Will a “Chief Information Security Officer” secure the US government?
Date: 2016-05-09   Author: Ariel Rabkin   Source: American Enterprise Institute (United States)
The United States is soon to have a “Chief Information Security Officer” (CISO). The position was announced this past February; the White House has completed its search for candidates and claims that its choice will be announced within the next few weeks. The position will be located within the Office of Management and Budget, and it will serve as liaison between the White House and the many computer security officers and experts within the government.

Will it do any significant good? My sense is that it will not. The winning job candidate will lack staff, access, and authority.

According to the job description, the new official has three basic duties: advising the White House, coordinating existing agency CISOs, and providing “oversight of relevant agency cybersecurity practices.” The White House already has a “Special Assistant to the President and the Cybersecurity Coordinator.” It is unclear whether the new official will supplement or subsume the existing post, and it is also unclear why the new official would be more successful.

The new CISO does not control an organization. While they might have a small personal staff, there has been no mention anywhere of building a centralized security oversight organization. As a result, the advice they give (and the oversight they conduct) will be limited by the time and expertise of the CISO and just a few other people. This means that they will be necessarily more in the role of passing along advice and analysis from others, rather than generating original insights. To the extent that the White House needs more advice than current federal talent can supply, the new official will not close the gap.

The new CISO does not report directly to the president. Rather, they are overseen by “the Office of the Administrator, Office of E-Government and Information Technology” in the Office of Management and Budget. That puts an awful lot of offices between the CISO and the power to actually give orders to a government department. If the new CISO objects to something, they may not have enough visibility and clout to have their concerns considered and addressed.

Furthermore, the relationship between the new CISO and existing federal agency CISOs is ambiguous. The new official is tasked with ensuring “effective coordination and alignment among agency CISOs” by engaging with “other committees as appropriate.” One can imagine substantial friction and delay if the new CISO tries to impose their will on recalcitrant agency CISOs. These officials, after all, work for their agency heads and not for the US CISO; press coverage suggests that agency CISOs envision the new CISO being more of a committee chair than a boss.

While the new official may do more good than harm, this post is not the major reform that federal information security clearly needs. For some years, we have had a “special advisor and coordinator” for computer security. Moving those tasks into OMB and changing the title from “Czar” to “CISO” is not a major reform. What we need is not primarily a “chief” information security officer, but a suitable staff of subordinate security officers. We need an agency responsible for federal information security that can take responsibility for strategic technical decisions and that can oversee agency security policy. Appointing a third-level administrator in the OMB is a sign that security is a niche function and not a major priority.

The Obama administration is leaving office in just over seven months. Any CISO appointed this close to the end of an administration is not going to be in a position to conduct major reforms. If we are fortunate, the new official will spend much of their limited time studying the problems of federal IT. The most useful thing the CISO could supply is a proposal for how to replace their current office with a better-designed one.

This post was originally published on TechPolicyDaily.