incidents. Again, this requires evolving our partnerships together. Government and industry leaders, both here and abroad, need to delineate roles and responsibilities, balance capabilities, and take ownership of the problem to develop holistic solutions. Only through such partnerships will the United States be able to enhance cybersecurity and reap the full benefits of the digital revolution.

  • Building toward the architecture of the future requires research and development that focuses on game-changing technologies that could enhance the security, reliability, resilience and trustworthiness of our digital infrastructure. We need to be mindful of how we, government and industry together, can optimize our collective research and development dollars and work together to improve market incentives for secure and resilient hardware and software products, new security innovation, and secure managed services.
"Cyberspace won't be secured overnight and on the basis of one good plan," Hathaway said. "As they say, this is a marathon not a sprint. But with this review, we have taken the first steps to make real and lasting progress. Sixty days' work is just the beginning of the beginning, and the pace for this marathon we're now running is one that we'd best set to ensure we have the legs to make it over the finish line. "Being in security, I've learned that security is just that, a marathon...and here in San Francisco, you can well appreciate it being an uphill run."

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.