Risk
11/2/2009
11:01 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Pressure Grows To Name National Cybersecurity Coordinator

Five months after President Obama announced plans to appoint a cybersecurity coordinator, some members of Congress are getting impatient and pressing for action.

Five months have passed, including the just completed "cybersecurity month," since President Obama said that he would hand pick a cybersecurity coordinator for the federal government. That position, however, remains unfilled.

In announcing the newly created position of cybersecurity coordinator on May 29, Obama cited the "critical importance" of securing the United States' cyber infrastructure. The job, he said, would entail "orchestrating and integrating all cybersecurity policies for the government; working closely with the Office of Management and Budget to ensure agency budgets reflect those priorities; and, in the event of major cyber incident or attack, coordinating our response."

Many names have been mentioned as possible appointees to the position, and there have been media reports that an appointment was imminent, yet they haven't panned out.

Some members of Congress are growing impatient. In September, the co-chairmen of the House Cybersecurity Caucus, Reps. James Langevin, D-R.I., and Michael McCaul, R-Texas, said they were "deeply concerned by the delay." The following week, Rep. Ann Kirkpatrick, D-Ariz., urged the quick appointment of the cybersecurity coordinator.

Last month, Rep. Yvette Clarke, D-N.Y., chairwoman of the House Homeland Security Committee's Emerging Threats, Cybersecurity, and Science and Technology Subcommittee, asked members of trade organization TechAmerica to join her in pushing the White House to put a cybersecurity coordinator in place.

Last week, Sen. Joe Lieberman, ID-Conn., joined the fray, announcing that he would introduce a bill with Sen. Susan Collins, R-Maine, that would make the cybersecurity coordinator a Senate-confirmed official. Lieberman said in a press release that the position was needed "to ensure that everyone is working off the same playbook."

Without a cybersecurity coordinator, there's no nexus for government-wide cooperation on cybersecurity and no authoritative voice to speak out on issues such as the security of critical infrastructure or international standards, said SANS Institute research director Allan Paller. "This position matters enormously," Paller said. "It's a big problem not having a White House coordinator."

Despite the delay, the government has taken a number of strong, positive steps on cybersecurity over the past several months, Paller said. The Department of Defense has consolidated cybersecurity efforts under NSA director Keith Alexander and a new cyber command. The Department of Homeland Security has asserted its leadership under Phil Reitinger, deputy undersecretary of the DHS' National Protection & Programs Directorate. And the FBI and Secret Service have ramped up their cybercrime efforts.

In the meantime, Chris Painter is serving as cybersecurity coordinator on an interim basis, on loan to the White House from the Federal Bureau of Investigation, where he worked for years on cybercrime and cybersecurity issues.

Among the names mentioned by various sources as potentially taking the full-time position are Microsoft VP of trustworthy computing Scott Charney, former assistant secretary of Defense Frank Kramer, former White House special adviser for cybersecurity Howard Schmidt, Obama transition team technology adviser Paul Kurtz, and Painter.

Those who have either taken themselves out of the running or are said no longer to be being considered include former Rep. Tom Davis, R-Va., and former top White House cybersecurity official Melissa Hathaway.



InformationWeek Analytics has published a guide to the Open Government Directive and what it means for federal CIOs. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6278
Published: 2014-09-30
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and m...

CVE-2014-6805
Published: 2014-09-30
The weibo (aka magic.weibo) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6806
Published: 2014-09-30
The Thanodi - Setswana Translator (aka com.thanodi.thanodi) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6807
Published: 2014-09-30
The OLA School (aka com.conduit.app_00f9890a4f0145f2aae9d714e20b273a.app) application 1.2.7.132 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6808
Published: 2014-09-30
The Active 24 (aka com.zentity.app.active24) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.