The White House has postponed the rollout of Michelle Hathaway's national cyber security review for scheduling conflicts, we were told last week. As of this morning, the administration offered no guidance about the announcement, or whether any concrete policy recommendations will accompany it.
Judging from Hathaway's remarks last week, administration officials aren't ready to make the key decisions, including budget size, procurement procedure, operational authority, scope and even how best to sell the new entity to the public. Major defense and IT contractors may be frustrated with the lack of detail.
From press reports and some of my own reporting, it does appear that the governing authority for cyber security will rest within the White House, that he Department of Homeland Security will be tasked with creating, from the existing National Cyber Security Center, a large operational entity, and that NSA will play a significant support role.
Various cyber security elements from across the government, with the notable exception of the Department of Defense, will be pulled into this new entity.
If this assemblage -- a new White House chief overseeing patched-together government agencies not directly under his or her control -- sounds familiar, it's because it reminds may in the national security community of the process through the Office of the Director of National Intelligence was created.
Struggles with Congress, the Defense Department, the CIA and other members of the intelligence community made the office much less bureaucratically relevant than it used to be. In theory, Dennis Blair is the President's chief adviser on all intelligence matters and supervises operations and analysis and some fusion centers. Blair has more authority than President Bush's first DNI, John Negroponte, but there remains duplication and inefficiency. (When John Brennan was advising Obama on intelligence matters during the campaign, he regularly pitched the idea of significant ODNI reform.)
So -- the fears, to put them more concretely, are: Congress will never give the cyber security person the authority she or he will need won't fund the agency properly, and various other government entities, like DoD's cyber command and NSA, not to mention the various cyber security elements of Commerce, OSTP, etc. - will not play along. And since time is of the essence, the Defense Department (and the NSA) will simply assume much of the responsibility over time because they're funded and equipped to handle it.