Obama taps Bush aide Melissa Hathaway to review federal cybersecurity efforts

President asks Hathaway, who led multiagency security initiative launched by Bush, to recommend changes in existing programs

Melissa Hathaway, a Bush administration official who is credited with helping to develop a multibillion-dollar classified initiative aimed at better securing federal systems and critical-infrastructure networks against online threats, has been named by President Barack Obama to lead a 60-day review of the government's cybersecurity efforts.

Hathaway was named acting senior director for cyberspace for the National Security Council as well as the Homeland Security Council. She has been tasked with conducting the governmentwide review of ongoing cybersecurity programs and developing recommendations for ensuring that they are aligned with government and private-sector needs, according to a statement released by the White House this evening.

A story posted online yesterday by The Wall Street Journal, quoting unnamed government sources, said that Hathaway was expected to be chosen to head up a new White House cybersecurity office after the review was completed. The statement about the review from the White House didn't address that possibility.

Hathaway has been working as a cybercoordination executive for the Office of the Director of National Intelligence. She chaired a multiagency group called the National Cyber Study Group that was instrumental in developing the Comprehensive National Cyber Security Initiative, which was approved by former President George W. Bush early last year. Since then, she has been in charge of coordinating and monitoring the CNCI's implementation.

Amit Yoran, a former director of the U.S. Department of Homeland Security's National Cyber Security Division, said today that although Hathaway isn't very well known outside of Washington, she is a "known entity" within the federal cybersecurity community.

"She has been really charging and moving forward with CNCI for the past 24 months," said Yoran, who currently is CEO of NetWitness Corp., a vendor of network-traffic analysis tools in Herndon, Va. He also was a member of a commission, set up by the Center for Strategic and International Studies (CSIS) in Washington, that recommended major changes in the federal government's approach to cybersecurity in a report issued in December.

If the reports about Hathaway becoming Obama's cybersecurity chief are correct, she will have "pretty strong leverage" to influence policy and bring together various government entities as part of the CNCI, Yoran said. Her immediate assignment to review the work that has been done thus far as part of the initiative and other cybersecurity programs is a good idea, he added.

"Just because she has been managing it doesn't mean the direction she has taken shouldn't be reviewed," he said. The review is especially needed, according to Yoran, because much of the work that has gone on under the CNCI has been classified. "I wouldn't be surprised if there weren't some adjustments to the current portfolio that need to be made," he said, while noting that he also thinks "a lot of the activities that are under way" likely are aligned with national cybersecurity objectives.

Tom Kellermann, another member of the CSIS commission, also expressed satisfaction about Hathaway's involvement in the review and the possibility that she will take the lead on cybersecurity issues afterward. He said that Hathaway has a keen understanding of the international nature and scope of the cybersecurity problem and the nexus that exists between cybercriminals and unfriendly governments.

Kellermann, who is vice president of security awareness at Core Security Technologies, a Boston-based vendor of security testing tools, added that he hopes the cybersecurity job will eventually be elevated "to a higher level" — that of a special adviser who would report directly to Obama.

John Pescatore, an analyst at Gartner Inc., agreed that the choice of Hathaway to lead the cybersecurity review is a good one but said that her previous work on the CNCI could be somewhat problematic. While the initiative has some good points, the effort is well behind private-sector norms in dealing with issues such as intrusion prevention and detection, Pescatore said.

He also thinks that the CNCI is weighted too heavily toward building centralized "situational analysis" capabilities, and that its combined antiterrorism surveillance and infrastructure protection goals are too broadly focused. "I don't think it's a very good model for how the government should move forward," he said.

Copyright © 2009 IDG Communications, Inc.
