By Ellen Nakashima and Brian Krebs
Washington Post Staff Writers
Saturday, May 30, 2009
President Obama used a White House speech yesterday to try to raise national concern about threats to computer networks, drawing praise from some industry executives and lawmakers but criticism from others who said his initiatives do not go far enough.
Obama said he will name a senior White House official to coordinate government efforts to protect a "strategic national asset": the digital networks that handle phone calls, e-mails, government and military data, and also control power grids, nuclear plants and airplane traffic.
Obama was doing what his predecessors had not: addressing the issue in a highly public way, under the chandeliers of the East Room, before an audience of Cabinet members, industry executives and privacy advocates. He noted that the very networks that allow Americans to bank and shop online are also targets for those who can turn a computer into a "weapon of mass disruption."
"We're not as prepared as we should be," he said, "as a government or as a country."
His speech was nearly in line with a campaign promise to make the issue a priority and appoint what he then called a national cyberadviser who would report directly to him.
Obama said yesterday the new cybersecurity coordinator would have "regular access to me." His speech, which was accompanied by the release of a strategy report, comes as the Pentagon plans to set up a new cybercommand to develop cyber weapons for use in responding to attacks from foreign adversaries.
"It's a thoughtful report that is cautious about what needs to be done," said Stewart A. Baker, assistant secretary for Homeland Security under President George W. Bush. "But it doesn't try to provide substantive answers to some of the security concerns that quite legitimately the government has."
Left unanswered in the White House's 38-page Cyberspace Policy Review are several major questions: How will the nation respond in the face of a major cyberattack? How can the United States persuade other nations to help defend the global Internet? What should be the role of the U.S. intelligence community in protecting private-sector networks?
To assuage concerns that a government agency such as the National Security Agency might tap into phone calls or e-mails, Obama stressed: "Our pursuit of cybersecurity will not -- I repeat, will not include -- monitoring private networks or Internet traffic." He noted that the new office will have a privacy and civil liberties officer.
The military's effort will be led by Lt. Gen. Keith B. Alexander, director of the National Security Agency, and will be launched in early June, according to several cybersecurity experts who spoke on the condition of anonymity. Obama did not mention the Pentagon cybercommand in his remarks yesterday.
The White House had said the report, which was the result of a 60-day review of cyberprograms, would not offer detailed policy prescriptions.
The cybercoordinator will be a member of the National Security Council and the National Economic Council, Obama said, an acknowledgment that the threat is both to national security and to the economy. The official will coordinate government cybersecurity policies, work with the Office of Management and Budget to ensure agencies have enough money to defend their systems, and coordinate the response to a major cyberattack, Obama said.
Obama stressed the gravity of the threat, noting that in one act alone last year, thieves illegally obtained credit card information in order to steal millions of dollars from 130 automated teller machines in 49 cities around the world -- in 30 minutes. Last year, cybercriminals stole data from businesses worldwide worth up to $1 trillion, he said.
In a serious attack on a military network, he said, several thousand computers were infected last year by malicious software, forcing troops to abandon use of thumb drives. And Obama described how his presidential campaign network had been compromised last fall, with hackers gaining access to policy position papers and travel plans. No donor's personal or financial information was stolen, he said.
The report issued yesterday was the fourth White House cybersecurity strategy or road map, dating to the Clinton administration. In stressing that his plan will be transparent, Obama effectively drew a distinction with the Bush administration's 2008 Comprehensive National Cybersecurity Initiative, which was mostly classified and aspects of which raised concerns on the Obama transition team. Yesterday's report called for "continued evaluation" of CNCI activities.
Several experts raised red flags, saying that Obama sidestepped the issue of funds required for the effort, the need to set national computer safety standards for companies that provide critical services, and what incentives would get companies to comply with cyberpolicies.
"Nice words, but mostly a rehash of what we've seen before -- and that hasn't worked," said Jeffrey A. Hunker, a Carnegie Mellon University professor who helped draft the first national plan on cybersecurity, under President Bill Clinton.
Enrique Salem, chief executive of Symantec, said he is concerned that the coordinator would have to answer to "so many masters" that he or he would not "be able to move efficiently."
Sen. Susan Collins (R-Maine) said in an e-mail that "placing a strategy 'czar' in the White House will hinder Congress's ability to effectively oversee federal cybersecurity activities and will do little to resolve the bureaucratic conflicts, turf battles, and confusing lines of authority that have undermined past cybersecurity efforts."
Other industry officials and lawmakers said they were heartened by the speech and report.
Obama is sending "a clear message to our adversaries that the United States will no longer tolerate attacks against our federal or critical infrastructure networks, and we are prepared to defend these networks by all means necessary,'' said Rep. Bennie G. Thompson (D-Miss.), House Homeland Security Committee chairman.
"It's a good first step," said Ed Amoroso, chief security officer for AT&T, the world's largest telecommunications company. "Now we have to go and figure out how to implement these good ideas."
John Stewart, chief security officer for tech firm Cisco, said Obama gave a "very blunt assessment" of the "unacceptable" state of the country's networks. "I've not heard that before," he said.
The review suggests incentives and, "as a last resort," regulations, to get companies to share information that can improve overall network security.
"Obama ended up setting down a set of principles that he will navigate by," said Paul Kurtz, a cyberexpert who served in both the Clinton and Bush White Houses. "He seemed to be pushing the system to say we must and we can do more."