News from the White House that a federal chief information security officer would be hired within three months likely spurred a collective cheer among some of the most innovative cyber minds. This is a good thing. Long overdue.

But would any of them even qualify for the job?

I ask not to discredit the effort by the Obama administration to draw from the Silicon Valley tech community. Amid the hype we've seen some success with that – federal offices are sprouting up out west, government executives are paying visits to companies like Google, and West Coast transplants like Tony Scott and Megan Smith are actually shaping tech policy from the White House in a meaningful way.

But there have been letdowns too. Ashkan Soltani, slated to join the White House Office of Science and Technology Policy as a senior adviser to chief technology officer Smith, was not granted the necessary security clearance. We don't know why. But it's a shame. Soltani is an ideas guy – he proved that as chief technologist at the FTC, and even as an investigative reporter at the Wall Street Journal and Washington Post. Now he's out.

And the truth is that such challenges could only be more pronounced for a federal CISO, because of this inconvenient truth: some of the most qualified individuals honed their cyber skills engaging in activities that are less than legal. Federal CIO Tony Scott said as much, as reported by our own senior reporter Aaron Boyd shortly after his return from the Black Hat hacker conference: "In some cases, those folks, because of their background or past experiences just aren't going to be eligible to be federal employees," Scott said.

I'm not advocating for criminal records or even risky behavior to be disregarded for the sake of government innovation. Nor am I claiming that the only qualified individuals for the job would be former hackers. I just wonder whether the pool of qualified applicants – qualified in terms of skills, but also their ability to be hired by White House standards – might prove a bit small. (Now, it's very possible too that the administration already knows full well who they plan to hire. Even if that is the case, were they compelled to eliminate some interesting candidates along the way?)

Five years ago I interviewed Marc Maiffret. He was a founder and CTO of cyber company eEye at the time, credited for discovering the first Microsoft computer worm Code Red, and someone who had testified before Congress about the cyber vulnerability of our nation's critical infrastructure. He was also formerly known as "Chameleon," "Rhino9" and "sn1per" – pseudonyms he used while breaking into some of the nation's computer networks. Who knows whether he'd ever get hired for a federal job. But as he put it to me then, the people from the security and research industries who are invited to brainstorm with the feds have worked on and off in D.C. for 10-plus years and are just as entrenched in the bureaucratic way of doing things.

Again, that was five years ago. It's better than it was. But my hope with this hire is that the White House remembers that government doesn't need another cyber czar – an adviser on policy to respond to global cybersecurity risk. It has that. What government does need is a technologist. A coding genius. A person who can come up with a way to protect networks because he or she knows exactly how hackers would break in.

And they just might know because they've tried it.

Jill Aitoro is editor of Defense News. She is also executive editor of Sightline Media's Business-to-Government group, including Defense News, C4ISRNET, Federal Times and Fifth Domain. She brings over 15 years’ experience in editing and reporting on defense and federal programs, policy, procurement, and technology.
