President Obama announced Friday that he has appointed the first chief information security officer (CISO) of the federal government, part of a continued effort to bolster cybersecurity during the latter years of his administration.
Gregory Touhill, who is currently the Department of Homeland Security’s deputy assistant secretary for cybersecurity and communications, has accepted the job to protect federal infrastructure and data from hacks and analyze potential security risks – a position that serves to underscore how much cybersecurity issues have become a top White House priority.
"In the past there has been the federal cyber security 'czar' who reported directly to the White House, but that position was all about outward-facing policy and talking about cyber security," John Pescatore, the director of emerging security trends at the SANS Institute, a cybersecurity company, tells The Christian Science Monitor. "What the federal government has lacked was an inward-facing chief security officer whose goal is to make the federal government more secure, versus to talk about cyber security in general or to weigh in on policy matters."
Mr. Touhill, a retired US Air Force brigadier general, will begin his new job later this month, Reuters reports. Because it is a political appointment, the 45th president of the United States could choose to replace him.
Grant Schneider, a career government employee who is the director of cybersecurity policy at the White House’s National Security Council, will be Touhill’s acting deputy CISO.
The position itself was announced in February as part of Obama’s Cybersecurity National Action Plan (CNAP), but has remained unfilled in the intervening months. Along with the installation of a federal CISO, CNAP included plans to create the Commission on Enhancing National Cybersecurity, to run a cybersecurity awareness campaign, and to encourage Americans to secure their online accounts. The president's fiscal year budget proposal for 2017 called for $19 billion to boost cybersecurity.
Although CNAP was announced well before the server hack of the Democratic National Convention or the state election hacks, which US intelligence officials believe Russia was behind in an attempt to influence the Nov. 8th election, those security breaches will create ripples throughout the government.
"All of these other organizations – the DNC, campaigns – that are not part of the government, but are also part of the political system, they also need to have CISOs and they need to take the issue more seriously in terms of what they are doing," Tom Cross, the co-founder and chief technology officer of the cybersecurity firm Drawbridge Networks, tells the Monitor. "There seems to be a leadership gap there, and the appointment of the federal CISO is an important step in terms of having better information security leadership in the federal government, it is sorely needed."
The DNC and state election hacks have served as a wake-up call, not just for the federal government, but also for the American public, which is becoming keenly aware of what a breach in cybersecurity could really mean.
"It really scares me that the Russians are starting to interfere in American elections," Herb Lin, a senior research scholar at the Stanford Center for International Security and Cooperation and a research fellow at the Hoover Institution, told the Monitor in July. "The idea that we might elect a president in part because Putin favored him is a little bit mind-boggling to me. But I'm just one of 323 million people.... Could it shake public confidence in an election?"
With a public that is increasingly aware of what is at stake in cybersecurity threats, and a government that is anxious to get the upper hand on the situation, Touhill will have his work cut out for him – assuming that he will have the authority and resources to be effective in the position, which Mr. Cross and others in the information security world are worried about.
"The challenge of any CISO is to get an organization to appreciate the value of the changes that they are proposing and be willing to accept additional security control and to understand why those controls are worth the effort and the money," he says.
[Editor's note: In the original story Tom Cross was incorrectly identified.]