The Cyber Coordinator: Let the Dog Bite

Former New York Mayor Rudy Giuliani has been tapped to be the President’s new “cyber security czar.”  The appointment has been met with trepidation among those in the information security business who point out Mr. Giuliani’s lack of expertise in anything cyber-related, despite being Chair of the Cybersecurity, Privacy and Crisis Management Practice at a Miami-based law firm and advising companies on information security since 2002.  In fact, critics cite recent reporting revealing that passwords used by Giuliani and 13 other top staff members have been leaked in mass breaches of websites like LinkedIn, MySpace, and others between 2012 and 2016.

Former Czars’- was there any impact on cybersecurity posture?

However, there is little evidence to suggest that the two prior individuals occupying the position – one of which whom had substantially more cyber security experience – has had any noticeable impact in the improvement of the United States’ overall cyber security posture.  In a September 2016 Commission on Enhancing National Cybersecurity meeting, it was found that “responsibility, accountability and capability” were poorly aligned in cyber security policymaking up to that date.  

As noted, the first Cybersecurity Coordinator (2009-2012), Howard Schmidt, had extensive experience in information technology and security, serving as the director of information security, chief information security officer, and chief security officer at Microsoft.
In addition, during his career Schmidt served in many senior roles both in the private and public sector in similar capacities.  Schmidt was succeeded byMichael Daniel, a 17-year veteran of the Office of Management and Budget (OMB). Previously, Daniel worked on cyber issues in OMB’s intelligence branch – albeit from mostly a policy side – for more than 10 years, before assuming the position in which he has served until the recent Giuliani appointment.

Despite both previous czars having practical technological and policy background in cyber security, there appears not to have been any significant advances to improve the cyber security posture of the United States, particularly on the government side of the house.  Indeed, during Schmidt’s tenure, while a National Cyber Security Institute report card covering the period 2009-2010 gave the U.S. government passing marks for strategic planning-related and performance metrics activities, the study revealed that it fared poorer in the implementation of these activities.

Not so much… (according to official reports)

During Daniel’s tenure, a U.S. Government Accountability Office (GAO) reached a similar conclusion finding that between 2013 and 2014, most agencies had the necessary policies in place for managing risk but the number of agencies that reported deficiencies in their handling of information security controls was a “material weakness” or a “significant deficiency.”  Similarly, while a February 2015 Office of Management and Budget report on a 30-day cyber sprint for federal agencies showed improvement (specifically, in getting two-factor authentication for privileged users, most agencies were still vulnerable to the most common cyber attacks.  A 2016 report by Sentar, an organization helping businesses and government entities in leveraging advanced technologies, echoed these sentiments, ranking the U.S. government last of 18 industry verticals in cyber security.  

But is lack of expertise the biggest setback in this position or more of a lack of authority?   As a former mayor of the largest city in the United States, Giuliani served in the executive branch of government, administering all city services, public property, police and fire protection, most public agencies, setting and allocating budgets, and enforcing all city, state and federal laws.  His job was to ensure that the city fulfilled its duties under the law and exercised its powers. As an executive of a city, a mayor wields substantial influence and authority over a city.  

Criticism over Cyber Coordinator roles and responsibilities

The Cyber Coordinator has been more of a policy position without any day-to-day authority over any of the groups working on cyber security.  Critics have pointed out that while the Cyber Coordinator can make recommendations, the position has no direct authority as far as budgeting is concerned, nor can the position compel agencies to comply with guidelines.  This seems to be the biggest point of failure about the position: the inability of the dog to supply the “bite” to its “bark.”  What happens is a repeated failure of agencies in implementing guidelines and recommendations set forth by the Coordinator or organizations such as the GAO, OMB, and the National Institute of Standards and Technology.  This conclusion was echoed in a 2015

What happens is a repeated failure of agencies in implementing guidelines and recommendations set forth by the Coordinator or organizations such as the GAO, OMB, and the National Institute of Standards and Technology.  This conclusion was echoed in a 2015 GAO report that focused on U.S. agencies’ need to correct weaknesses and fully implement security programs.  Even Schmidt acknowledged after his resignation that U.S. cyber security efforts suffer from a lack of execution, and that many organizations have the capability do what is necessary, but lack the focus in following through on those capabilities.

Case and point: in the aftermath of the June 2015 OPM hack, the American Federation of Government Employees and National Treasury Employees Union announced they were suing OPM on behalf of its combined 450,000 members, alleging that that the agency knew for years that its network security was weak and vulnerable, but failed to do anything about it.  Bolstering this claim is the February 2015 report in which OMB found OPM consistently at the bottom of basic security standards.  Similarly, the Internal Revenue Service experienced two significant data breaches in 2015 and 2016, a disconcerting revelation considering that the IRS has been frequently cited as struggling the same serious cyber security issues for years, according to a 2014 report prepared by the Minority Staff of the Homeland Security and Governmental Affairs Committee.  Indeed, a 2016 GAO report focusing on the information security practices of the IRS concluded that the agency still needed to place taxpayer and financial data at risk.

Conclusion

Therefore, it appears that it may not really matter if a knowledgeable “1s” and “0s” cyber security official helms the Coordinator position, a policy wonk, or an individual well-versed in managing large, multi-sectional enterprises.  Without the proper authorities in place to compel agencies toward significantly improving their cyber security postures through enhanced defensive practices, policy mandates, and/or budgetary penalties, the Coordinator will largely remain a symbolic figure.  

This is the part that has to change; it’s not the type of people that have been selected, it’s the fact that the position itself lacks clear goals about what it’s supposed to do and how it’s supposed to do it successfully. This position needs to either have more power or at least be extremely influential with the individual (e.g., the President) or entity that does have power.  

Otherwise, it will be another four years of tolling the bell of cyber security with fewer people and organizations listening to its call.

This is a guest post written by Emilio Iasiello.