- BlogInfoSec.com - https://www.bloginfosec.com -

Cybersecurity Continuity – The Good, the Bad and the Ugly

In the raft of bad news about security cutbacks and missteps, it is refreshing to see that the Comprehensive National Cybersecurity Initiative (CNCI), which I wrote about in my January 13, 2009 column, may well move forward under the Obama Administration.

The good news is that President Obama has asked Melissa Hathaway, as a senior director at the National Security Council, to do a 60-day review of the state of cybersecurity and report back with recommendations. Ms. Hathaway was the cyber coordination executive for the director of national intelligence, and helped develop the original cybersecurity initiative. She is generally recognized for having brought together many disparate government agencies on the issues. Known for her collaboration skills, she is also well respected for her understanding of the issues and what has to be done. You can read more about it in a February 8, 2009 Wall Street Journal article by Siobhan Gorman at http://online.wsj.com/article/SB123412824916961127.html [1]

I was very fortunate to have been invited to participate in a brainstorming session that Hathaway hosted last fall and to see her in action first hand. My confidence index rose considerably when I saw her sincere effort to obtain opinions from a broad range of experts in both the public and private sectors. I am again hopeful that good progress will be made over the next several years in protecting the US critical cyber infrastructure.



The disappointing news was the resignation of Rod Beckstrom on March 5, 2009, about a year after taking on the role of “cybersecurity chief.” This is reported in a March 7 Wall Street Journal article, again by Siobhan Gorman, available at http://online.wsj.com/article/SB123638468860758145.html [2]  Beckstrom’s complaints about what he saw as an inappropriate assumption of power and the resultant reduction in effectiveness of his role is reminiscent of those articulated by colleague Amit Yoran when he resigned in the fall of 2004, also about a year after taking on the role designated by the press as “cybersecurity chief.” Quick observation … Is there something about being in the job for one year that results in resignation? Beckstrom is considered an expert in organizational governance, as warranted by his popular book The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations. However, it appears from his resignation letter that he was stymied by the organizational circumstances which confronted him in his government role.


I met Rod Beckstrom soon after he delivered a keynote address at the inaugural SC World Congress, which was held in New York in December 2008. As an aside, Jennifer Bayuk and Dan Schutzer, fellow editors of the newly released book Enterprise Information Security and Privacy, and I made up a panel at the same conference. Beckstrom presented an interesting model of how to drive cybersecurity through economic incentives. The model was still in its formative stages. It is a pity that the concepts will not be tested in the world that he occupied at the time.


It is indeed bad news when a role of such importance as leading the charge for cybersecurity in the Department of Homeland Security (DHS) has met with so little success. One can argue as to why that might be the case, but there is no argument, in my opinion, about the importance of such a role succeeding.


By the way, Greg Garcia, who was the first presidentially appointed Assistant Secretary for Cyber Security and Communications at DHS, served for more than two years from October 2006 to December 2008, which might be considered a record.


So what is the ugly? The ugly is the current state of national cybersecurity in both the public and private sectors. With so many false starts and organizational hiccups, we are falling behind the bad guys and our adversaries. It does not appear that the latter have had the same issues with regard to sticking with it and making substantive progress.


While it is encouraging to see that we might expect continuity and progress with respect to the CNCI, it is discouraging to see other efforts hampered by political infighting, organizational chaos and dead starfish. We need to get our cybersecurity ducks in order and achieve the overall level of commitment needed to succeed. We cannot afford to squander a single minute in the efforts to establish a secure cyber environment for the nation, critical public and private sectors, organizations and individuals.