The Job No One Wants: CyberCzar
To be honest, I’ve lost count, but I believe we have had close to eight cyberczars in the last eight years.
The White House’s acting cybersecurity czar announced her resignation Monday, saying in an interview that she is leaving for personal reasons.
Melissa Hathaway, who completed the Obama administration’s cybersecurity review in April, had initially been considered a leading contender to fill the post permanently.
[snip]
Ms. Hathaway said she took her name out of the running for the post two weeks ago.
At this point, you’d think someone smart would take a step back and re-evaluate and–more importantly–have a public conversation about what our country needs to do for cybersecurity.
As I understand it, two factors have been chasing cyberczars back to the private sector as fast as we can hire a new one. First, no one wants to demand that private sector companies meet certain standards for their cybersecurity. As a result, their vulnerability becomes our vulnerability. But in the US of A, you simply can’t ask money-making institutions to sacrifice for the public good, so one after another cyberczar realizes their job is completely unworkable, and leaves.
Then there’s the giant pissing match over turf within the government. The NSA has the best capabilities for taking on this job. But to give them the job would mean the same people spying on our emails would also be (hell, probably already are) spying on our internet use. Plus there’s the whole problem of what is basically a defense function within our day-to-day Toobz.
Now, I know the government doesn’t like to talk openly about how easily the Chinese and Israelis and Russians can waltz into our computers and fuck around. And I know how mandating that businesses do certain things cuts into the donor pool. But perhaps the problem is in the entire way we’re conceiving of the Toobz police. Perhaps it’s time to reconstitute the NSA such that the military isn’t–as they now are–given carte blanche to sneak in my metaphorical panty drawer. Maybe if we rethink this whole thing we can actually keep someone on this job for more than 18 months?
Do we not even demand that companies with defense contracts or White House contracts meet security standards? It seems like there are things even Congress isn’t allowed to know that are open secrets in the private sector.
I don’t know how old Melissa Hathaway is, but from some reports a person would have to know some of the older systems and languages to even understand how many of the systems still in use function. Homeland Security has gone through several heads of their cyber security unit only to find out that nothing was ever getting fixed and in some cases was worse. Take the FBI as an example: by the time their newest system was installed it was already obsolete, overwhelmed, and not made to do what the specs had called for. They had to trash that system and start over again if memory serves me right.
I don’t think the deficit of language and programming is a detriment to the job.
It’s the political component which is a detriment.
We already make all kinds of buying decisions based on security, including the security of our home computing. The public can handle it. It’s the corporations who can’t and they need to be forced into a fish-or-cut-bait scenario.
Frankly, the government should have the power to simply tell the public, “These products meet our security criteria, and these don’t, and here’s why,” in the simplest manner possible, and then let the free market sort it out.
Personally, I think the POTUS should go to Bruce Schneier and ask him to serve as cybersecurity czar, with his first project how to ensure the separation of military and citizen systems to keep both safe.
Hehe. In my constant search for a way to keep food on the table (and the table itself) here in 3rd world FLA, I built quite a few of those FBI computers.
They were sweetheart contracted with a company out of the DC area, Iverson Computers. The problem was that they were supposed to be TEMPEST modified (a still-classified radiated intelligence shielding regimen). They decided that they would “field modify” them to TEMPEST standards once they finished the engineering.
Everyone who has had anything to do with TEMPEST modifications just spewed their monitors and is still laughing right now. It takes MAJOR re-boxing and/or internal modifications to bring these up to spec.
We shipped thousands direct to the FBI.
This company was so rife with fraud and theft they used to use temps and turned them over every 6 months so they could hide how much the permanent employees were stealing. There was so much theft going on that there HAD TO BE huge fraud in the contract or the place would have been bankrupted in 6 months.
Preferred supplier don’t ya know.
Also, the “private sector” also includes government contractors.
I can’t imagine why anyone wouldn’t want to dual report to both the National Security Council and to the head of the National Economic Council, Larry Summers, can you?
No, those sound like fair, intelligent and open receptors of information. Who could ask for more than that?
I’m guessing based on Siobhan Gorman’s WSJ article, that in dual reporting to the NSC and the National Economic Council (Larry Summers aside), that the money folks at the NEC trump the security folks at the NSC.
Huh? I thought that it had been removed from Summers’ sticky fingers?
Although, no doubt about the fact that Wall Street will kick up a fuss — particularly after that little item that Matt Taibbi mentioned in his recent GritTV interview: that Goldman Sachs asked the FBI to nab one of their ‘former employees’ (a Russian), who’d stolen some ‘software capable of manipulating markets’ and had it on his laptop.
So yeah, one item for a cyberczar might require some attention to things like ‘complex credit default derivative codes’ and other shameless frauds. No wonder someone wants things left so that the Larry Summers-WallStreetCheats can have some … ‘input’ into cyberczar priorities and inside info.
Kind of like being chairman of the “motivation committee” and having no one show up at your meetings.
Hate to say it publicly but…isn’t it just possible that govt, ours or anybody else’s, can’t perform this function at all? Sure, you could say they aren’t doing it right and somebody has to learn, but there is the good chance that this is no longer possible, cyber being what it has become: TOO COMPLEX in a number of confusing ways. Increasingly so too.
You are on to something. Think about the problem. You have a huge government with 100,000s of mission-critical IT systems and a huge portion of the internet, plus a slew of internal networks and satellite capabilities. You have maybe 3 million or more PCs in service on federal work, including contractors. Pick a manufacturer; pick a software provider; pick a network provider; there is probably at least one system dependent on them. Every company has a crack at government business, and every company probably has something in service. And that’s just the problem you have to get your mind around. And that is just on the civilian side of the government. The military side no doubt is an order of magnitude greater.
Then you have to get consensus from every agency CIO and every data center manager through cross-agency committees on a strategy to secure information. And there is a lot of politics and budget anxiety involved in those seemingly dry technical discussions.
Finally, once you have a strategy and the buy-in of agencies, you have to get it funded by Congress, make sure that the allocation of the funding goes to the priority projects, and ensure that agency CIOs are not trying to go around the consensus to get their own ideas done.
And you have to make substantial progress within a year.
I think that the idea of a White House cyberczar is looney because there is too much complexity of technology, bureaucratic politics, and Congressional relations to deal with all at once.
And the idea of centralization is the culprit. Direct tasking of the agencies through OMB has been tried and runs aground on the limitations and priorities of funding.
Creating a GSA function to audit cybersecurity fails because it is GSA.
Most likely the best approach is one that involves DHS cybersecurity folks (you know, the folks that viruses get reported to, not the other cyber folks at DHS), OMB, GAO, and NTIS. The result should be auditable standards that OMB and GAO can oversee and individual data centers and network administration centers implement. The creation of a unified budget aggregated across agencies in order to arrive at a Congressional budget target could be another product of this sort of task force. The federal CIO should have oversight and directly report to the president on this.
It’s not that difficult. Really. What’s made it difficult is turf war and profiteering.
Take the military for example; there is no one system across the entire military because of turf wars. Army and Navy-Marine systems were separate, and at least one of them was botched up for a period of time because specs got out of hand, oversight was poor, and there was simply too much money running around loose. Each function has its own favored vendors who manage to lock in their own systems, ensuring profitability in perpetuity. The military has been hemorrhaging money on IT.
But look at the corporate world, at all the Fortune 1000 businesses. They all manage to work together seamlessly with far less friction and financial drag with regard to IT. That’s because they have adopted standards which in at least one case were developed with the help of the military. It’s called the internet.
Somehow the military is going to have to migrate to the internet — or a secure closed version of it like a greynet. And they’re going to have to ditch the lock-in by vendors, begin to think like open source enterprises. It will only happen as a direct order from the very top that they begin to map a way out of the maze. A czar won’t be able to do it, will only be able to make recommendations.
Bugs the crap out of me that the military (through the NSA) can keep so much of their domestic spying secret, but they can’t manage to keep a lock on their own system as a single entity, and on ours as citizens and nation.
[Edit: Here’s another example of serious problems which afflict the military. This system was Army-only — WHY??? why isn’t there one damned pay system across the entire military? or the government, but with adequate redundancy for security and disaster recovery? Why is this particular system so different than a commercial system like that which handles payroll for Kelly Services (largest temp employer with 750,000 employees located globally)? This crap has real repercussions on human beings; imagine having PTSD and trying to deal with the Army on a payroll error. Agh.]
Even some private systems are crap. There’s a payroll system set up to handle the outside contractors where I work, and it requires someone to come down from HR or whatever department the expert users work in, to get the new people logged into the system correctly and set up. That’s a sign of bad programming, IMO. (Also, some of the other software we use won’t run with anything more recent than IE6.)
I tangled with an earlier version of it, when it first started, and never could get into the system. Changed agencies to one that wasn’t using it, and was willing to accept a faxed timesheet instead of either the non-working computer or the triplicate-with-carbon (really!) hardcopy. And in the process of trying to get me into that first computerized payroll system, they asked, and received, my personal information, at least three times.
Tremendous irony, that
A United Nations working group on Monday urged Congress to investigate whether the US government used private contractors (aka Mercenaries) to secretly transport terror suspects to clandestine prisons.
The group said it has collected “worrying information” about companies being involved in rendition flights, but provided no other details during a news conference held to discuss the conclusion of its two-week visit to the US.
Employing contractors, i.e., mercenaries, for such sensitive and classified work can undermine accountability for those operations, the group said. Formed in July 2005, the five-member group of independent experts examines allegations of human rights violations by private military and security companies.
http://www.mlive.com/newsflash…..topstories
wonder what company or companies of Mercenaries are being looked at ???
“. . . can undermine accountability for those operations . . . .”
What’s that phrase about a bug or a feature? Our gubmint has increasingly given signals that it doesn’t want to be held accountable.
You were referring, I presume, to the ex-officio corporate offices of Goldman Sachs, Citigroup, etc in D.C. that are colloquially referred to as ‘the US Treasury’?
I recall how a few years back the government was all obsessed with NOT allowing encryption systems that would lock them OUT of private data. Seems to me that one cannot have truly secure systems without blocking the government from the data, as well. The NSA has more than passing interest in keeping the networks “accessible” to their own prying eyes. That’s another factor in why Cyber-Security will be dumbed down to the level where the government can easily hack in…which means it’s just above the lowest common denominator…and can allow those “technologically advanced” North Koreans to get in, as well.
Remember this: White House helicopter security data found on Iranian computer
Nicely summarized. The title “czar” suggests its holder ought to have at least a minimum amount of power to oversee their topic. Many, if not most, do not. The cyber czar is a nullity. The DoD will never willingly give up its dominant role in domestic intelligence – the one it’s not supposed to play – and intelligence gathering.
Private companies will never willingly adopt external or common standards that might protect their data. The process would require admitting how lax their standards are now and who that benefits (besides themselves, in having outsourced the cost of lax security onto customers and suppliers whose data is at risk).
Those standards would be expensive to adopt. Most of all, adopting them would expose data holders to liability for failing to meet them. Even if they were granted immunity for a transitional period, anything as simple as giving mandatory notice of a breach could bankrupt their public goodwill (if it happened over and over). And how big a gap would there be for law enforcement and national security purposes?
Private companies fought a pitched battle for a decade to avoid adopting European-like data privacy rules, which give citizens rights over who can collect their personal data, for what purpose and for how long. They won’t willingly adopt them now.
That’s not to say our government is correct in not demanding that they do. As with universal health care, the US is the only large industrialized country not to have a legal regime that affords greater privacy. In our quest to be a bidnessman’s Disneyland, we are fast becoming a third world nation.
Actually private companies and non-profits as well have been doing a lot, not from pressure from the government so much as from the credit card companies, in the form of the “Payment Card Industry Data Security Standard” (so identified in Wikipedia) or “PCI-DSS”. Ask the IT director of any sizeable organization that accepts credit card payments (or donations) about PCI-DSS, and they will acknowledge the fear and trembling, and all-around pain in the butt, that it brings to their daily operations. They may be already engaging in quarterly “external vulnerability scans” or they may be contracting it out to a certified provider, or they may have their heads in the sand. But most organizations take compliance seriously, because of the huge fines and bad publicity that are the downside risk.
But back to EW’s main point about the job no one wants, I think the main crunch, like much of what goes on at the top levels of gvmt, is the conflict between “rational policy” and “black ops.” At some point these sincere techno-visionaries run into walls of thuggery that can’t be penetrated, so they give up.
Bruce Schneier (Rayne at 13) would be a good choice but he would quickly find himself being asked “which side are you on” at “secret” meetings; at which point I would expect him relatively quickly to become another of the ex-cyberczars.
Totally OT – EFF has some good stuff on their site today:
And one of the EFF FOIA-requested Automated Targeting System (ATS) documents (page 11 of the 90-page PDF) released by the Department of Homeland Security has this interesting email:
Note: Some acronyms used in the email:
ATS-P – Automated Targeting System – Passenger
USCs – United States Citizens
CDP – Customs and Border Protection, part of Department of Homeland Security
(My Bold)
I especially like these parts:
And if you think this only pertains to international air travel, silly you!
And just to dot the ‘i’ and cross the ‘t’ on this particular point of Brian’s email:
Here’s the official Department of Homeland Security Retention Period policy (page 11 of the 30-page PDF) from their Privacy Impact Assessment on the Automated Targeting System (ATS):
Innocent or not, once you’re in the system, you’re in it forever!
And an edit is required here, because this is a cute one in that PIA too:
One of the major problems here is that private companies have a huge incentive to pretend that they don’t have any computer security problems. Makes it hard to get anything done.
Is that the problem, WO? I’d be curious to hear what you think should be done with cybersecurity.
high everybody
jes checkin in
I been innertoobz dysfunctional since I worked my own special brand of magic on dat laptop I had
teh techies don’t know what I did (they never do) but that thing is DEAD
so I been limited to the old beater-of-a-dell, which kinda curtails my commenting abilities
I’m not dead, I jes killed another computer
so, uh, anybody know where I can apply for this “cyberCZAR” job
I’m perfect for the job. the Chinese and Israelis and Russians don’t have a chance of figuring out the magic I got (nobody can figure it out)
I’ll check in for that application later, but till I can afford another
victimcomputer, my comments will be sparse, and don’t send any donations thru bmaz, he’ll jes waste it on beer, or donate it to a ball team known to steal young pitchers
we now return you to you’re previously announced topic
the newspaper “Federal Times” (published by the Army Times outfit) has been covering the cybersecurity matter in the federal government for several months now.
you won’t find any surprises, but you will find lots of good reporting – the kind of reporting the wapoop and ny(twi)times MAY have offered a couple of decades ago.
one bit of info: the dept of homeland security and the nsa have been fighting over this for some time.
nsa (“national security admin”, aka, our american government’s bureaucracy for spying on americans by tapping their phone calls) would like to have it all.
my take: great intro for nsa to legalize wiretapping all americans – “it’s for cyber security, don’t you know?”.
good new paper. lots of reporters. lots of useful info. occasional opinions.
$who could ask for anything more?$
OT, sorry folks.
Re: civil liberties – what happens when you’re not Professor Gates?
Family in Prince William, VA (the place that outlawed day labor pick-ups), tasered because of “public drunkenness in their backyard.”
http://rawstory.com/08/news/20…..ism-party/
a more pertinent question is : what is “cybersecurity” beyond a possible hocus pocus word.
some attacks involve attempts at denial of service.
others involve “break-ins” to prove it can be done, i.e., for fun.
yet others involve “break-ins” to get info.
how many of the one or the other are there?
how serious is this problem? or is it serious at all?
when the gov starts to speak about any type or form of “security”
any sensible citizen should begin asking simple, direct, basic questions along the lines of: “what exactly IS the threat “WE” should be frightened about.”
posaune @26
this is precisely the kind of police behavior i would have expected after our president’s cowardly coda to his intervention in the gates arrest.
had the president stayed with and elaborated on his “stupidity” remark ordinary people might have been protected from police depredations of the kind crowley visited on gates.
but of course our prez is buttercup obama, who doesn’t want to cause waves anywhere, anytime even with authoritarian police forces whom he KNOWS have abused americans of all races repeatedly in the decade since 9/11/2001.
“heroes”
“heroes”
“heroes”
hear those echos?
of “heroes”?
heroes tazering a pregnant woman in the back.
“law and order” don’t you know.
i wonder if obama will invite the tasees (“tasered subjects”) for a little lanocanine in the rose garden?
or better still maybe invite the tasers and tasees for a beer.
and prof gates, who certainly knows the harsh, oppressive experience with the police of minority americans in the u.s.?
where is his voice?
why, he had been co-opted.
he has been neutered.
so a family, hispanic i infer, had been mistreated by police in a copy cat fashion of the mistreatment of prof gates.
too bad gates didn’t have the guts to fight.
and buttercup obama didn’t have the guts to stick with “stupidity”.
I always thought the failed FBI conversion could likely have been an oopsie-on-purpose way to keep all those paper files harder to access for as long as possible. Easier access to information is no improvement when you’re invested in controlling who knows what.
matutinal (28) – I’d hope Schneier would answer there’s only one side to be on, that of the American people. Is the government using systems which do not violate the Constitution? are these systems protecting the interests of the American people? And then I’d hope he’d push back and ask in any such secret meetings exactly whose interests those people are serving. Just shouldn’t be this tough.
JohnJ (30) – yeah, I’ve heard a LOT of horror stories like that. Which is why there should not be lock-in to any vendor. Also should be looking at possibility of corruption inside gov’t; why is there such an inadequacy of oversight on these contracts?
TarheelDem (32) – yeah, the very things which make business so effective are the things they’ve forgotten they created. While I’m certain that corporate secrets are being nabbed, the systems we use on a daily basis are still secure enough to prevent rampant theft. Banking for example (don’t laugh, really, put the banksters’ bonuses aside), conducts millions of transactions every day and the leakage is quite small, in spite of the multitude of nodes and the attempted attacks every day. Why is it so bloody hard to get a single, effective and reasonably priced system set up for the government?
May I say that I am in complete awe of the scope of intelligence and insight that the firepups have in these techie matters?
Just an honor to post here.
White Papers / Reports: RFID File Tracking for Military Personnel Records
Published August 2009
The U.S. military is exploring several applications of RFID for file tracking. A 3M pilot conducted by the Personnel Administrative Center on the records of more than 8,000 soldiers at the Marine Corps Base Hawaii (MCBH) suggests the use of RFID can help improve productivity, reduce administrative errors and speed the accepting, deploying and reassigning of personnel. 3M explains how its File Tracking System and procedures can be adapted and implemented to integrate with a company’s existing computer hardware and software applications. (6 pages)
RFID Journal
RFID Journal – RFID (Radio Frequency Identification) Technology … RFID Journal is your source for timely, objective news and information about RFID (radio frequency identification) and its many business applications – RFID …
http://www.rfidjournal.com/
RFID = the technology Walmart has been trying to mandate all its vendors use to reduce cycle time on receiving and improve inventory tracking.
Personally, I think RFID is too expensive and unwarranted for paper handling. Barcoding would be a much better application for data input, reducing the 1-in-100-keystrokes error frequency related to human data entry. (btw, RFIDJournal has an article on testing RFID for tracking materials — which means they are as much as 6 years behind Walmart and reinventing the wheel to boot on our dime. [sigh])
RFID is really more appropriate to tracking goods, not paper; I could see DOD using RFID on dogtags, but is there better technology than RFID for this purpose, something both more secure and with storage capacity?
@37
Rayne, I have been tracking (no pun intended) the rise in the use of RFID for some time now. It has come a LONG way from just inventory goods.
Even magic dust sprinkles that contain RFID to track movement.
RFID Journal is a tremendous, updated source of info.
I will try to locate a story from a couple of years back involving some BUSHCO bigwigs creating a company that built RFID readers to transmit info received from general population traffic.
Most newer model vehicles have tracking devices already built in, as do the driver’s licenses of some states.
I know about the “pixie dust”, worked for a company which was exploring the possibility of manufacturing it for all kinds of applications, including automotive coatings. Imagine the paint on your car telling you that you’re pulling too close to an object…or telling OnStar exactly what you hit based on the shape of the object which penetrated the paint.
But I was talking with folks in that firm in the 2000-2001 time frame about that application. I was also working with IT folks who were working on the infrastructure behind certain pesticide systems, the kind with automated detection systems; as the pesticide lost efficacy, the point of distribution would notify the home office to come and put down more treatment.
You have absolutely no idea what kind of a nightmare that data collection system was in terms of storage. Probably should have hired AT&T to provide this, ask the installed systems to “phone home.”
An RFID system to track paper would be completely off the hook obscene; for an enterprise the size of the military, the support system would be as big or bigger than the system actually storing digital records now. It’s simply another boondoggle.
Bush-41 officials in Chinese cargo-monitor deal
GlobeSecNine – a private equity firm composed largely of top-ranking government and military officials from President George H. W. Bush’s administration …
http://www.wnd.com/news/article.asp?ARTICLE_ID=53287
BTW, I wish someone would do some research on Li Ka-shing…the dragon in the living room.
@37
The Joplin Globe, Joplin, MO – Wal-Mart’s data center remains mystery
Published May 28, 2006 12:00 am – JANE, Mo. – Call it Area 71. … A Globe request for information about the Jane data center was referred at Wal-Mart …
http://www.joplinglobe.com/local/local_story_148015054
Heh. Funny. I like the reference to NYT in 2004 and the figure 460 TB. (edit: by this I mean they should have been thinking in petabytes.)
We were dealing with 2 TB on one pesticide product alone, back in 2001.
There’s no way Walmart could do what it does with that one site alone.
Well Rayne, I have no idea what WalMart does to begin with.
YOU are the one who initially brought WalMart into the conversation.
And I thought the related article MIGHT be of interest to you and others.
It is very interesting, glad you pointed out the data center. I brought up Walmart because you brought up RFID, and Walmart has been the single largest driving force behind its development.
The point of the RFID technology and Walmart in this discussion is several-fold, beginning with the fact that the military can’t seem to do what corporations do and with any oversight, and that the challenge is probably smaller than corporations face on smaller budgets.
If folks read the content you’ve linked, it will help them grok the issue.
But even the reporting is challenged, as the one article’s reference to NYT demonstrates; folks outside of IT might not realize it. Maybe that too, is part of the problem: hard to know you have an oversight problem if you don’t know the information being presented is flawed.
Could ultimately be why we lose so many cyber-czars. They may leave just about the time they realize everybody they’re working with is and has been lying all along, and they don’t have the power to do anything about it.
May I suggest Lurita Doan as new CyberCzarina?
(Snark…)
“hard to know you have an oversight problem if you don’t know the information being presented is flawed…..”
Umm, wasn’t that how we got into the Iraq war?
GlobeSecNine’s chairman of the board is Brent Scowcroft, who served as national security adviser to Presidents Reagan and George H. W. Bush. He also was chairman of President George W. Bush’s Foreign Intelligence Advisory Board from 2001 to 2005. From 1982 to 1989, Scowcroft also served as vice chairman of Kissinger Associates.
GlobeSecNine – a private equity firm composed largely of top-ranking government and military officials from President George H. W. Bush’s administration – has investment ties with the Chinese firm Hutchinson Ports Holdings that is joint-venturing to place cargo reading sensors on the planned Interstate-35 Super-Corridor.
On April 21, 2005, Savi Technology, Inc., then a private company, created Savi Networks LLC, a new joint venture company, with Hutchinson Ports Holdings to install active RFID (Radio Frequency Identification) equipment and software in participating ports around the world and to provide users with the information, identity location and status of their ocean cargo containers as they pass through such ports.
Tom Ridge, the first secretary of the U.S. Department of Homeland Security, joined the Savi Technology board April 5, 2005, just prior to the deal.
On the same day, April 21, 2005, HPH made a concurrent $50 million investment in Infolink Systems, Inc., the parent company of Savi Technology, which provided HPH with 10 percent of Infolink on a fully diluted basis.
On May 4, 2005, GlobeSecNine, made a $2 million strategic investment in Infolink Systems, Inc., the parent company of Savi Technology.
On June 8 of this year, Lockheed Martin acquired Infolink Systems, Inc., thereby acquiring Savi Technology, Inc.
A spokesperson for Lockheed Martin confirmed that the HPH interest in the joint venture subsidiary, Savi Networks, survived the acquisition of Infolink by Lockheed.
Source: Bush-41 officials in Chinese cargo-monitor deal
GlobeSecNine – a private equity firm composed largely of top-ranking government and military officials from President George H. W. Bush’s administration …
http://www.wnd.com/news/article.asp?ARTICLE_ID=53287
it seems to me that there may be some larger over-riding conflicts associated with the hot-seat cyberczar position than the two mentioned:
1) perhaps the cyberczar would have to cull through all of the security breaches sustained by the NSA and whatever the new acronym of CIFA is. if there is any validity to this conjecture then maybe the cyberczar would have to have a clearance that would be tantamount to that of the new information security overlord b/c every time there was a breach he would have to be able to eliminate whatever the warrantless wire-tapping folks have recently cooked up in terms of cyber-theft.
2) maybe the hot-seat is so hot b/c of where all the blame will be directed in the event of a major catastrophic breach, e.g., in the economic sector, and in conjunction with emptywheel’s first point (lack of real control) makes the position potentially toxic.
3) lastly, it’s likely that the us of a is the real violator on the international scene and any additional attention drawn to the serious criminals is a sine qua non, i.e., the 12 trillion dollar bank bailout–has any country even remotely engaged in such outright theft on such an audacious scale? The us govt has taken $40,000 from each and every american and given it to the law-breaking and irresponsible banks. (maybe the position is irrelavant b/c the illegality is so rampant that a cyberczar would only be over-seeing the vast electronic robberies and theft of personal information of private citizens, such as that of political opponents and politically unsavory types.)