Who runs cyber policy?

Who runs cyber policy?

Whether it’s Chinese hackers breaking into the Gmail accounts of leading dissidents, or Russian hackers sniffing around the Pentagon, the cyber wars are heating up. Barack Obama entered office vowing to wage them more effectively than ever before.

"From now on, our digital infrastructure — the networks and computers we depend on every day — will be treated as they should be: as a strategic national asset," Obama said in May, "Protecting this infrastructure will be a national security priority."

So, is the United States finally getting its act together?

The short answer is yes, but there’s much more to be done, and the Obama administration’s first-year efforts have been undermined with infighting, sudden resignations, and some confusion about who is doing what. The administration has vastly increased the resources dedicated to cyber security, completed a full internal review, and moved to reform the bureaucracy. But there are still large gaps between the level of the threat and the government capability to meet it, as the actors inside the system jostle for positioning and power.

"This administration has paid more attention to the problem than any proceeding administration, but they’re just at the starting point so we’ll have to see how it all fits together," said James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies.

Any discussion of Obama era cyber policy has to begin with the Defense Department, the part of government with the most resources, the most vulnerable assets, and the most power and influence over the issue. Leading that effort politically is Deputy Secretary Bill Lynn, who is not well known as a "cyber guy" but has taken a personal interest in the issue and is extremely active. As the most senior government person with direct involvement, he gives DoD top cover and profile, and is also heavily involved in the creation of DOD’s new Cyber Command, which will be based at Fort Meade, the home of the National Security Agency, expected to open soon.

Lt. Gen. Keith Alexander, the head of the NSA, will lead the Cyber Command, assuming he gets confirmed by the Senate. When that happens, almost all of DoD’s cyber resources will fall under his purview, greatly increasing the already hefty cyber portfolio he had at NSA, which houses the government’s most secret cyber warriors, the guys who go on offense against international threats.

Also crucial to mention is Gen. James Cartwright, the vice chairman of the Joint Chiefs of Staff and former commander of Strategic Command, where many cyber attacks are defended. Cartwright has been talking about what he calls the "dysfunctional" U.S. approach to cyber security for years and he’s regarded as a smart, independent, and important voice inside the Pentagon.

The non-military networks, which DoD doesn’t control, fall to the Homeland Security Department, which has had a rough time on cyber policy in its first years. When DHS’s cyber czar Rod Beckstrom resigned last March after only a year, he blamed the NSA in his resignation letter for not cooperating with him and seeking to hoard the issue inside DOD.

DHS is also supposed to be forging the relationships between the the government and private corporations to share info on cyber attacks. That initiative is led by Deputy Under Secretary Phil Reitenger, who works under Rand Beers and is aided by former Office of Management and Budget official Bruce McConnell and Rear Adm. Mike Brown.

Outsiders lament that Reitenger, a former Microsoft executive, has announced no real policy on the issue and few public-private partnership exist. Google is working on cooperation with the NSA, but some observers believe companies are wary of linking with DHS because that department is so dependent on contractors, which might be sharing intel with their competitors.

McConnell provides DHS with a valuable link back to OMB, a link the DHS folks will need if they plan to fund their expansion of cyber efforts, which could include 1,000 new cyber personnel. Brown, who is expected to move at some point over to the new Cyber Command, is credited with greatly improving the management of the effort at DHS but is not really a policy guy, per se.

Over at the White House, the president finally named Howard Schmidt as the new cyber coordinator in December after reportedly offering the position to over two dozen people who turned it down. Schmidt, the holder of two degrees from the University of Phoenix,is said to have lobbied hard for the job. Bush holdover Melissa Hathaway, who led the Obama administration’s review, had been expected for the role, but quit the administration shortly after the review came out.

Insiders said that Hathaway had personality clashes both with her staff and with the administration, leading them to tell her she would not be appointed, which prompted her resignation. "She talked herself out of the job by fighting with everyone," one insider said.

One Bush era holdover who is still on the job is Schmidt’s deputy Chris Painter, who was acting coordinator after Hathaway left. A former Los Angeles criminal prosecutor, Painter became famous when he brought down notorious cyber hacker turned consultant Kevin Mitnick. Painter also worked at the Justice Department, giving him a great sense of the legal issues involved in cyber security.

Painter’s other claim to fame is his work with a cyber official everyone praises, the FBI’s Sean Henry. The pair took the initiative to build bilateral agreements with a host of countries to allow cooperation on investigating and prosecuting cyber crimes. Henry is also said to have brought the FBI’s cyber operation into the 21st century and was recently promoted to head up the FBI’s Washington field office.

Other notable Obama-era cyber officials Vivek Kundra, the Federal Chief Information officer, Robert "Bear" Bryant, the cyber counterintelligence guru who runs the Office of the National Counterintelligence Executive, Chief of Naval Operations Adm. Gary Roughead, who leads a nation-wide cyber recruiting effort, and the State Department’s Chief Information and Security Officer John Streufert, who is credited with reducing cyber risk by moving State towards a paperless cyber system so that files could be updated in real time.