Cyber Coordinator Comes Out for Transparency

Howard Schmidt's first speech promises more openness -- but does he need to focus on more urgent concerns?

Howard Schmidt, the cyber coordinator, will deliver the keynote address to the RSA Conference in San Francisco -- his first major speech since taking the difficult job.  The news he's bringing is full of symbolism: he'll announce that the government is revising its classification of the Comprehensive National Cybersecurity Initiative, which outlines the steps the federal government is taking to protect the country from cyber warfare.
The CNCI includes twelve components, including cyber counterintelligence and deterrence strategies. A fuller description of each of the parts will be available to the public for download. The Obama administration has requested nearly $3.6 billion to fund the program. CNCI was developed by the Bush Administration in 2008.

After a lengthy internal debate, it was classified TOP SECRET -- the White House at the time did not have the bandwith to think about a responsible way to release the information at the same time it was fighting to convince Congress to modify the Foreign Intelligence Surveillance Act and was in the process of rewriting the executive order dealing with intelligence activities.

The CNCI funds a number of sensitive projects, including the government's Einstein II technology, which will allow the government to better detect intrusions and disruptions to the "" domain by implementing deep packet inspection nodules and by reducing the number of access points from 8,000 to around 100. Its secrecy has prevented industry and Congress from helping to devise a legal framework to regulate the cyber domain.

A White House official said that Schmidt's remarks today would focus on how transparency and security "go hand in hand," noting President Obama's commitment to an "unprecedented level of openness in government.

"Transparency is particularly vital in areas, such as the CNCI, where there have been legitimate questions about sensitive topics like the role of the intelligence community in cybersecurity," the official said.

Schmidt, on the job since the beginning of the year, was very quiet during the Google/China dust-up.  He was quiet when CNN was aired a two hour simulation on the government's lack of legal architecture to deal with a cyber attack -- an event the administration privately derided as lacking context.

Former Homeland Security Director Frances Townsend, whose office issued the CNCI,  called Schmidt's decision a "good development."

"The public is skeptical when they hear public private partnership and especially so when it involves their communications," said Townsend, now a homeland security consultant.  "Witness the recent Google NSA cooperation. Google built in tremendous protections but that was not the story!"

If the government wants private sector cooperation, "they need to reduce the potential business risk for their private sector partners and this is a good first step," Townsend said.

That his first speech doesn't focus on legal architecture or structure or chain of command will be noticed by front-line warriors.  He focuses instead on "Partnerships and Transparency". Mr. Schmidt seems to be framing the discussion before having the discussion: if you are going to tout partnerships with industry and tout the need for great capability in this area...maybe transparency becomes the necessary counter balance.
But the legal issues are urgent. The government has put out an endless number of reports arguing for a legal framework, and has yet to fill in the details. Exactly what changes are needed? What programs must be funded? Who has liability for mistakes? What can the administration do on its own (through, say, the Office of Legal Counsel at the Department of Justice) and what does it need Congress to authorize?

It has always been easy to write task forces and promise transparency -- and that makes for a good press splash, but the interagency and interbranch slogging is hard.

The head of US CERT oversees the .gov domain for the Secretary of Homeland Security and the head of Cyber Command oversees the execution of military operations in the cyber command.  And the head of NSA oversees the collection and analysis of signals intelligence.  And the Homeland Security Advisor is the President's point man for security issues related to cyberspace.  So...what does Schmidt oversee?  What is he in charge of?  And what is he doing?