Privacy Working Group

The resignation last week of two of the government’s top cybersecurity officials has raised questions about President Obama’s much-touted effort to fix policy for defending the nation’s computer networks.

Officials say the decisions by Melissa Hathaway of the National Security Council and Mischel Kwon of the Department of Homeland Security are not related, but some observers have linked them to suggest the White House is faltering in its effort to implement a new cybersecurity strategy and appoint a high-level national coordinator for the issue.

Rep. Bennie Thompson, Mississippi Democrat, chairman of the House Homeland Security Committee, said in a statement he was “troubled with the apparent loss of momentum on cyber-security, an issue that is critical to our national and economic security.” Former officials said the resignations, though their timing was coincidental, were indicative of the strain on top cybersecurity staff.

“This says a lot about the barriers and negative job conditions that cyber-security professionals within the U.S. government face,” said former Department of Energy cybersecurity official Eugene Schultz in an e-mail posting for the SANS Institute, an industry nonprofit that does research and education on computer security.

Rod Beckstrom, who quit a senior cybersecurity post at DHS earlier this year, told The Washington Times: “I know from firsthand experience how tough these federal cybersecurity jobs are.”

Read More

The Obama administration is proposing to scale back a long-standing ban on tracking how people use government Internet sites with “cookies” and other technologies, raising alarms among privacy groups.

A two-week public comment period ended Monday on a proposal by the White House Office of Management and Budget to end a ban on federal Internet sites using such technologies and replace it with other privacy safeguards. The current prohibition, in place since 2000, can be waived if an agency head cites a “compelling need.”

Supporters of a change say social networking and similar services, which often take advantage of the tracking technologies, have transformed how people communicate over the Internet, and Obama’s aides say those services can make government more transparent and increase public involvement.

Some privacy groups say the proposal amounts to a “massive” and unexplained shift in government policy. In a statement Monday, American Civil Liberties Union spokesman Michael Macleod-Ball said the move could “allow the mass collection of personal information of every user of a federal government website.”

Even groups that support updating the policy question whether the administration is seeking changes at the request of private companies, such as online search giant Google, as the industry’s economic clout and influence in Washington have grown rapidly.

Two prominent technology policy advocacy groups, the Electronic Privacy Information Center and Electronic Frontier Foundation, cited the terms of a Feb. 19 contract with Google, in which a unnamed federal agency explicitly carved out an exemption from the ban so that the agency could use Google’s YouTube video player.

Read More

During the Open Government Initiative outreach, Federal employees and the public have asked us questions about the federal government’s policy on cookies. As part of our effort to create a more open and innovative government, we’re working on a new cookie policy that we’ll want your input on. But before we get into that, let’s provide some context.

In June 2000, the OMB Director issued a memorandum (M-00-13, later updated by M-03-22, http://www.whitehouse.gov/omb/memoranda_default/) that prohibited Federal agencies from using certain web-tracking technologies, primarily persistent cookies, due to privacy concerns, unless the agency head approved of these technologies because of a compelling need. That was more than nine years ago. In the ensuing time, cookies have become a staple of most commercial websites with widespread public acceptance of their use. For example, every time you use a “shopping cart” at an online store, or have a website remember customized settings and preferences, cookies are being used.

This past June, we blogged about ways to enhance citizen participation in government through basic policy changes, including revisions to the current policy on web-tracking technologies. We heard a lot of informal comments on that blog, so we decided to pursue the more formal comment route through the Federal Register (pdf). The goal of this review is to develop a new policy that allows the Federal Government to continue to protect the privacy of people who visit Federal websites while, at the same time, making these websites more user-friendly, providing better customer service, and allowing for enhanced web analytics.

Read the rest of the post here.

By focusing on the economy, the administration may have turned away its top candidates.

America’s cyber czar, despite the impressive title, may not be such a coveted job after all. As early as this week, President Obama is expected to appoint a national cybersecurity adviser, who will report to the oval office and run the White House’s efforts to defend the government from hackers and cyberspies. But for those hoping to get a sense of the cyber czar’s place in Washington’s pecking order, the appointee’s name may not be as important as the names of those who have politely declined the role.

According to cybersecurity industry insiders monitoring the appointment process, at least three people were informally offered the cyber czar post and turned it down, including former Virginia Sen. Tom Davis, Microsoft ( MSFT – news – people ) security executive Scott Charney and Good Harbor Consulting Executive Paul Kurtz. One reason that the czarship has remained unfilled for the six months since Obama has taken office, those sources say, may be that the position has taken a back seat to another issue: the economy.

When Obama delivered his landmark speech on cybersecurity in May, the president reiterated the need for stronger cybersecurity and called for a top White House position focused on the issue. But the 60-day review of government cybersecurity that was released at the time described the cyber adviser as “dual-hatted,” reporting to both the National Security Council and the National Economic Council, the White House agency headed by economist Larry Summers. The decision to subordinate the cyber czar to the NEC, seemingly in an effort to ensure that cybersecurity measures don’t hamper economic recovery, may have made the position less desirable, says Alan Paller, director of the security-focused SANS Institute.

“It’s hard to work for two bosses,” Paller says. “It’s not unreasonable that the NSC and NEC both oversee the cyber czar’s activities, but a powerful person may not want to be in that position. If you take a big pay cut, you want to make a real difference.”

Read More

WASHINGTON — The flagship system designed to protect the U.S. government’s computer networks from cyberspies is being stymied by technical limitations and privacy concerns, according to current and former national-security officials.

The latest complete version of the system, known as Einstein, won’t be fully installed for 18 months, according to current and former officials, seven years after it was first rolled out. This system doesn’t protect networks from attack. It only raises the alarm after one has happened.

A more capable version has sparked privacy alarms, which could delay its rollout. Since the National Security Agency acknowledged eavesdropping on phone and Internet traffic without warrants in 2005, security programs have been dogged by privacy concerns. In the case of Einstein, AT&T Corp., which would test the system, has sought written approval from the Justice Department before it would agree to participate, people familiar with the matter say.
No Genius

An AT&T spokesman declined to comment.

The total cost of the system, designed to protect all nonmilitary government computers, is classified, but officials familiar with the program said the price tag was expected to exceed $2 billion.

The Obama administration has made combating threats to the nation’s computer networks a top priority. President Barack Obama recently called such attacks “one of the most serious economic and national security challenges” facing the country. Attacks on the government have been intensifying, and thousands of federal networks have been breached, including that of the Homeland Security Department, security officials say.

Homeland Security officials say they are pressing ahead with deliberate speed. Because the program is the first of its kind, “we’re trying to get things as right as possible,” a senior Homeland Security official said. It takes time to get all the other government agencies on board, the official added, but their buy-in will lead to a more effective system in the long run.

The Obama administration is now re-examining plans for a third iteration of Einstein to review its privacy protections and effectiveness, said Paul Kurtz, a cybersecurity specialist who led a review of the topic for President Obama’s transition team.

Read more

The Obama administration could ask Congress for regulatory changes to create “far-reaching incentives” for prioritizing cybersecurity in the private sector, which controls much of the nation’s critical IT infrastructure, a high-ranking Department of Homeland Security official said Thursday.

Acting Assistant Secretary for Cybersecurity and Communications Michael Brown said a range of proposals are being considered by the White House and the department as their cybersecurity plan unfolds.

The department is moving quickly to streamline its cyber processes, Brown told an Armed Forces Communication & Electronics Association conference. The agency is on track to collocate its U.S. Computer Emergency Readiness Team and other key components of the National Cyber Security Division by November. Officials hope the synergies of sharing a physical space will enhance their operational capabilities. NCSD’s primary base of operations is in Arlington, Va., but it has staff in Pensacola, Fla., and employees detailed to other agencies.

Homeland Security Secretary Napolitano’s selection of under secretary Philip Reitinger to head the National Cybersecurity Center this month, was another step forward, he said. The center’s first director, Rod Beckstrom, resigned abruptly in March. The Silicon Valley entrepreneur was tapped today by the Internet Corporation for Assigned Names and Numbers to become the organization’s president at a meeting in Sydney, Australia.

Read More