Jeffrey Schwartz, Contributing Writer
November 29, 2023
Lack of transparency with third-party suppliers is companies' biggest cyberthreat, says CIGI's Melissa Hathaway. Source: Harvard Kennedy School Belfer Center
Melissa Hathaway hasn't shied away from advising corporate boards and government leaders on cybersecurity policy since leaving the White House a decade ago. Hathaway, a former National Security Council Cybersecurity Chief, served in two administrations, leading the Comprehensive National Cybersecurity Initiative for President George W. Bush, and launching President Barack Obama's Cyberspace Policy Review.
Currently a member of the Centre for International Governance Innovation's board of directors, Hathaway recently spoke about current digital risks at a CIGI conference last month. Hathaway also provides consulting services as president of Hathaway Global Strategies, and most recently, was tapped by data protection vendor Commvault to chair its newly formed Cyber Resilience Council. During a meeting in New York City, Hathaway shared her views on the latest global cybersecurity threats from China and Russia, and the impact of the war in Israel.
Dark Reading: How would you compare today's threat landscape to when you were working for the White House over a decade ago?
Hathaway: Ransomware is on the rise, and it has become very sophisticated. Now you can encrypt 50 terabytes of data in less than five minutes, and all an intruder needs is one path in. A lot of really destructive, malicious software is being developed, and proof pointed over in Ukraine, such as the wiper virus attacks that we saw against Viasat. You're also starting to see the infections of low-level botnets capable of high-volume distributed denial-of-service attacks. I'd say, though, the biggest problem is that companies don't have enough transparency into the dependencies of their third-party suppliers. The path into most of the companies right now, if it's not an unpatched system, is through their third-party suppliers.
DR: Such as software supply chain vulnerabilities?
Hathaway: Yes, but it doesn't have to be just that. It could be the trusted supplier who didn't patch their own infrastructure, and they're the pathway in, not just the product that was bad, like what we're dealing with right now with Cisco IOS.
DR: What's your take on President Biden's approach to cybersecurity?
Hathaway: The new White House strategy is focused a lot on making companies more responsible for not only their product and introducing secure development lifecycle, but also making them more responsible for their governance and enterprise risk management. And that's been needed for more than a decade. I think that this administration is really focused on making corporates responsible.
DR: Would you say this White House is doing more than previous administrations?
Hathaway: They're just taking a different approach. The Biden administration is focused on a regulatory approach which previous administrations never took.
DR: And do you think that's a good thing?
Hathaway: In 2010 I wrote that there was an important moment for the SEC, FCC, and FTC to own their authorities to get to resilience. But I think that there's a challenge when you have all the regulators going in different directions. It puts an undue cost on industry. And so there has to be some harmonization of the regulatory frameworks that the administration is pushing. But that's difficult to do. One, it requires strong leadership and understanding of how the government works. Two, it requires getting those regulators to potentially cooperate and coordinate, and they don't necessarily have it within their remit to do that. And then third, you have to decide which problem you want to solve first, second, and third.
DR: With the current policies that are being laid out and proposed, to what effect do you think the outcome of the next presidential election could change those policies if there is a change in administrations?
Hathaway: You have the new SEC Rule and it took almost 13 years to get that rule in place. If another administration were to come in, regardless of party, and wanted to change direction, it would be very difficult to change the regulations and the laws in this country. A new president could come up with another executive order or policy, but those are very difficult. I mean, it's easy to write, but then it's all about the execution. And there's really no penalties associated with those, even within the government.
DR: What are your concerns about China as a threat?
Hathaway: They are a leading cyber power and probably have more manpower for meeting their overall national objectives than we do in the US or anywhere. Part of that is a percentage of the population, but they have made it a strategic priority as part of their five-year plan, and as part of their overall strategies.
Among their strategies, they are using one industrial espionage [element] that was featured on 60 Minutes just two weeks ago, with the Five Eyes. Industrial espionage has been going on for more than a decade, and they're continuing to move that path forward.
Through the Belt and Road Initiative, they are positioning their national champions for the delivery of telecom, data services, and other things. And they are one of the leading providers in the Global South. And that's all part of their economic strategy and changing some of the global, I would say world order of things.
They're also leading in central bank digital currencies. They saw Bitcoin as an opportunity, and they started their policy development and experimentation with it more than about a decade ago. And now they've since rolled out a CBDC [central bank digital currency], and they have more than 300 million people using it. If you start to think about that [as] a transition in the financial services systems around the world, they've got an interbank digital currency exchange that's outside of the US dollar through the CBDCs. And so, they have a longer-term strategy.
DR: What can policymakers do about that?
Hathaway: We have to look at Russia, China, Iran, [and] North Korea in different lenses. They are worthy opponents. And it's not like they're second rate, they're actually all first rate in different categories. And that requires us to think about things differently. Some of the initiatives of the Biden administration are important, like secure development lifecycle, which means your code better be good. We've got too many bad products in the market that are easily exploitable. We need to really be thinking about the next generation standards — we lost on 5G, are we going to lose on 6G too? And that requires us to really think about international standards differently.
I think we also need to be thinking about what are some of the cases that we're going to have to be thinking about — when you move to 5G and you're moving to the cloud, and you've got autonomous everything, you're going to have edge compute — that's going to have a whole very different set of policies on that data movement, from my driverless car to your driverless car, and what's processing them at the edge, so neither of us will have a problem. We're not really addressing that security, the data security, data privacy, the data movement, and this edge processing that's going to go forward. That requires us to really think about a different architecture about resilience, safety, privacy, and security. And that conversation I don't really think has started in our country, and we need to start it now.
DR: Has the war in Israel already changed the equation of the threat landscape?
Hathaway: Absolutely. I think things are unstable. It adds three things: First, you're starting to see new malicious software being developed and I would say swift synthetic media, deep fakes, and other things. It's causing a lot of confusion, but there's a lot of experimentation happening from a lot of groups, not just Hamas or Hezbollah — there's a lot of experimentation happening with, I would say, the malicious activities' disinformation as well as malicious software.
I think second, we're going to see a supply chain disruption of the Israeli IT and cyber industry that I don't think we've thought through what's going to happen. As you mobilize 300,000 reservists, some of which are in that industry, some of these industry providers are going to have a slowdown or a disruption. So, we have to think through that.
Israel is a leading innovator in some of these things; I think that there's going to be a supply chain disruption coming because they are a leader in IT.
Third, I just worry about the overall stability of the region; we've got a lot of geopolitical instability [and] too much around the world right now.
DR: Obviously, there are a lot of Israeli cybersecurity companies or even companies like Microsoft, Check Point, Google, and many others.
Hathaway: Well, you have the tech innovation center at Beersheba, but then you have a very large IT tech cyber industry in Israel that serves and works and partners with all Silicon Valley, and Seattle, Boston, and such. So, I think that there's going to be a disruption that we need to anticipate because this war is not going to be done anytime soon.
About the Author(s)
Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.