Risk
11/2/2009
11:01 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Pressure Grows To Name National Cybersecurity Coordinator

Five months after President Obama announced plans to appoint a cybersecurity coordinator, some members of Congress are getting impatient and pressing for action.

Five months have passed, including the just completed "cybersecurity month," since President Obama said that he would hand pick a cybersecurity coordinator for the federal government. That position, however, remains unfilled.

In announcing the newly created position of cybersecurity coordinator on May 29, Obama cited the "critical importance" of securing the United States' cyber infrastructure. The job, he said, would entail "orchestrating and integrating all cybersecurity policies for the government; working closely with the Office of Management and Budget to ensure agency budgets reflect those priorities; and, in the event of major cyber incident or attack, coordinating our response."

Many names have been mentioned as possible appointees to the position, and there have been media reports that an appointment was imminent, yet they haven't panned out.

Some members of Congress are growing impatient. In September, the co-chairmen of the House Cybersecurity Caucus, Reps. James Langevin, D-R.I., and Michael McCaul, R-Texas, said they were "deeply concerned by the delay." The following week, Rep. Ann Kirkpatrick, D-Ariz., urged the quick appointment of the cybersecurity coordinator.

Last month, Rep. Yvette Clarke, D-N.Y., chairwoman of the House Homeland Security Committee's Emerging Threats, Cybersecurity, and Science and Technology Subcommittee, asked members of trade organization TechAmerica to join her in pushing the White House to put a cybersecurity coordinator in place.

Last week, Sen. Joe Lieberman, ID-Conn., joined the fray, announcing that he would introduce a bill with Sen. Susan Collins, R-Maine, that would make the cybersecurity coordinator a Senate-confirmed official. Lieberman said in a press release that the position was needed "to ensure that everyone is working off the same playbook."

Without a cybersecurity coordinator, there's no nexus for government-wide cooperation on cybersecurity and no authoritative voice to speak out on issues such as the security of critical infrastructure or international standards, said SANS Institute research director Allan Paller. "This position matters enormously," Paller said. "It's a big problem not having a White House coordinator."

Despite the delay, the government has taken a number of strong, positive steps on cybersecurity over the past several months, Paller said. The Department of Defense has consolidated cybersecurity efforts under NSA director Keith Alexander and a new cyber command. The Department of Homeland Security has asserted its leadership under Phil Reitinger, deputy undersecretary of the DHS' National Protection & Programs Directorate. And the FBI and Secret Service have ramped up their cybercrime efforts.

In the meantime, Chris Painter is serving as cybersecurity coordinator on an interim basis, on loan to the White House from the Federal Bureau of Investigation, where he worked for years on cybercrime and cybersecurity issues.

Among the names mentioned by various sources as potentially taking the full-time position are Microsoft VP of trustworthy computing Scott Charney, former assistant secretary of Defense Frank Kramer, former White House special adviser for cybersecurity Howard Schmidt, Obama transition team technology adviser Paul Kurtz, and Painter.

Those who have either taken themselves out of the running or are said no longer to be being considered include former Rep. Tom Davis, R-Va., and former top White House cybersecurity official Melissa Hathaway.



InformationWeek Analytics has published a guide to the Open Government Directive and what it means for federal CIOs. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-5075
Published: 2014-12-27
Integer overflow in aswFW.sys 5.0.594.0 in Avast! Internet Security 5.0 Korean Trial allows local users to cause a denial of service (memory corruption and panic) via a crafted IOCTL_ASWFW_COMM_PIDINFO_RESULTS DeviceIoControl request to \\.\aswFW.

CVE-2011-4720
Published: 2014-12-27
Hillstone HS TFTP Server 1.3.2 allows remote attackers to cause a denial of service (daemon crash) via a long filename in a (1) RRQ or (2) WRQ operation.

CVE-2011-4722
Published: 2014-12-27
Directory traversal vulnerability in the TFTP Server 1.0.0.24 in Ipswitch WhatsUp Gold allows remote attackers to read arbitrary files via a .. (dot dot) in the Filename field of an RRQ operation.

CVE-2012-1203
Published: 2014-12-27
Cross-site request forgery (CSRF) vulnerability in starnet/index.php in SyndeoCMS 3.0 and earlier allows remote attackers to hijack the authentication of administrators for requests that add user accounts via a save_user action.

CVE-2012-1302
Published: 2014-12-27
Multiple cross-site scripting (XSS) vulnerabilities in amMap 2.6.3 allow remote attackers to inject arbitrary web script or HTML via the (1) data_file or (2) settings_file parameter to ammap.swf, or (3) the data_file parameter to amtimeline.swf.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.