After several weeks of delays, the Obama administration is preparing to release the results of its long-anticipated review of U.S. cybersecurity policy, and with the results, a sketch of billion-dollar bureaucracy that will be created to contain the growing threats to national security, private and commerce.
The review was prepared by Melissa Hathaway, the acting senior director of the National Security Council for cybersecurity and was submitted internally three weeks ago. Since then, NSC officials have been rewriting parts of it, responding to concerns that it did not make clear why previous cybersecurity efforts had failed and why the approach favored by this White House makes more sense.
What that approach will be is the subject of serious speculation. Almost certainly, another "czar" will be created, with staff, and reside in the executive office of the president. That's a mere detail, though, when compared to other questions: does the $50 billion or so that the government plans to spend each year on cybersecurity come from the Pentagon's budget? if so, who controls it? Will the new cybsercurity director be like the "drug czar" and posess a title with little power? Or will the new position take on the structure of the Office of the Director of National Intelligence, which has some budget authority and what the feds like to call "programming power" -- the DNI can point his finger at a problem and direct government resoruces to it.
It's been widely reported that Lt. Gen. Keith Alexander, the Director of the National Security Agency, will recieve his fourth czar by jumping to the new U.S. Cyber Command. Though Alexander has insisted that the NSA doesn't want to be the cybersecurity cop, he also wants to co-locate the cybercommand at NSA headquarters and would people his command by borrowing from existing NSA resources. Conversely, the Department of Homeland Security, the logical office from which to run a domestic cybersecurity task organization, doesn't have a good record of managing new initiatives like this.
Some hybrid is likely; the Pentagon will control large swaths of the budget; the DHS might pay for the salaries of domestic employees; the White House will probably want to retain as much centralizing authority as possible.
That's one reason why the identity of the new cyber security chief will be so key. This person will have credibility among all stakeholders -- the tech industry, civil liberties groups, the military, international organizations -- and will have to have the bureaucratic knowhow to force everyone to work together.
The White House has big plans for cybersecurity, and some will be controversial. At some point, they'll want this new cyber security entity to obtain the authority to shut down servers or websites that pose a systemic risk. Without a good system in place, without a good person to run that system, the chances for abuse, waste and failure are high.
And that's why the White House is reviewing the review so carefully.