The long awaited release of the President’s Cyber Policy Review on 29 May has been and will continue to be studied by all who are concerned with the issue of Cyber Security. If one wants to dive straight to the heart of the report, it is best to go directly to Chapter VI. Action Plans.
These are presented on two charts at the rear of the report, and they encapsulate, in a very general form, what the Administration must do if they are to have any hope of approaching the lofty goals laid out by the President. I will focus here on the Near-Term Action Plans, and will follow with another posting on the slightly longer Mid-Term Action Plans later. I will list the actual entry, and then offer comments.
1. Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy.
This has been blessed already, short of the actual name. The leading contenders are Melissa Hathaway, Paul Kurtz, and Rod Beckstrom. Larry Summers won the internal argument and got the Cyber manager dual-hatted to the NEC. The key weakness here is that his role is to coordinate, not direct, or truly lead. It is probably the best we can hope for at this time, but not adequate.
2. Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.
This is the long pole in the tent. One hopes that they have already begun this effort. We can ill afford to wait a year to get an actual strategy with which to drive policy.
3. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.
OK, it is officially a management priority, but the metrics are the key. Who writes them and how are they to be enforced?
4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
This is the correct action, but what authority will this official have and will he be distracted with other duties, or do this exclusively?
5. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.
Basically, this says that Cyber will be on the Interagency agenda. It is assumed that it will follow the same procedures (Policy Coordination Committees, Deputies’ Committees, Principals’ Committees, etc) as for other issue sets. It is a mouthful, but it simply means that this will be the daily “meat and potatoes” of policy making in Washington.
6. Initiate a national public awareness and education campaign to promote cybersecurity.
This is a key factor, but will a Directorate in the National Security Staff have the assets (staff and budget) to do this? If not, then who will be the executive agent?
7. Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.
Given the borderless nature of Cyber, this is not merely a throw away to the Dept of State, but a very significant issue. Can we effectively reach out to international partners and organizations before we get our own house in order? I do not think so; without solidifying our ideas, how can we negotiate with others adequately? That said, this is an action we need to pursue.
8. Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement
This must be done. Who leads and who supports in any given scenario (many must be considered) has to be established before any of those events occur. Particularly given the restricted coordination only role given the Cyber Director, this action will be a lynchpin of the policy.
9. In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.
This sounds good, but leap ahead technologies will not be defined first and then developed. They will likely be discovered before we realize we need them. However, some guidance as to areas of research would be helpful.
10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.
This has to be done, but I fear it will be recognized that the tension between security and privacy / civil liberties is not easily mitigated. One side or the other must give some ground.
These ten items will be the crux of the ongoing policy efforts for the foreseeable future. The Obama Administration should be given credit for developing a good outline. It is only a beginning however, and now the real work begins.