Computerworld online –
The Bush administration plans to create a board of senior national security officials to oversee the federal government's critical infrastructure protection efforts, effectively doing away with the idea of designating a single cybersecurity "czar," sources said.
The move was said to have been agreed upon during a July 2 meeting with President Bush, who gave National Security Adviser Condoleeza Rice and other officials the green light to prepare a draft executive order setting up a Cybersecurity and Continuity of Operations Board. The sources said the meeting lasted for more than an hour, after initially being scheduled for 20 minutes, and resulted in a proposed plan that's now being circulated for agency comment.
A final version of the order is expected later this year. Sources on Capitol Hill, who asked not to be identified, said the proposed structure eliminates the notion of giving cybersecurity responsibility to one official in favor of appointing a board with representatives from the Defense, State and Commerce Departments plus the intelligence community and other agencies.
Richard Clarke, the longtime national coordinator for security, infrastructure protection and counterterrorism at the White House, is seen as the leading contender to be named chairman of the proposed panel. Under the new structure, Clarke would likely give up his counterterrorism role in favor of exclusive cybersecurity duties, according to the sources.
Ken Watson, director of critical infrastructure protection at Cisco Systems Inc. and president of the private-sector Partnership for Critical Infrastructure Security (PCIS), said the general reaction from corporate officials to the draft presidential order has been positive.
"No single government agency can do all that's needed [to protect technology infrastructures], especially when that includes liaison with industry, oversight of federal budgets and international cooperation," Watson said. "We [think] that a board headed by a presidential adviser provides the right breadth and emphasis."
Kim Kotlar, an assistant to Rep. Mac Thornberry (R-Texas), said establishing a high-level cybersecurity office would be a good first step in the government's effort to tackle the issue. However, "there are many unanswered questions on how such an organization would work and what its mission would be," she said.
The new plan also leaves open the option of allowing the tenures of the National Infrastructure Assurance Council (NIAC) and the National Security Telecommunications Advisory Committee (NSTAC) to expire on Oct. 1, according to sources familiar with the draft order. Just before he left office in January, former President Bill Clinton appointed 21 people, many of them longtime Democratic Party supporters, to the NIAC. Terminating those appointments would simply be a way for the Bush administration to put its own team in place, the sources said.
Harris Miller, president of the Arlington, Va.-based Information Technology Association of America and a member of the NIAC, said he would still prefer to see Bush name a cybersecurity czar in order to give companies and trade groups a single point of contact on security issues.
But the proposal to create a centralized, coordinated security effort based in the White House "makes sense" if done properly, Miller added. "The crucial challenge of this effort will be to ensure that the leadership from the White House is meaningful and that a new 'talking shop' is not created where problems are discussed, but solutions not found," he said.
Sources close to the White House said the executive order is likely to be issued in September, when the next version of a national plan for protecting information systems is scheduled for release. The update is supposed to further refine how the federal government and the private sector should cooperate on IT security.
However, the sources said publication of the next version of the national plan, which is being prepared by PCIS members with coordination by the Commerce Department's Critical Infrastructure Assurance Office, will likely be delayed in order to allow the proposed new board to put its own imprint on the document. The plan was initially released in January of last year.