The release of Comprehensive National Cybersecurity Initiative’s 12 key goals is part of the Obama administration’s quest for transparency, said Cybersecurity Coordinator Howard Schmidt in a March 2 White House blog post announcing the declassification. Bush created the initiative in 2008 and few details were available about it before the March 2 release.

Schmidt wrote:

We will not defeat our cyber adversaries because they are weakening, we will defeat them by becoming collectively stronger, through stronger technology, a stronger cadre of security professionals, and stronger partnerships.”

Portions of the initiative outlining cyberwarfare plans remain classified.

To read the 12 initiatives, click here.

That’s the scenario former senior administration officials will operate under Tuesday as they show how the government would respond to a potential cyber crisis.

More than a dozen officials will participate in the exercise Tuesday at the Mandarin Oriental Hotel in Washington, D.C., where they will illustrate tactics and processes government officials may use during a major cyber attack. The event is open to the media, and the Federal Times will cover it.

The event is sponsored by the Bipartisan Policy Center, a Washington-based policy think tank. The center says the drill will be realistic and show the pressures officials would face in the event of an attack.

The participants, whose mission is to advise the president and mount a response to the attack, will not know the scenario in advance. They will react to the threat in real time, as intelligence and news reports drive the simulation, shedding light on how the difficult split-second decisions must be made to respond to an unfolding and often unseen threat.”

Former senior administration officials participating include:

• Former Homeland Security Secretary Michael Chertoff as National Security adviser;

• Former Director of National Intelligence John Negroponte as secretary of State;

• Former White House Homeland Security Advisor Fran Townsend as Homeland Security secretary;

• Former Central Intelligence Director John McLaughlin as director of National Intelligence;

• Former Sen. Bennett Johnston as energy secretary;

• Former National Economic Council director Stephen Friedman as treasury secretary;

• Former deputy attorney general Jamie Gorelick as attorney general;

• Former White House press secretary Joe Lockhart as counselor to the president;

• Former National Security Agency general counsel Stewart Baker as cyber coordinator;

• Former deputy commander, U.S. European Command Charles F. Wald as Defense secretary.

Schmidt spent about 18 months in the Bush administration, from December 2001 to May 2003, before returning to the private sector. He has also worked as Microsoft’s chief security officer, and eBay’s chief information officer; the White House says Schmidt’s close ties with industry were a factor in his appointment.

The Washington Post first reported the news of Schmidt’s nomination last night. Schmidt was long considered one of the two front-runners for the job, which Obama announced he would create during a White House speech on cybersecurity in May.

We’ll have more details about the announcement, including reactions from the cybersecurity community, throughout the day.

One other item of note that didn’t quite fit into the TSA story: Sen. Jay Rockefeller, D-W.Va., offered a bit of insight into his thinking on cybersecurity. Rockefeller said he was worried about President Barack Obama’s plan to name a “cyber czar” — but, unlike other legislators, he’s not concerned that the czar will be unaccountable to the Senate. Rather, he’s worried that the new cyber coordinator, who will report to the National Economic Council and the National Security Council, will have too many bosses:

We say there ought to be somebody who reports only to the president. If that’s another “czar,” then that’s the kind of czar you want to have, because that [cybersecurity] is the number-one national security threat to the United States. I feel there ought to be somebody who reports directly to the president… otherwise we’re going to drift away from cybersecurity being the top priority.

Rockefeller and Sen. Olympia Snowe, R-Maine (they’re the “we” in that quote) have introduced legislation that would create a “czar” accountable directly to the president.

But that’s not the only important decision on which Obama has delayed. There’s also the question of appointing a “cyber czar,” a White House official to coordinate cybersecurity policy. Obama announced the new position in May, during a White House speech on cybersecurity, but the position has remained vacant for more than five months.

The delay is starting to attract criticism. Rep. Jim Langevin, D-R.I., said last week that he was frustrated with the delay. TechAmerica, an IT industry group, put out a press release this afternoon calling on Obama to appoint a czar “at the earliest possible opportunity.”

Why is the decision taking so long? I’ve posed this question to a few people in recent weeks.

The consensus seems to be that, at first, nobody wanted the job. Several cybersecurity officials have resigned in frustration this year: Mischel Kwon, formerly in charge of US-CERT, stepped down in August; and Rod Beckstrom, the former director of the National Cybersecurity Center, resigned in March.

There’s a general sense that cybersecurity officials don’t have the authority and resources they need to do their jobs — and that scared off a number of would-be applicants for the cyber czar job.

But it seems the White House is finally close to a decision. Several sources told me it could come by the end of the month — perhaps timed around Thanksgiving, when Congress is out of town. (The announcement will surely prompt cries of “what took you so long,” and the administration wants to minimize those.)

The Homeland Security bill provides $42.63 billion for the agency, compared to President Barack Obama’s $42.83 billion request for fiscal year 2010. In 2009, the agency received $39.98 billion.

The bill cuts $135 million requested for agency operations due to “staffing vacancies, redundant policy initiatives and poorly justified request to consolidate DHS headquarters for those agencies not moving to St. Elizabeths,” according to a committee news release.

The bill includes:

• $10 billion for Customs and Border Protection, $82 million less than Obama requested, due to slight cuts in funding requests for multiple programs. This is $147 million more than the 2009 funding.

• $5.4 billion for Immigration and Customs Enforcement, $30 million less than the president’s request but $439 million more than 2009.

• $382 million for cybersecurity, $19 million less than the president requested and $68 million more than 2009.

The committee also approved the $3.7 billion draft bill to fund the Legislative Branch, $300 million than requested but $600 million more than 2009.

The bill includes:

• $559 million for the Government Accountability Office, $9 million less than the president’s request and $28 million more than 2009.

• $45 million for the Congressional Budget Office, $1.2 million less than Obama requested and $1 million more than 2009.

The House plans to take up the Homeland Security bill Friday and the Legislative Branch bill June 24.

He did, however, rattle off a few interesting statistics about the cost of cybersecurity:

Cyber attacks on our military networks have not cost any lives, not yet. But in a six-month period, the Defense Department spent more than $100 million defending its networks… and we spend billions annually in a proactive effort to protect and defend our networks.

$200 million annually on cybersecurity — and just at one department. (The largest department, I know, but still…)

Hathaway confirmed her candidacy for the “cybersecurity czar” position to reporters after a speech at the Center for Strategic and International Studies, a Washington, D.C. policy group. Hathaway said the administration is considering several candidates but President Barack Obama has not yet conducted any interviews.

Hathaway, who led the White House’s 60-day review of cybersecurity policy, said Obama is deeply interested in improving cybersecurity and his leadership will help institute change.

“It’s personal to him … they’ve tried to hack into his BlackBerry on a regular basis. This president is going to drive this forward, and it’s being raised on a weekly basis,” Hathaway said.

Nonetheless: In the next five days, the Obama administration is probably going to release a more detailed 2010 budget proposal, its cybersecurity review, and the details of the bank “stress tests.”

Busy week. The details of the stress tests have been slowly leaking out — Citigroup and Bank of America both need more capital — and it’s an open secret that the cybersecurity review will call for a big White House role in cybersecurity. But it will be interesting to dig into the specifics. And, of course, there’s the budget, which will surely set off a political firestorm on Capitol Hill. (We’ll have full coverage of the budget after it’s released on Thursday.)

But the government is also improving its offensive capabilities, a story that gets far less coverage. The New York Times has an interesting article about it this morning:

President Obama is expected to propose a far larger defensive effort in coming days [...]

But Mr. Obama is expected to say little or nothing about the nation’s offensive capabilities, on which the military and the nation’s intelligence agencies have been spending billions. In interviews over the past several months, a range of military and intelligence officials, as well as outside experts, have described a huge increase in the sophistication of American cyberwarfare capabilities.

The whole thing is worth a read. There’s a lot of concern about U.S. defensive capabilities — justified concern, in this reporter’s opinion — but it sounds like the offensive side is in much better shape.

Unfortunately, that didn’t happen, apparently because the administration hasn’t read the final report yet. I’m told that the White House deputies committee is meeting to review it today or tomorrow. So we’ll probably see a final copy early next week.

Hathaway did confirm that the final report calls for the White House to coordinate governmentwide cybersecurity policy. (If you want to watch her whole talk, it’s posted here.)

There was one other item from the RSA conference that caught my attention — details after the jump.

You might remember Adm. Dennis Blair’s testimony (pdf) before the House intelligence committee in February. He said the NSA should run governmentwide cybersecurity:

I think there’s one key aspect of this future cyber strategy which this committee and your counterpart in the other body can really help us with, and that is the role of the National Security Agency outside of the intelligence, its intelligence functions. I agree with you; the Department of Homeland Security is finding its footing in this area. The National Security Agency has the greatest repository of cyber talent.

But on Tuesday, during his speech to the conference, Lt. Gen Keith Alexander, the NSA director, said this:

We do not want to run cybersecurity for the United States government. That’s a big job.

Who’s going to be in charge? We’ll find out next week…

U.S. government systems are still popular targets (nearly a quarter of attacks on government systems target the U.S.); most of the attacks come from China, it seems.

NSA effectively controls DHS cyber efforts through detailees, technology insertions, and the proposed move of… the NCSC to a Fort Meade NSA facility. NSA currently dominates most national cyber efforts… I believe this is a bad strategy on multiple grounds… the intelligence culture is very different than a network operations or security culture…

We’ve posted the whole letter; you can read it here.

The hacker breached 48 FAA files, two of which contained the personal information. Only employees on the payroll as of the first week of February 2006 are affected. Those individuals will be notified by letter and law enforcement has been notified, FAA said.

In a statement FAA said:

The FAA is moving quickly to prevent any similar incidents and has identified immediate steps as well as longer-term measures to further protect personal information. The agency is also providing a toll-free number and information on the employee website for those who believe they may be affected by the breach.

Air traffic control systems and other FAA operational systems were not compromised in the breach, according to the agency.

The president officially made that announcement last night, just before his prime-time press conference. Melissa Hathaway, currently the top cybersecurity official at the Office of the Director of National Intelligence, will lead the review; she’s expected to become the nation’s first “cyber czar” after the review is complete.

The White House’s full announcement is after the jump.

President Obama has directed the National Security and Homeland Security Advisors to conduct an immediate review of the plan, programs, and activities underway throughout the government dedicated to cyber security.

This 60-day interagency review will develop a strategic framework to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector.

“The national security and economic health of the United States depend on the security, stability, and integrity of our Nation’s cyberspace, both in the public and private sectors. The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties,” said Assistant to the President for Counterterrorism and Homeland Security John Brennan.

Melissa Hathaway, who has served as Cyber coordination Executive to the Director of National Intelligence, will lead the review and will serve as Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils during the review period.

Gilligan said the current approach is too focused on compliance with hundreds of pages of NIST regulations. He said the next administration should focus on “letting offense inform defense”:

We should leverage experts from across the hacker-defender communities to help us determine, as we did in the Air Force… where should we be focusing our investments?

He was referring to an exercise the Air Force did with hackers from the National Security Agency, who found that 80 percent of the service’s vulnerabilities came from poorly-configured commercial software. That exercise led to what eventually became the Federal Desktop Core Configuration.

Gilligan said the government should do more of those exercises, and focus on fixing the vulnerabilities they identify.

Or, as Paller put it, the focus should be on “trying to secure systems, rather than securing compliance.”