Hathaway RSA Remarks Praised Inside BeltwayStrong Commitment to Cybersecurity Seen
In San Francisco, conference attendees expressed disappointment that Hathaway, who last week handed President Obama her two-month study on federal government cybersecurity policy, only hinted at the details of her report.
Understanding how government works, those with extensive Washington experience were more sympathetic. "Clearly Melissa was asked by the administration not to provide any details on the specific recommendations provided in the report prior to them being vetted by the administration," said independent consultant Richard Spires, former deputy commission and CIO at the Internal Revenue Service.
Karen Evans, the federal government's de facto CIO till this past January, said Hathaway's appearance before the RSA Conference will help advance the administration's cybersecurity agenda. "For her not to be at the conference of this importance would send the wrong message," said Evans, who's official title was administrator of e-government and IT in the White House Office of Management and Budget. "Her presence alone signals and confirms the importance of this issue and the future initiatives it will generate by the administration"
Ray Bjorklund, chief knowledge officer of government IT advisor FedSources concurred, saying that administration event planners probably thought she'd be able to disclose more details when they first scheduled her appearance weeks ago. "Sometimes, when you get to the end of a study, you may not have a real story or at least a story that can be told publicly," Bjorklund said. "It was the right time for her to speak, despite the dearth of information. If she hadn't, there may have some perception of a compromise in Obama's transparency initiatives."
What did D.C. insiders see as the most important part of Hathaway's message?
For Evans, it was Hathaway's remark that information sharing is key to prevent, detect, respond to and recover from cyber attacks. "Information sharing needs to happen to make this effort succeed for all of the nation," Evans said. "To truly address this effort, a cultural shift will need to occur not just with technologists but with the nation as whole. With the sharing of the necessary information, we will be able to shift from the current environment of attempting to recover to new environment of detection and prevention and then taking action through appropriate channels if necessary."
Spires noted Hathaway's allusion to a White House organizational structure to effectively address cybersecurity matters, a position he strongly supports. "The implications for our government and nation to this growing threat need to be addressed at this highest level," Spires said. "Policy guidance with individual agencies addressing information assurance is a patchwork approach that has proven not to be effective. Frankly, many agencies just do not have the expertise to effectively address the threat. A government-wide approach and priority focus will be required. In addition, a process that will enable agencies to get the help and expertise they need to implement government-wide solutions will be critical to success."
Bjorklund said Hathaway's assessment of a lack of coordinated efforts as a key point in her address. "By that, I don't just mean who's in charge," he said. "I mean all the statutory and regulatory authorities. In some ways the laws and rules have become as convoluted as the tax code. It's going to take a while to unravel, clarify and condense them so everybody operates in this domain more effectively."
Hathaway's speech left Bjorklund with the impression that the government will not have an unlimited budget for cybersecurity. "Increasingly centralized management of a portfolio of cybersecurity initiatives from the White House may facilitate budgetary controls, but it may also stifle innovation," he said. "I know she was asking industry to help, but what will be the first telephone number to call if they want to help."
Greg Garcia, Homeland Security's assistant secretary for cybersecurity and communications in the Bush administration, harkened back to his RSA Conference presentation in 2007, saying Hathaway's themes echoed the ones he made: "I didn't quote Poe and Emerson, however; I think I quoted Susan B. Anthony: 'Failure is impossible.' So I agree with these words completely. Now the veracity is in whether the Obama Administration can pick up where we left off implementing those words, and improve upon the organization and execution of a national cybersecurity success."
Asked if anything Hathaway said was surprising, Evans replied: "That she has three Blackberries and one pager."