After announcing in May that defending the nation's digital networks was among his administration's top priorities, President Barack Obama took seven months to finally name a cybersecurity chief, not exactly an urgent response.

Obama has named Howard Schmidt, a veteran in computer security with both government and private sector experience, to the post. In prior jobs, Schmidt headed Internet security operations at both eBay and Microsoft.

Some will no doubt note the irony, since Microsoft hasn't historically had the best reputation on Internet security issues.

Another irony: even as Schmidt was being introduced as the new cybersecurity czar, The Wall Street Journal was reporting that Citibank was hacked by Russian bad guys and that the Federal Bureau of Investigation was on the case. Citibank denied the story.

Schmidt was most recently president of the Information Security Forum, which describes itself as "the world's leading independent authority on information security."

It took Obama so long to name a cybersecurity czar that some observers had concluded it likely wasn't going to happen this year.

To wit, an excerpt from a Dec. 18, 2009 Computerworld.com piece:

Today, with less than two weeks left in 2009, seven months after the announcement, there appears little chance that the Obama administration will name someone to the post. Even if it does, chances are high that the appointee will wield little clout in influencing real change on information security issues.

 

The writer, Jaikumar Vijayan, did a deft job of covering his bases by allowing the possibility that someone could be named before the year was out.

But his point, that the person wouldn't have enough power to make things happen, is a concern many experts have had ever since it became clear that the new post would be something of a Pushmi-pullyu between the National Security Council led by Marine Gen. James Jones (ret.) and Larry Summers, chair of the National Economic Council.

Stewart Baker, a partner at Steptoe and Johnson who was an assistant secretary at the Homeland Security Department during the Bush Administration, told me a few months ago that one major problem was the conflicting goals of the White House's national security and economic teams.

Baker said:

"My sense is there are still parts of the Obama White House that are still in that mode, if you regulate here, if you try to do anything about this, you national security guys, you're just so ham-handed you'll screw up the economy. You'll screw up innovation in IT.

"The NEC would say 'Our job is to make sure you don't actually do that.' And so when they announced that whoever got this job was going to have to report to the NEC and the NSC, well that was basically a determination that this person wasn't going to do anything really serious. It means that people looking at this job are going to say 'What can I accomplish if I have to achieve consensus between Gen. Jones and Larry Summers?' And it's not easy to do. You don't see an easy way to find the consensus.

"The only reason to take that job is if you think expectations are so low that if I do anything people will think I overachieved. But they're having trouble finding people I think that want to take the job."

The Computerworld piece names some who turned down the post:

The manner in which the role has been defined has left the White House with few takers for the job, with numerous high-profile individuals reportedly declining offers, including Microsoft's Scott Charney, Virginia Sen. Tom Davis, and RSA's Art Coviello.

Clearly aware of the skepticism about how effective the new post can be given the competing agendas of the NEC and NSC, the White House made the following point through an e-mail from John Brennan, Assistant to the President for Homeland Security and Counter Terrorism:

Howard will have regular access to the President and serve as a key member of his National Security Staff. He will also work closely with his economic team to ensure that our cybersecurity efforts keep the Nation secure and prosperous.

When I talked with Baker months ago, however, he anticipated the arrangement would have a fatal design flaw.

"(Obama) has basically said 'I'm the guy in charge. I'm the czar of cybersecurity. I'm going to fix this problem.' He's made a high stakes bet that he can do something about it. I'm not sure he can. This problem is very bad. It's going to require some pretty dramatic action. The way the position has been organized and the way the battle lines have been drawn, the most likely outcome is that everybody cancels themselves out. And you end up with the status quo for a long period of time. Sooner or later we'll get a bad outcome."

One of the lessons of Washington, sometimes there's good reason for this, you don't usually do anything until there's a crisis. We obviously changed our approach to the border when we had 9/11 even though prior to that there had been just lots of resistance, stasis and status quo.

And I think with cyber right now we have all the stasis and the status quo and the conflicts. The sort of trench warfare of Washington policymaking. And it's only if there's some disaster that makes people realize that the status quo is not sustainable that will produce changes in policy.

My guess is you'll have to have some kind of pretty severe security meltdown. I don't know what that will be.

Knowing the history of how cybersecurity has been handled in Washington, Baker wasn't optimistic.

"We've been hearing for ten years that cybersecurity is a big problem. This is the third president who has said 'I'm going to do something about this' (Baker pounded the table the way a president would for emphasis) and not much successful has been done.

And the reason is, the press, the public, business have said 'Oh, you guys, go take a shower. We'll handle it from here. There's probably some privacy problem with what you're trying to do. Just cool your jets.' Privacy campaigners who've been putting a stick in the spokes of this for the last ten years have ironically guaranteed that governments are turning on their cameras, turning on the mics in their homes watching them at home. The full 1984 nightmare. It's just not the U.S. government, it's any other government that is willing to use these tools."

Baker pointed me to the hacking of the computer network of the Dalai Lama's Tibetan government-in-exile, a particularly nefarious one since the malware was distributed along the network and among the Dalai Lama's allies by electronically hitchhiking on ostensibly benign files like Word documents that recipients were expecting from people they knew and trusted.

The malware took control of computers, turning on their mics and cameras and effectively transforming them into bugging devices. Investigators saw indications the pilfered data was being sent to servers in China.