Federal cybersecurity review drawing to a close

Computerworld - A 60-day review of federal cybersecurity efforts that President Barack Obama ordered in February is scheduled to end this week, although it's unclear when the much-anticipated findings will be publicly released.

The review is being led by Melissa Hathaway, a former Bush administration aide who was tapped by Obama to evaluate ongoing cybersecurity initiatives and analyze whether they're aligned with government and private-sector needs. Many analysts think Hathaway's report will form the basis of the Obama administration's security agenda.

As part of her assignment, Hathaway was expected to review programs such as the multibillion-dollar Comprehensive National Cybersecurity Initiative and issues such as the U.S. Department of Homeland Security's leadership on cybersecurity matters and the growing role of the National Security Agency.

A status update that Hathaway provided to members of the U.S. House Cybersecurity Caucus in late March suggested that she was also considering topics such as whether a cybersecurity office should be set up within the White House and whether federal regulations mandating baseline security standards are needed for critical infrastructure industries. In addition, the review was expected to touch on collaboration between the public and private sectors as well as privacy concerns stemming from security initiatives.

Not everyone is convinced that the review will set the tone for Obama's cybersecurity approach. The report may end up being little more than a list of what the government is doing on security, said Michael Markulec, vice president of technology and operations at Lumeta Corp., a vendor of network security tools in Somerset, N.J.

"What I suspect we are going to get is an inventory of all the cybersecurity efforts across the government, especially what's going on at the NSA, the DHS and the Department of Defense," Markulec said. "I don't expect we'll get any concrete recommendations out of this." In addition to his job at Lumeta, Markulec is a member of an industry group established by the National Infrastructure Protection Plan to foster public-private partnerships on cybersecurity.

While Hathaway's review was under way, two U.S. senators introduced new legislation that would give the federal government sweeping new authority to create and enforce security standards across the public and private sectors.

One of the key provisions in the Cybersecurity Act of 2009, which was proposed by Sens. Olympia Snowe (R-Maine) and Jay Rockefeller (D-W.Va.) on April 1, would give the president the power to disconnect government and critical private-sector networks from the Internet in the event of security emergencies. The bill also would empower the National Institute of Standards and Technology to establish security standards for all networks and systems run by federal agencies, government contractors and businesses that support critical infrastructure services.

Rockefeller and Snowe also introduced a companion bill that calls for the addition of a national cybersecurity adviser within the Executive Office of the President. Many of the provisions in the two measures are based on a set of cybersecurity recommendations that were released last December by an external commission set up by the Center for Strategic and International Studies, a Washington-based think tank.

The big question now is whether Hathaway's report will reinforce the commission's recommendations and the proposals in the Senate bills, or diverge from them.