What I'll be looking for in Melissa Hathaway's report on cybersecurity

Computerworld - The big talk in Washington's cybersecurity world is Melissa Hathaway's magical 60-day review, which is supposed to recommend how U.S. government cybersecurity efforts should be pursued. The technical press and lobbyists are all abuzz over whether or not there will be a cybersecurity coordinator who reports to the president. In certain circles, this is even more gossiped about than what Michelle Obama is wearing, but frankly the discussion is even less useful.

What makes it pointless is the fact that "federal cybersecurity coordinator" could describe the supposed positions already held by such luminaries as Richard Clarke, Howard Schmidt, Paul Kurtz, Amit Yoran, Andy Purdy and, of course, Rod Beckström. Some of those people worked in the White House, some didn't. Either way, these well-qualified people accomplished relatively little in the grand scheme of things.

Nonetheless, all most people seem to be looking for in the forthcoming report are a title and a reporting structure. They want to know who will have authority and where that authority will derive from. I am looking for something completely different: responsibility and accountability.

Certainly, some authority is needed. The person in charge of cybersecurity needs to have the authority to tell people what to do and to set the policies those people are supposed to follow. Does that mean we need a cybersecurity czar who reports directly to the president? Of course not. The federal government would truly be ineffective if all authority had to trace a short and direct path back to the White House.

Responsibility is closer to the heart of the issue. We don't just need someone who has the authority to set policies and tell people what to do. We need staffers with the necessary technical skills who are responsible for implementing those policies (and I am making a very broad leap of faith that the policies will be useful). Right now, it doesn't seem likely that those people are going to be available. Part of the reason for that is funding. After all, Beckström resigned as director of the National Computer Security Center partly because the Department of Homeland Security didn’t provide the NCSC with its congressionally allocated funding. How responsible is that?

Even more important is accountability. I cannot think of a single case where a senior official was held accountable for any of the major compromises of government systems that have occurred over the past few decades. Hathaway's recommendations must spell out the punishment that will result from poor security. If senior officials don't think their jobs and reputations are on the line, there is no accountability. And let’s face it, senior officials are the ones who should be held accountable. There may be a few instances when lower-level people are guilty of gross negligence, but staffers generally take their cues from above and do what they are told.

So, when this report comes out, don't judge it based on whether it recommends the appointment of a cybersecurity czar. Look for the recommendations it makes regarding what will happen when there are cybersecurity failures. Authority only gives you the power to tell people what to do. Holding executives personally accountable is the only thing that guarantees that things will be done.

Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, www.irawinkler.com.

Read more about security in Computerworld's Security Knowledge Center.