Obama on cybersecurity: We're not that prepared

President announces new White House cybersecurity coordinator job, which has not been filled, and says feds will not monitor private sector Internet communications.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
4 min read

President Obama on Friday said the U.S. government is "not as prepared" as it should be to respond to disruptions caused by computer or Internet attacks and announced that a new cybersecurity coordinator position would be created inside the White House staff.

The still-to-be-named coordinator will oversee a new bureaucracy tasked with digital infrastructure protection, which had previously been handled by the Department of Homeland Security. "We will ensure that these networks are secure, trustworthy and resilient," Obama said. "We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage."

Obama's announcement, which was expected, came as the president released the outcome of a 60-day review that sought to rethink how the federal government should address cybersecurity. Business groups had sought to raise cybersecurity's profile in the administration but remained wary about regulatory mandates from Washington; security hawks would prefer the new bureaucracy to have more authority over the private sector.

The final report represents a political compromise. It suggests "intrusion detection and prevention systems" and "warning of cyber intrusions and attacks," while stressing that collaboration with privacy groups and industry is vital. New laws compelling companies to share more information with the federal government about intrusions may be necessary, it says, but only "as a last resort."

During his remarks in the White House's East Room on Friday, Obama also seemed to seek a balance between warning of the dangers of terrorists or other miscreants using the Internet and saying the government will not go too far. "Our pursuit of cybersecurity will not -- I repeat, will not include -- monitoring private sector networks or Internet traffic," he said.

The report also goes out of its way to recognize the civil liberties concerns that could arise by a greater focus on private networks: the word "privacy" appears no fewer than 69 times in the document.

In a cybersecurity "crisis," the plan is for the coordinator to become the "White House action officer for cyber incident response." That's a similar role to the White House officials who help to monitor terrorist attacks or natural disasters. (The new coordinator's fiefdom will be shared between the National Economic Council and the National Security Council.)

While there has been some private grumbling that the new coordinator will not report directly to the president -- a prized symbol of access in Washington circles -- reaction to the administration's announcement was generally positive.

Senators John Rockefeller (D-W.V.) and Olympia Snowe (R-Maine), members of the Commerce and Intelligence committees, said in a statement that "no other president in American history has elevated this issue to that level and we thank (Obama) for his leadership." The Center for Democracy and Technology said it "is evident that the report's authors listened to the concerns of privacy and civil liberties groups."

Cybersecurity headaches
The origin of many of the feds' cybersecurity headaches can be traced back to the process that led to the creation of the Department of Homeland Security nearly seven years ago. Politicians in Washington, D.C. decided to glue together a medley of federal agencies to create a massive bureaucracy that would, as one of its new goals, provide a better focus on cybersecurity.

"Our pursuit of cybersecurity will not -- I repeat, will not include -- monitoring private sector networks or Internet traffic."
--President Obama

"The department will gather and focus all our efforts to face the challenge of cyberterrorism," President Bush said when signing the 500-or-so-page bill into law in November 2002. "This department will be charged with encouraging research on new technologies that can detect these threats in time to prevent an attack."

Some tasks might benefit from centralization in one of the world's largest bureaucracies. But it soon became evident that cybersecurity was not one of them. By 2005, government auditors concluded that the department failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies; as recently as last fall, DHS Secretary Michael Chertoff said his agency needed to develop a plan to respond to a "cybercrisis."

That led some outside groups to argue that cybersecurity efforts should be taken over by the National Security Agency, which already is responsible for protecting government computers through its "information assurance" arm, or perhaps the White House staff.

Lending an unusual spice to what would normally be a quiet, internecine power struggle was March's resignation of Rod Beckström, director of Homeland Security's National Cybersecurity Center. In his farewell letter, Beckström blasted what he said was an NSA power grab, saying the secretive military agency "effectively controls DHS cyber efforts through detailees, technology insertions."

The week before Beckström's resignation, Director of National Intelligence Admiral Dennis Blair suggested to a House committee that the NSA was ready for the job, saying "there are some wizards out there at Fort Meade." But a few weeks later, after a congressional hearing that was hardly enthusiastic about the idea, NSA director Keith Alexander denied his agency had any interest in the job.

In February, Obama ordered a 60-day review of the federal government's cybersecurity efforts, and appointed Hathaway -- who had worked for the director of national intelligence in the Bush administration -- to lead it.

In addition, The New York Times reported on Friday that the Pentagon is preparing a new military command for cyberspace that would operate in parallel with the civilian effort that Obama is expected to announce. He is "expected to sign a classified order in coming weeks that will create the military cybercommand" and recognize "that the United States already has a growing number of computer weapons in its arsenal and must prepare strategies for their use," the newspaper said.

During Friday's remarks, Obama noted that his campaign had been the subject of a cyber intrusion in which hackers accessed policy papers and travel plans but not fundraising data.