Feds Say Ciao to Father of the CIAO

Computerworld - When the Clinton administration leaves office this week, the federal government will say goodbye to one of the national security community's premiere experts on cybersecurity policy.
On Jan. 20, Jeffrey Hunker, the senior director for critical infrastructure protection at the National Security Council, will end a seven-year stint in public service.
What started as a serendipitous move into a senior policy advisory role under Secretary of Commerce Ron Brown in 1993 soon led to an assignment to create a new national security organization that would be at the forefront of the nation's cyberdefenses. In 1998, that organization became known as the Critical Infrastructure Assurance Office (CIAO).
Computerworld's Dan Verton recently sat down with Hunker in his office in the Old Executive Office Building adjacent to the White House. Here's what Hunker had to say about the future of the national effort to protect cyberspace.

Q. What should the Bush administration do differently to make the critical infrastructure protection effort more effective?
A. Part of the challenge is going to be working to educate Congress, ensuring there is budget responsibility and accountability within the executive branch and, equally important, actively working with the insurance and audit industries to integrate the issue of cybersecurity into the corporate risk management framework.
One of the biggest shortcomings in security right now is that there is no commonly accepted set of best practices. One of the things that the federal government should do is adopt a set of defined network security best practices - not just on paper, because there is plenty of guidance. They should then encourage their adoption in the private sector as well. If we do that, it would help jump-start the insurance market as well.
Also, we have virtually no pipeline producing trained cybersecurity experts at this point. Addressing the nationwide shortage of those people needs to be done very close to the top of the next administration.

Q. What have you learned about the government/industry partnership?
A: I'm struck by how new and challenging the issue of cybersecurity is. The government is not organized to deal with a crosscutting issue like this.
Many of the approaches to developing partnerships don't exist, and you have to build them from scratch. I've also learned that it takes a long time to build an operating partnership with the private sector.

Q. What are some of the most significant issues in security that the new administration will face?
A: I look at developing a legal structure as perhaps one of the most important foundationalelements to the future of cybersecurity.
For example, while there are reconstitution authorities that the federal government uses whenever we have an earthquake or a hurricane, there's substantial controversy about whether the federal government in fact has legal authority to provide reconstitution support in the event of a cyberfailure.
Likewise, we don't have a legal structure that can determine how you assign liability for network failures.
We also need to formalize at the highest levels of the government the working partnership between government and corporate executives.
We need to formalize the National Infrastructure Assurance Council and start having meetings between corporate CEOs and the president on this issue. It's time that we bumped it up to a president-and-CEO issue.