As National Cyber Security Awareness Month comes to a close, the debate on who should be America’s lead on cyber security continues unabated. On Monday of this week, the US Air Force suspended its efforts to establish a Cyber Command until its new leadership takes over and determines what course they should take. While the USAF begins to figure out how much of the cyber skies they will end up patrolling, the battle over the civilian side of the America’s cyber house goes on at full throttle.
The latest installment in the debate comes courtesy of an article in Government Computer News reviewing the forthcoming report of the bipartisan Commission on Cyber Security for the 44th Presidency. The Center for Strategic and International Studies (CSIS) has been the point for assembling the Commission’s report, and details on its preliminary findings are starting to come out. Most notable will be its recommendation to make the White House the point for cyber security, not DHS as it is presently under Homeland Security Presidential Directive 23.
While this Commission’s forthcoming recommendation has hardly been a secret, I still scratch my head in wonder and ask “Why?”
The Commission is made up of some of the smartest people in the country on this issue. Yet for all of their intellectual capacity and operational experience on this issue, I am bewildered they would choose a proven path of frustration and futility where failure is not an option.
It is a great campaign line and applause generator to stand up and say that the White House is going to take command on something. Republican or Democrat, we have many examples when Administrations have stood up to say “We are going to run this out of White House because it is important!” The Administration then finds someone with a great name and impressive reputation, dubs them a ‘Czar’ of something and then holds an East Room or Rose Garden ceremony to swear them in and charge them to get going on their mission. At this point the camera flashbulbs go off; the assembled crowd rises up to clap and then a bunch of people go out to talk to reporters about ‘how wonderful this is,’ and ‘what a difference this will make.’
But does it?
If recent history is any indicator, we’ve all been to this picture show before and it was not what we wanted. – I can’t believe folks as smart as this Commission don’t see that.
Cool titles, White House offices and bully pulpits can do many things but they cannot be the game changers without having real authority over personnel, programs and budgets to put real points on the scoreboard. Short of putting this person in OMB where they can tinker and toil with the various federal budgets and move things around, having a White House Czar for Cyber Security is a roadmap for going nowhere.
As the Commission continues to deliberate its findings, are they prepared to recommend how a White House Cyber Czar will have the powers they need to make the necessary things happen?
If so, are they prepared to detail how this person will overrule other federal departments and agencies to do his/her bidding?
Are they going to detail how this person will be able to do this and be subject to Congressional questioning, oversight and redirection?
There are a lot more questions that will need to be asked, but if history is any indicator, ‘Czars’ from both Democratic and Republican White Houses have a very limited success rate.
As profiled in my previous posting on this subject, Tom Ridge’s tenure as America’s first Homeland Security Czar was filled not so much with the challenges of getting his arms around this new innocuous thing called homeland security but rather the frustrations of not having the authorities or abilities to coordinate among the federal components to make America safer.
After nearly a year in the position, he ended up going to then-White House Chief of Staff Andy Card and the President and essentially said, “Ah guys, this isn’t going to work. We need something with teeth if we’re going to make this homeland security stuff work like we want it to.”
As a result, the White House and the Congress created DHS.
While there are those who are quick to pick on the Department’s various fumbles and on-going challenges, it was specifically designed to be a cross cutting coordinating body to secure our national interests across a range of areas.
Isn’t that what we want in cyber?
Isn’t that why we created a National Infrastructure Protection Plan, Sector Coordinating Councils and other focused infrastructure specific mechanisms to bring people from public and private sectors together?
Don’t we already have in place the authorities at DHS to do this type of work?
Why should we risk repeating the same type of frustration and futility by creating a White House Cyber Czar?
Are we so desperate for titles and showcase positions that we overlook real operational components that work and can build towards success?
I don’t think we have time or luxury to travel the same path as before. Cyber is far more complex and frankly more dangerous. Now the keystroke and the malicious code writing are more dangerous and costly than the finger on the detonator or the incoming hurricane.
I have no doubt about the goals of the Commission or its distinguished membership. Those are shared by everyone in this fight but recommending a proven path of ineffectiveness instead of using and strengthening available mechanisms is not the type of recommendation our new President will need.
We have enough work to do in this area. Why would we want to make it harder?