Cybersecurity czar has the right idea: Give up on centralized security

Melissa Hathaway, the White House’s acting cybersecurity czar, confirmed to the Wall Street Journal that she has resigned. Hathaway, who had recently taken herself out of the running for a permanent appointment to the job, only claimed “personal reasons.” But it’s more likely that her most earnest recommendations weren’t the answers the Obama administration wanted.

Hathaway had advocated rolling up more power and setting policies to improve IT defenses at a high level in the government. That approach is the opposite of Internet culture’s firm belief in decentralization.

After taking office in February, Hathaway oversaw a 60-day study of the Federal government’s cyberspace defense policy that concluded in April. The Obama administration seems to be stuck trying to figure out what to do with the report. Its conclusions, however carefully worded, say that the only way to effectively protect U.S. networks from attack would be to “lead from the top,” meaning that the government should take a much stronger hand to coordinate public and private sector resources as a singular whole. Says the report:

“The review team found that … missions and authorities were vested with various departments and agencies by laws and policies enacted to govern aspects of what were then very diverse and discrete technologies and industries. The programs that evolved from those missions were focused on the particular issue or technology of the day and were not necessarily considered with the broad perspective needed to match today’s sweeping digital dependence.”

The report says the government needs to answer the question, “Who is in charge?” It talks about “unifying mission responsibilities” and observes that this is already the government’s direction:

In 2007, the Comprehensive National Cybersecurity Initiative (CNCI) took a different approach. Core to this strategy is the “bridging” of historically separate cyber defensive missions with law enforcement, intelligence, counterintelligence, and military capabilities to address the full spectrum of cyber threats from remote network intrusions and insider operations to supply chain vulnerabilities.

What’s not spelled out here is that implementing this vision would mean government regulation of at least some private sector resources, to force them to get with the program. That, the Journal reports, made Bush-era holdover Hathaway unpopular with Obama’s people.

It would be easy to deem Hathaway’s recommendations as a power grab. But no, her report recommends that the cybersecurity czar’s role be that of a coordinator and facilitator, rather than a policy-setter or regulator. Yet the report also concludes there’s no way for the government to shore up national IT defenses without more centralized authority and a singular mission statement for every public and private network.

More likely, the opposite will happen. Decentralized organization is practically a religion on the Internet. Regulation of private sector networks is something the Obama administration wants to avoid. That’s why the administration has been fussing over the final wording of the report since April.

Hathaway’s abrupt resignation probably signals her recognition that the whole concept of a cybersecurity czar was misguided. “The status quo is no longer acceptable,” said the executive summary of her report. “Leadership should be elevated and strongly anchored within the White House to provide direction, coordinate action, and achieve results.”

Instead, both the Bush and Obama administrations shoved cybersecurity down under layers of bureaucracy, and dithered on what actions to take. Hathaway told the Washington Post today, “I wasn’t willing to continue to wait any longer, because I’m not empowered right now to continue to drive the change. I’ve concluded that I can do more now from a different role.”

Here’s an alternative take on that: Our string of cybersecurity czars, who resign at an abnormally high rate, have figured out that what the government can do to secure cyberspace is … nothing. Neither the computer networks nor human organizations cited in the official definition of cyberspace in Hathaway’s report were designed for top-down regulation. Federal oversight works for airports, but not for the Internet. In cyberspace, the best thing the government can do is what Hathaway just did: get out of the way.