Creatively Securing IT: Melissa Hathaway, White House Cybersecurity Policy Review Leader
"The thing that worries me the most is that the threat is outpacing our defenses at a volume and velocity never imagined," Melissa Hathaway, the onetime acting White House cybersecurity director, said in an interview with GovInfoSecurity.com (transcript below). "Without bringing together the best of government with the best of the private sector, we are going to continue to be behind in that threat posture and security posture."
It's not that the government isn't doing enough, Hathaway said, but it takes time to get all parties working together to address the challenges of securing government systems and the nation's mostly privately owned critical IT infrastructure. "I certainly feel that there is a sense of urgency every day that I read something else that has happened to our networks, either in the government or in the private sector," she said.
In the first of the two-part interview, Hathaway also discussed:
- The need to think creatively in employing technology to defend critical systems. "We need to start to look at the technology of how certain things can be dual purposed."
- Getting government and the private sector to collaborate on cybersecurity. "The private sector really needs to step up and help own the problem."
- Resisting the urge to overregulate industry, and instead using the government's massive purchasing power to require security-ready IT wares. "Using procurement as a market lever is better than regulations."
Hathaway was interviewed by GovInfoSecurity.com's Eric Chabrow.
President Obama in February assigned Hathaway to lead a wide-ranging, interagency review of the government's cybersecurity plans and activities. Her review resulted in the administration's cybersecurity policy agenda the president unveiled in May.
Hathaway is a protégé of retired Adm. Mike McConnell, who served until earlier this year as the National Intelligence director. Under McConnell, Hathaway served as a senior advisor and cyber coordination executive. She chaired the National Cyber Study Group, contributing to the development of the Comprehensive National Cybersecurity Initiative. That led to her appointment as director of the Joint Interagency Cyber Task Force in January 2008. At the business consultancy Booz Allen, where she first worked with McConnell, Hathaway served as a cybersecurity strategist, leading the information operations and long-range strategy and policy support business units.
She resigned her White House job in August, and shortly thereafter started the consultancy, Hathaway Global Strategies, and this fall joined the Belfer Center for Science and International Affairs at Harvard University's Kennedy School of Government as a senior adviser.
Hathaway holds a BA from American University and a special certificate in information operations at the U.S. Armed Forces Staff College.
ERIC CHABROW: What worries you the most about the federal government's and our nation's cyber security posture?
MELISSA HATHAWAY: The thing that worries me the most is that the threat is outpacing our defenses at a volume and velocity never imagined. Without bringing together the best of government with the best of the private sector, we are going to continue to be behind in that threat posture and security posture.
CHABROW: Our government is not doing enough to get that kind of collaboration going, or is it just something that takes time?
HATHAWAY: It is something that takes time and I certainly feel that there is a sense of urgency every day that I read something else that has happened to our networks, either in the government or in the private sector, the amount of cyber crime that we are experiencing. There was a report just released out of the FBI that said that the United States has lost over $100 million this year to cybercrime and I know the statistics that I have currently been using is that the underground economy is more than $1 trillion dollars, and I think that that's only a fraction of the losses that we are experiencing from just the private sector alone.
It is important that we begin having a broader national dialogue of what is happening to our networks, both in the government and in the private sector and that we really start to translate it into what individuals can do, what corporations can do and what the government really needs to do to help secure our nation going forward.
CHABROW: Let's talk a little about that. You recently joined the Belfer Center for Science and International Affairs at Harvard University's Kennedy School of Government as a Senior Advisor. The center just published a paper you authored entitled, Strategic Advantage: Why America Should Care About Cyber Security. You write that the federal government should work creatively and collaboratively with the private sector to tailor and scale solutions to take into account the need to exchange information and protect private and public interests.
First off, what do you mean by creatively?
HATHAWAY: We need to start to look at the technology of how certain things can be dual purposed, how technologies could be fast tracked into other sectors and that traditionally we look at technology really as point solution, or what we really designed it for and that there are some technologies that we could start to look at that could be creatively tailored for not necessarily their original purpose, but what is needed maybe more broadly for other sectors.
CHABROW: Can you give me an example or two?
HATHAWAY: I'll give you an example of something that is happening in other countries that I think is creative. ATM fraud is significant in many countries, including the United States and point of sale terminals, which is basically when you pay the grocery store with your credit card or your ATM or at the Starbucks or at the McDonald's, those are all kind of point of sale terminals when you swipe your card.
In the United States, we are trying to ask for a second piece of information to ensure that it is you so that if you are at the gas station and you use your credit card there, often times it is asking for a second piece of data like your zip code and you put it in and then it allows the transaction to go forward. Eastern Europe and northern Europe, they are using their cell phone technology to geo-locate you at the actual place so that the cell phone has to be on when you are going to use the ATM or be using the transaction at the point of sale terminal and, of course, that is not what cell phones were originally designed for. But I thought it was a creative solution of how to defeat the fraud, or at least make it much more complicated for the criminals or thieves to take our information and take our personal data. And, I think that there are other creative solutions that could be thought through in the United States to start to reduce the amount of exposure that we have as individuals and as corporations and as government.
CHABROW: How should this collaboration work? Obviously, it is not just one panel that is assembled by the Obama administration.
HATHAWAY: Right. I think that this requires really the whole of country and probably private partnerships at an unprecedented level. America's cyberspace strategy is and will remain a public/private partnership and the cornerstone of that strategy has to be the private sector. The government needs to look at ways in which we can enhance the innovation. We need to creatively look at as a partnership how can we pool our research and development dollars toward a common goal and we have to look at incentive mechanisms and other market levers to help enhance and accelerate the point of innovative development to start to look at and solve some of these problems.
CHABROW: It sounds like you are recognizing that a lot of our critical infrastructure is owned by the private sector and that is why it is important to have the private sector actively involved. Are they the ones who should take the leadership in this?
HATHAWAY: I think it can't be done without leadership within the private sector. Certainly it depends on who you talk to, 80 to 90 percent of our critical infrastructure is owned and operated by the private sector, and I think that one, the government needs to do a much better job sharing information with the private sector on what exactly are the threats that we see and that they are experiencing and give them understanding of what is being targeted and for what purpose to the extent that the government knows it, and I think that the private sector really needs to step up and help own the problem.
There are a number of different things that they can do to help solve the problem, whether it is increasing innovation and research and development, to designing better software that has less vulnerabilities and is less vulnerable to attack or to viruses to stronger hardware capabilities, to just not point solutions but enterprise-wide solutions.
The Internet service providers and the telecommunications providers have a unique ability to tell us when we as individuals or customers have been infected and help us remediate or clean up our networks or home computers when we have in fact been infected. There is a lot more that the private sector can do to help address the problem in a more immediate way.
CHABROW: This brings up a good point that some people have raised: who knows the systems better than the private sector, but at the same time, the private sector is often motivated by profit and there is a feeling that there will be needs of regulation because otherwise many businesses won't take the steps needed to secure critical IT infrastructures. Where do you stand on that?
HATHAWAY: You could regulate, and some of the markets that are already regulated and that could be telecommunications, it is certainly energy. ... But I personally think that we should be looking at the government's buying power combined with perhaps other vertical markets like the financial services sector. The government spending budget on IT alone for this fiscal year is $77 billion, and if you were to combine that with the IT buying power of other markets, and start to design or demand a higher security posture, I think the market will actually start to deliver the services that are being requested for those funding lines. Using procurement as a market lever is a better lever than further regulation. Regulation sometimes will have second and third order costs and then second and third order consequences, which make our industry less competitive.