The departure last week of a senior civilian cybersecurity official just days after a well-publicized denial-of-service attack has increased jitters about the whether the Obama administration is devoting enough bandwidth to the issue.
Yesterday, Steven P. Bucci, a former Deputy Assistant Secretary of Defense, Homeland Defense who oversaw cybersecurity efforts at the Pentagon during the Bush administration, took to Twittering: "The continuing exodus of cyber sec leaders from the Obama Admin is even more vexing given the POTUS's emphasis on the key area. What is up?"
Earlier this week, the Navy's chief information officer said that a White House-level coordination was needed -- and soon.
In interviews, officials acknowledged that the delay in appointing a cyber security coordination director at the National Security Council has contributed to the perception that the White House is a few nodes short of a hub.
"We can't get this done soon enough," a White House official said last week. Another official said the delay was less significant than it seemed, noting that the National Security Council convened a top-level meeting last week on cybersecurity to review the status of classified cross-government collaboration.
In the presence of a leadership vacuum, the Department of Homeland Security is bolstering its ranks and streamlining its cyber chain of command. Last week, DHS Secretary Janet Napolitano drew chuckles at a cybersecurity conference in Washington when she suggested to a group of private sector consultants that she was coming to recruit away their best talent.
But Napolitano was being serious: according to a DHS spokesperson, the department expects to employ twice as many as cybersecurity staffers by the middle of next year.
DHS recently convinced Bruce McConnell, a well-regarded industry mandarin, to return to government after 15 years in the private sector. He is now the counselor to the DHS's protections and programs directorate, which oversees its cybersecurity center. Coordinating DHS cybersecurity efforts is Philip Reitinger, formerly a senior Microsoft executive. In a bit of consolidation, Reitinger is also the director of the National Cyber Security Center, reporting directly to Napolitano and to her chief counselor, Rand Beers. A third hire from industry is Greg Schaffer, the former chief risk officer for Alltel Communications.
Still, the resignation announcement last week of the head of DHS' U.S. Computer Emergency Readiness Team, Mischel Kwon, underscores the challenge DHS faces.
For months, Kwon, like other cybersecurity officials, had been courted by private companies. The pace of the revolving door between government and industry is especially quick in this arena, and given the choice between a government bureaucracy where progress was slow and incremental and a plum assignment at RSA, a leading infrastructure protection company, the choice for Kwon was obvious. Unfortunate timing: her resignation letter leaked the day after Twitter, which hosts a large cadre of cyber security wonks, experts and officials -- grumpy or otherwise -- was hit with a distributed denial of service attack.
The potential for brain drain is real. Contractors will staff many user-end positions, and companies like CACI and General Dynamics are aggressively seeking to hire cyber-wise experts, luring them with the promise of salaries and perks that the government can't offer. Niche companies like Cyber Coders are already struggling to handle the demand from the military alone.
Nick Shapiro, a White House spokesperson, said that Kwon's departure was not related to the recent resignation of Melissa Hathaway, who had coordinated a cybersecurity review for the National Security Council. Hathaway was detailed to the White House staff from the Office of the Director of National Intelligence, and that secondment expired last week.
According to an administration official, Hathaway was not a finalist for the NSC cybersecurity post. But she did want the job, and her bosses at the NSC apparently did not inform her that she was not in contention.
Administration officials said that some of the president's top national security advisers, including John Brennan, the counterterrorism chief, were disappointed that Hathaway's 60-day policy review, announced with much fanfare, posed questions that it did not answer; the public release of the document was scheduled -- and delayed -- at least twice while it was rewritten.
One key recommendation that was changed: Hathaway's team wanted the cybercoordinator to report directly to the president. Her report, when released, recommended simply that the official have "direct access" to the president, which, in bureaucratese, is less impressive. Hathaway's defenders noted that she had a tiny staff -- fewer than 10 people -- and an entire government to cover in less than 60 days.
Whoever gets the White House job will coordinate policy across the government without having budget authority. The three major government domains are not integrated. Dot.gov is now protected by the DHS, dot.mil, which is protected by the National Security Agency, and dot.ic, a sub domain used by intelligence agencies and falls under the purview of the ODNI.
Civilian cybersecurity experts worry that the savvy, lumbering giants -- the NSA and the military -- are outfoxing the much newer DHS, which to them is troubling because they don't believe the military culture of secrecy is well-suited to the more transparent realm of cyber-infrastructure protection.
DHS uses NSA technology to protect the dot.gov domain now, but it remains firmly in control of how the technology is used. Still, NSA is adding cybersecurity staff as quickly as -- if not more quickly than -- DHS, and cyber security officials inside and outside government worry that unless the White House asserts its management prerogatives, NSA will win internecine battles by default.
As for how DHS formally interacts with the Pentagon's cyber command, a DHS official concedes that "the answer to the question isn't known yet."
Shapiro, the White House spokesman, in a statement, said that "the President is personally committed to finding the right person for this job, and a rigorous selection process is well underway."