Posted by: Keith Epstein on February 9, 2009
She’s not quite a cyber czar yet, but Melissa Hathaway – a top cybersecurity advisor who helped craft a multibillion dollar, partly clandestine initiative to defend the nation’s computer networks from hacking, espionage and theft – has been asked by President Obama to review the federal government’s computer security practices and policies.
Hathaway is a protégé of former National Intelligence Director Mike McConnell. After bringing her with him from Booz Allen Hamilton into the Bush administration, McConnell kept her under tight reins, though she acquired many supporters among network security consultants. Until late in the Bush administration, McConnell allowed Hathaway to speak only in classified settings.
In one of her first public speaking engagements, to a cyber security commission that has made a number of recommendations to the Obama Administration, her rundown of threats and calls for a meaningful response was met with enthusiastic applause from a roomful of security consultants, government officials and high-level military officers.
Hathaway knows better than many within the federal government the extent to which recurring intrusions afflict both government and corporate networks, at times compromising not only private and proprietary information but also national security.
She was privy to many of the details, and as head of a National Cyber Study Group urged costly improvements – among the Bush administration’s so-called 12-point Comprehensive National Security Initiative. Many of its provisions are classified, but BusinessWeek in April 2008 provided some details of the $30 billion effort.
One unanswered question is how much authority Obama will give to cybersecurity officials such as Hathaway. The President promised during the campaign to create a new top-level White House position, and many insiders anticipate that Hathaway will become that “cyber czar.” That could happen, though in her current role, she’ll work at the National Security Council as a senior director but be a few steps below Obama in the chain of command. She has 60 days to make recommendations to Obama.
During the presidential campaign, Obama said he took hacking threats as seriously as nuclear or biological weapons and vowed to make cybersecurity “the top priority that it should be in the 21st century.” If so, his request that Hathaway review cybersecurity and make a recommendation in two months indicates a more methodical response than the rapid one many tech professionals expected.
Some security professionals are applauding Hathaway’s selection. “An excellent choice,” says Tom Kellermann, a member of the U.S. Commission for Cyber Security, which made recommendations to Obama after dozens of open and closed-door meetings with top officials and cybersecurity specialists in 2008. “This is a significant step in reversing the tide of cybercrime and cyberwarfare.”
But a key question is whether Hathaway – or any eventual “cyber czar” – will have sufficient authority across bureaucratic boundaries to make a difference; after all, recent cyber intrusions have demonstrated that sophisticated hackers bound traditional frontiers with disturbing ease.
“I would have hoped that she would directly report to the President and/or the Cabinet,” says Kellermann, vice president of security awareness at Core Security Technologies. “But alas Ms. Hathaway is a seasoned Washingtonian who can affect change – change which will proactively restructure the defenses of our nation’s critical infrastructure.”
Hathaway has argued for heightened international cooperation on cybersecurity, and emphasized the need to work more closely with the private sector. “The same devices that thieves use to sneak into bank accounts, the same techniques that hackers use to disrupt Internet service or alter a digital profile, are being used by foreign military and spy services to besiege information systems that are vital to our nation’s defense,” she has written. “Because defense and other national security contractors share data and systems with their government partners, an attack on one can be an attack on many.”