I have a piece in the forthcoming edition of the Phoenix on cybersecurity. But first, a little preview here - and some thoughts that didn't make it into the piece.
For the uninitiated, cybersecurity entails protecting the country's computer networks against large-scale theft of intellectual property and the sort of attack that can take down an electric grid or destroy bank records.
Those who follow Rhode Island politics know that cybersecurity is a big issue for Congressman James Langevin. Senator Sheldon Whitehouse has also taken a keen interest. But both men, and all of official Washington, were in a holding pattern until recently - waiting for the Obama Administration to weigh in.
Well, the president finally pushed out his proposal a couple of weeks ago. At its center: a requirement that companies controlling the nation's critical infrastructure - the electric grid, banking, and the like - develop stronger cybersecurity plans subject to third-party audit. Those that come up short could be named and shamed by the federal government. And the Department of Homeland Security could intervene to amend their plans.
Congressman Langevin and Senator Whitehouse, among others, suggest the proposal doesn't do enough to impose responsibility for cybersecurity on American business. And analysts say the Senate, which is taking the lead on cybersecurity, is likely to be a bit more aggressive on that front.
But Langevin's signature proposal - a cybersecurity office in the White House, run by a Senate-confirmed director and designed to whip a flailing federal government into shape - could be in for tough sledding. Among the obstacles: the Obama Administration's proposal would put the locus of power not in the White House, but in the Department of Homeland Security, an agency that Langevin and others have criticized as too young and too weak to do the job.
I spoke with James Lewis, a former State Department official now with the Center for Strategic & International Studies in Washington. He is an authority on the topic and an occasional adviser to the White House. He offered an interesting, and counterintuitive, theory on administration officials' hesitation around creating a cybersecurity directorate in the Executive Office of the President: they don't want anyone telling them what to do.
At present, the White House has a cybersecurity coordinator in Howard Schmidt. But he does not have the authority that Langevin and others would like him to have - and he doesn't require Senate confirmation. Lewis suggests there is something attractive, for the administration, in that relative freedom from Congressional control.
Whatever the rationale, does it make sense to forgo a more potent cybersecurity czar? Langevin has suggested that only a powerful coordinator in the White House, with budgetary authority over governmental departments that have done a poor job protecting their networks, can adequately guard the .gov domain against intrusions.
Given the federal government's cybersecurity failings to date, it's not clear that any bureaucratic configuration would provide the sort of protection we need. But the Congressman has a point. His proposal, which passed the House last year, should get another vote shortly.