Federal Internet Law & Policy
An Educational Project

Cybersecurity :: White House

Dont be a FOOL; The Law is Not DIY

"The Administration already has established an Information and Communications Infrastructure Interagency Policy Committee (ICI-IPC), chaired by the National Security Council (NSC) and Homeland Security Council (HSC),19 as the primary policy coordination body for issues related to achieving an assured, reliable, secure, and survivable global information and communications infrastructure and related capabilities." [2009 Review 7]

White House has proposed the position of a Cybersecurity Czar / Coordinator

"The President should consider appointing a cybersecurity policy official at the White House, reporting to the NSC and dual-hatted with the NEC, to coordinate the Nation's cybersecurity-related policies and activities. This individual would chair the ICI-IPC and lead a strong process in consultation with other elements of the EOP to resolve competing priorities and coordinate interagency development of policies and strategies for cybersecurity.20 The cybersecurity policy official should participate in all appropriate economic, counterterrorism, and science and technology policy discussions to inform them of cybersecurity perspectives.

"To be successful, the President's cybersecurity policy official must have clear presidential support, authority, and sufficient resources to operate effectively in policy formulation and the coordination of interagency cybersecurity-related activities. The cybersecurity policy official should be supported by at least two Senior Directors and appropriate staff from the NSC and at least one Senior Director and appropriate staff from the NEC. These directorates would report through the cybersecurity policy official and work together in pursuit of the goals set forth in this paper and established as national policy. In addition, to achieve additional scale and integration across the NSC, each NSC regional and functional directorate should designate an individual to be responsible for following cybersecurity-related issues in the directorate's portfolio and coordinating with the directorate for cybersecurity.

"The cybersecurity policy official should not have operational responsibility or authority, nor the authority to make policy unilaterally. Using interagency coordination processes, the cybersecurity policy official should harmonize cybersecurity-related policy and technology efforts across the Federal government, ensure that the President's budget reflects federal priorities for cybersecurity, and develop a legislative agenda, all in consultation with the Federal government's Chief Technology Officer and Chief Information Officer-along with the appropriate entities within the Office of Management and Budget (OMB), the Office of Science and Technology Policy (OSTP), and the NEC.

"This appointment also would make crisis management more effective by establishing the cybersecurity policy official as the White House action officer for cyber incident response (a similar role to the action officers who help the White House monitor terrorist attacks or natural disasters); departments and agencies would continue to perform their operational roles.

"To facilitate coordination, all federal departments and agencies should establish a point-of-contact in their respective executive suites authorized to interface with the White House on cybersecurity related issues.

"The cybersecurity policy official-through the interagency policy development process-should prepare for the President's consideration an updated national strategy to secure the information and communications infrastructure. The strategy should include continued evaluation of CNCI activities and build, where appropriate, on its successes.24 The national strategy should focus senior leadership attention and time toward resolving issues that hamper U.S. efforts to achieve an assured, reliable, secure, and resilient global information and communications infrastructure and related capabilities.25 The strategy would assist government efforts to raise public awareness, renew and build international alliances and public-private partnerships, establish a more comprehensive national cyber response and recovery plan, and promote an aggressive research and development agenda that has the potential to result in new technologies that will enhance cybersecurity.

"The Federal government should continue the principle of "mission bridging" started under the CNCI. Departments and agencies should expand the sharing of expertise, knowledge, and perspectives about threats, tradecraft, technology, and vulnerabilities between network defenders and the intelligence, military, and law enforcement organizations that develop U.S. operational capabilities in cyberspace. In addition, the cybersecurity policy official should help coordinate intelligence and military policies and strategies for cyberspace-including for countering terrorist use of the Internet-to ensure integration of all mission equities. The cybersecurity policy official should engage external advisory bodies. Many advisory bodies touch on cybersecurity-related issues, including the National Security and Telecommunications Advisory Committee (NSTAC), the National Infrastructure Advisory Council (NIAC), the Critical Infrastructure Partnership Advisory Council (CIPAC), and the Information Security and Privacy Advisory Board (ISPAB). The cybersecurity policy official should review the responsibilities of these bodies and propose changes as necessary to optimize advice and eliminate unnecessary duplication.

"Other structures will be needed to help ensure that civil liberties and privacy rights are protected. Such structures would signal transparency and build trust between the civil liberties and privacy community, the public, and the program for cybersecurity, especially if implemented from the outset.26 It is important to reconstitute the Privacy and Civil Liberties Oversight Board (PCLOB), accelerate the selection process for its board members, and consider whether to seek legislative amendments to broaden its scope to include cybersecurity-related issues.27 Other options include: facilitating regular engagement of government civil liberties and privacy advisors on policy matters for cybersecurity or designating a dedicated privacy and civil liberties officer within the NSC (or, more broadly, the EOP) to engage with the private-sector civil liberties and privacy community, an oversight board, and government civil liberties and privacy officers.28, 29

"Equally important to developing cybersecurity policy, is assuring the effective execution and implementation of that policy to meet the goals of the larger strategy. Accordingly, the cybersecurity policy official, in consultation with OMB and other EOP entities, will need to ensure effective implementation of cybersecurity-related policy and activities. During the course of the 60-day review, stakeholders suggested a variety of options to coordinate and oversee cybersecurity activities. Several commentators identified strong executive leadership as well as focused, multi-year attention across the participating departments and agencies as critical elements to ensure that the U.S. Government has the mechanisms needed for an effective cybersecurity program. Currently, some of these oversight functions for existing cybersecurity efforts are being performed outside of the EOP. For example, the Joint Interagency Cyber Task Force (JIACTF), under the Director of National Intelligence, currently is responsible for coordinating and monitoring the implementation of the CNCI. The cybersecurity policy official, in consultation with OMB and other EOP entities, should develop structural options to perform appropriate oversight, implementation, and other functions. These could include among others, developing a JIACTF-like function30 in OMB or elsewhere in the EOP, creating an entity similar to President Eisenhower's Operations Coordinating Board,31 or establishing some other entity that, among other things, assists in assessing department and agency performance and oversees federal compliance with cybersecurity standards. Unless and until such an office is established, the work of the JIACTF should continue.32" [2009 Review 7]



Executive Order 13636 Improving Critical Infrastructure Cybersecurity, EO Feb. 12, 2013

Presidential Policy Directive (PPD)-21, “Critical Infrastructure Security and Resilience.” 2013

© Cybertelecom ::