The long-awaited and much-delayed results of the review called for a cyber security policy official that would be able to co-ordinate policy reviews between agencies. A key task for the new official, who has not yet been selected, will be to work out who is in charge of which aspects of cybersecurity in federal government, and to help delineate those roles.
"No single official oversees cybersecurity policy across the federal government, and no single agency has the responsibility or authority to match the scope and scale of the challenge," said the President, who also mentioned the Conficker worm, arguing that agencies were unprepared for the chaos that could have occurred had the botnet been activated to deliver a payload on April 1, as was predicted. "Indeed, when it comes to cybersecurity, federal agencies have overlapping missions and don't coordinate and communicate nearly as well as they should -- with each other or with the private sector."
However, the cyber-czar would not be able to develop policy unilaterally, said the Hathaway review:
"Using interagency coordination processes, the cybersecurity policy official should harmonize cybersecurity-related policy and technology efforts across the Federal government, ensure that the President’s budget reflects federal priorities for cybersecurity, and develop a legislative agenda, all in consultation with the Federal government’s Chief Technology Officer and Chief Information Officer," it advised. It advocated bringing together the Office of Management and Budget, the Office of Science and Technology Policy, and the National Economic Council.
The cyber-czar would review the operation of the Department of Homeland Security's National Cyber Security Center, which was the focus of much controversy earlier this year, after head Rod Beckstrom resigned citing a lack of resources.
The report outlined some other cybersecurity goals, including the creation of an effective response framework, and improved cooperation between the government and the private sector. It also called for the creation of a national strategy that boosts the efforts of the Comprehensive National Cyber Security Initiative (CNCI).
Many of the recommendations are in keeping with the recommendations made by the Center for Strategic and International Studies' Committee on Cybersecurity last December.
The Hathaway report, which emphasised consumer education initiatives around cybersecurity, also outlined privacy measures designed to shore up civil liberties in a digital age. A privacy and civil liberties official is to be appointed to the National Security Council cybersecurity directorate, and an identity management strategy will be developed to support privacy interests.
Obama's decision to appoint a new official was praised in the industry. "President Obama’s cyberspace policy review contains necessary mid and long term plans that build on work already going on," said Howard Schmidt, president of the Information Security Forum and a former cybersecurity advisor to the White House. "It is important that the public is more educated and aware of cyber security and authorities need to be better prepared for cyber incidents that will require both commitment from the very top and investment in research and development."