Update on Anticipated Appointment of a Cybersecurity Coordinator

Updates a prior post: Anticipated Appointment of “Cyber Czar” on May 29, 2009.

While President Obama has not yet identified the individual who will undertake the position of Cybersecurity Coordinator (which has been referred to recently as a “Cyber Czar”), he apparently confirmed during a meeting of government officials and corporate executives on May 29, 2009, that this individual will be appointed to the staff of both the National Security Council and the National Economic Council. See Cam Simpson and August Cole, “Obama Moves to Curb Data-System Attacks,” The Wall Street Journal, at A9 (June 1, 2009) — You might need a subscription to The Wall Street Journal Online to view this article. As the Wall Street Journal put it, this individual will “effectively serve two masters.” Id. It will be interesting to see how effective this position will be, given the oversight by both agencies.

Related Links:

* President Obama’s remarks during the May 29, 2009 session, which provide a bit more information about the expected responsibilities to be assigned to the position:

“To give these efforts the high-level focus and attention they deserve — and as part of the new, single National Security Staff announced this week — I’m creating a new office here at the White House that will be led by the Cybersecurity Coordinator. Because of the critical importance of this work, I will personally select this official. I’ll depend on this official in all matters relating to cybersecurity, and this official will have my full support and regular access to me as we confront these challenges.

“Today, I want to focus on the important responsibilities this office will fulfill: orchestrating and integrating all cybersecurity policies for the government; working closely with the Office of Management and Budget to ensure agency budgets reflect those priorities; and, in the event of major cyber incident or attack, coordinating our response.

“To ensure that federal cyber policies enhance our security and our prosperity, my Cybersecurity Coordinator will be a member of the National Security Staff as well as the staff of my National Economic Council. To ensure that policies keep faith with our fundamental values, this office will also include an official with a portfolio specifically dedicated to safeguarding the privacy and civil liberties of the American people.” (Emphasis added)

* The report by Melissa Hathaway’s team was released to the public on May 29, 2009, and is available on the White House’s web site. There is also a brief discussion of her remarks during the May 29 meeting on the Briefing Room Blog.

Anticipated Appointment of “Cyber Czar” on May 29, 2009

On May 26, President Obama announced among other things that he was establishing “new directorates and positions within the National Security Staff to deal with new and emerging 21st Century challenges associated with cybersecurity, WMD terrorism, transborder security, information sharing, and resilience policy, including preparedness and response.” Statement by the President on the White House Organization for Homeland Security and Counterterrorism, May 26, 2009.

These new positions directly result from the completion of an interagency cyber-security study that he commissioned on February 9, 2009, “to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector.” President Obama Directs the National Security and Homeland Security Advisors to Conduct Immediate Cyber Security Review, February 9, 2009. The study, lead by Melissa Hathaway, Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils, was to be completed within sixty days.

The White House reported that the study was completed and delivered to White House staff on April 17, and is currently being reviewed. Statement by the Press Secretary on Conclusion of the Cyberspace Review, April 17, 2009. Once the review of the conclusions is completed, the White House “will begin discussing the results.” Id.

During a speech delivered at the RSA Conference in San Francisco in April 22, 2009, Hathaway apparently discussed some of the report’s methodologies and promised that once the report was issued to the public, it would be apparent that significant work would be required to remedy identified concerns. Reports of the speech were published in various places, but notable among them were Government Technology and Fusion Authority.

Finally, according to Information Week, the White House is expected to release the study report to the public on May 29, 2009, at the same time the new positions in the National Security Staff are announced.

CDT Recommended Keeping Advisor Position within Department of Homeland Security

On May 1, 2009, Gregory T. Nojeim, Senior Counsel and Director of the Center for Democracy & Technology’s (“CDT”) Project on Freedom, Security and Technology, testified before a subcommittee of the House Committee on Energy and Commerce on May 1, 2009, arguing that the new positions be created within the Department of Homeland Security, instead of within the National Security Agency (“NSA”). See also Reuters, “Experts: Cybersecurity Czar Needs to Be White House-Based,” published by FoxNews on May 2, 2009; Cong. Rec., Daily Digest, May 1, 2009 at D486 (confirms that hearing was held and that testimony was received by “public witnesses,” but does not identify who testified).

In his printed remarks, Nojeim admonished that the White House’s role in cybersecurity should be limited to “set[ting] policy and direction, and to budget[ing] enough resources for the program” through a newly-created White House office – to ensure transparency in the planning and budgeting phase of the process. Testimony at p. 7. He further argued, however, that as far as cybersecurity operations were concerned, “[t]he lead for cybersecurity operations should stay with the Department of Homeland Security, and the NCSC [National Cyber Security Center] should be provided with additional resources and high-level attention.” Id. at p. 8. He explained in detail why these operations should not be controlled by the NSA, including articulating CDT’s concerns that the NSA’s expertise in “spying” does not “necessarily entail superior expertise in cybersecurity.” Id. at p. 7.

The House Committee on Oversight and Government Reform held a hearing on May 5, 2009 to address “Cybersecurity : Emerging Threats, Vulnerabilities, and Challenges in Securing Federal Information Systems.” Cong. Rec., Daily Digest, May 1, 2009 at D489; see also Daily Digest, May 5, 2009, at D503 (identifying testifying witnesses).

The Senate Committee on Energy and Natural Resources also held a hearing on May 7, 2009 “to receive testimony on a Joint Staff draft related to cybersecurity and critical electricity infrastructure” at which witnesses were to testify by invitation only. Cong. Rec., Notice of Hearings, April 30, 2009, at S4994; see also Cong. Rec., Daily Digest, May 7, 2009 at D520 (identifying testifying witnesses who appeared during the hearing).

Expected Mandate of the CyberSecurity Director (“Cyber Czar”)

On May 26, 2009, after the President’s announcement, FoxNews broadcast its analysis (in video format). The analysis addressed a potentially “broad mandate” to be assigned to this new office, but did not provide any particular detail – presumably because the White House has not yet released any detail about these new positions.

Note that thus far, not only does it appear that a director-level position will be created, but also subordinate positions reporting to the director. It also appears that these positions actually may be created within the NSA, and not the Department of Homeland Security, as the CDT recommended. See Statement by the President on the White House Organization for Homeland Security and Counterterrorism, May 26, 2009.

New Bill Proposed on April 1 Supports Creation of National Cybersecurity Advisor

Several weeks before these announcements, Sen. John D. Rockefeller, IV (D-WV) introduced Senate Bill S. 778 (on April 1, 2009), which proposed certain duties and responsibilities of a “National Cybersecurity Advisor,” including acting as principal advisor to the President on cybersecurity legal issues, reviewing all cybersecurity-related budget requests, directing sponsorship for certain security clearances and employing experts or consultants as needed for “cybersecurity-related work.” S. 778, section 1(b).

An additional proposed duty is particularly troubling from a privacy perspective: “[N]otwithstanding any provision of law, regulation, rule, or policy to the contrary, [the National Cybersecurity Advisor shall] have full access to all Federal cyber-compartmented or special access programs.” While some of the terms in this provision are not defined – notably, “cyber-compartmented . . . programs”– the breadth of this provision and its clear rejection of the authority of other laws seems overreaching, perhaps permitting this Advisor to have unfettered access to certain information that may have been protected from disclosure by these other laws, regulations, rules or policies. Id., section 1(b)(5).

This bill was read twice when it was introduced and referred to the Senate Committee on Homeland Security and Governmental Affairs. Current status of the bill can be found here.

A More Detailed Bill, The Cybersecurity Act of 2009, S. 773

Senator Rockefeller proposed another bill on April 1, 2009: The Cybersecurity Act of 2009, S. 773. This bill identifies a more rigorous cybersecurity plan, including the ability to “declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network” or disconnect these systems or networks in the “interests of national security.” Section 18, paras. 2 and 6.

The breadth of this proposed power to foreclose access to Federal government agency systems is troubling. One hopes that this power to declare an emergency – sufficient to deny access to public services – will not be wielded lightly, especially given the current Administration’s stated interest in providing transparency to government operations. The bill does not provide any guidelines for the identification of such an emergency, or for the determination of how long access should be denied, but it is anticipated that these guidelines will be included in any regulations associated with an act of this nature.

The CDT similarly criticized these powers through Mr. Nojeim’s May 1, 2009 testimony. Testimony at p. 4.

Because S. 773 does not refer to a National Cybersecurity Advisor or the powers intended to be assigned to this Advisor, further discussion of this bill is beyond the scope of this posting.