Archive for January, 2009

Cybersecurity Under the Obama Administration

Tuesday, January 6th, 2009

There has been a flurry of attention recently about cybersecurity under the new Obama administration.

Last month the federal CIO Council published the charter of the Information Security and Identity Management Committee, which will serve as the official forum for agencies’ data and network protection efforts.

Also in December, a report by the Center for Strategic and International Studies (CSIS) called for a range of organizational changes, including putting in place a White House cybersecurity czar. The report, prepared by a blue ribbon panel of experts, is an excellent piece of analysis.

There were early indications that the Obama administration might adopt the CSIS approach. In fact, there has been some talk that one of the report’s lead authors, Paul Kurtz, might be asked to assume the czar role. Paul is an outstanding leader in the cybersecurity world and would make an excellent choice.

However, it now appears that senior Obama national security team leaders have cooled on the idea of cybersecurity being run out of the White House. The current scuttlebutt is that there will be an assistant to the president for cybersecurity, most likely positioned on the National Security Council staff. If this ultimately becomes the Obama approach, it would seem that, at least with regard to form, the handling of cybersecurity within the next administration will not differ all that much from prior administrations.

Assuming this glide path, some will criticize the Obama team for not making more significant changes to the form or structure of cybersecurity. To this end, the Institute believes that while a reorganization along the lines of the CSIS recommendations would be a major step forward, a fundamental, substantive change in approach is what is really required. In other words, as appealing as moving the deck chairs can be, a change in course is a more pressing need.

The Bush administration’s approach to cybersecurity has avoided, like the plague, anything that smacks of benchmarks, standards or requirements. The present administration’s refusal to actually drive cybersecurity was so pronounced that at one point its most promising cybersecurity official, Amit Yoran, abruptly resigned.

Without any impetus to drive cybersecurity, the government and industry have coalesced around the status quo: an inherently insecure digital world.

“We are more secure than ever before.” Yes, but we are still not secure.

“We are as secure as our competitors.” Yes, but that just means all of you are insecure.

The status quo will not change on its own, sua sponte. Unless something forces a change, nothing will change.

This problem is most pronounced within the private sector, which owns the vast majority of the critical infrastructure systems our society is dependent upon. There are virtually no real cybersecurity standards for the vast majority of the corporate sector—even those companies that are vital to our economy and our lives. A few statutes require some measure of cybersecurity, but these standards are so ill defined as to be toothless. For example, Sarbanes-Oxley requires corporate leadership to certify that adequate information control systems are in place. However, there is no minimum standard for what constitutes adequacy. Similarly, the Gramm-Leach-Bliley Safeguards Rule requires financial service companies to develop programs to protect information. However, what that standard means is left largely to the companies to decide. As a result, most of our critical infrastructure is inherently insecure.

Across the federal government, there are no baseline security requirements for the vast majority of agency systems and technologies. While our classified systems are better protected, even these systems almost all run on operating systems that are inherently insecure.

The Obama administration needs to look at ways, ranging from sticks (standards and sanctions) to carrots (grants and incentives), to drive a new approach to cybersecurity.

There is a vast range of sticks that the Obama team can choose from to push better cybersecurity, ranging from more traditional command approaches (which may have limitations) to more creative frameworks. For example, almost two years ago I co-authored a paper for the Center for American Progress, which is led by John Podesta, the head of the Obama Transition team, that called for the use of disclosure requirements under the rules of the Securities and Exchange Commission for corporate security matters. Such an approach could easily be focused on cybersecurity.

Another approach would be to provide companies that implement high-level, proven-secure technologies with incentives to offset the cost. Such incentives could be in the form of tax breaks (e.g., allowing additional deductions or faster depreciation). Alternatively, the federal government could fund cyber improvements through direct grants. Such funding might be considered as part of the infrastructure stimulus package now being considered—after all, today’s economic infrastructure is as much digital as it is roads and bridges.

On a positive note there does seem to be added focus on improving private sector cybersecurity within the agencies as they prepare for their new Obama administration leaders.

Interestingly, within this mix there is a serious move afoot to shift some or all of the lead for critical infrastructure cybersecurity away from the Department of Homeland Security and over to the National Security Agency (NSA). And, a transition period is the perfect time for such a power move.

At first glance putting the NSA in charge of private sector cybersecurity may seem odd. However, upon deeper analysis this shift may have a certain appeal.

At the outset, it should be noted that making the NSA the lead on private sector cybersecurity does raise a number of legitimate concerns. These concerns are clustered around the “Big Brother” aura that many attribute to the NSA. One outgrowth of that aura is that some are concerned that if you put the NSA in charge, it will swallow up the entire policy area. As cybersecurity is a cross-cutting issue, which will require a host of actors from across government and industry to play a role, that singularity of control could prove a bad thing. Some also worry that the NSA often functions as a black hole, which seems to run counter to the openness of the Internet realm. Finally, some worry that the NSA lacks the institutional knowledge of how to deal with the commercial world and markets—however, this concern is countered by a full grasp of the NSA’s existing involvement with the private sector.

All of these are valid concerns, and if the NSA is given a larger role, they should be balanced and addressed in the new approach.

That said, there is something to be said for shaking things up. If you aren’t shaking the tree all you eat are the rotten apples off the ground.

Cybersecurity efforts are presently spread across a number of departments but are concentrated within the Department of Homeland Security (DHS). DHS has been out front in the Bush administration’s “please walk with me brother” approach to private sector cybersecurity. A shift away from DHS could send a signal to the private sector that the old way has produced inadequate results and insufficient security. Such a message could help break the inertia within the corporate ranks.

Second, the NSA is the laboring oar in the federal government’s technology security certification programs. As a result it has extensive expertise in reviewing and analyzing the real security of IT systems. The agency also has many of the world’s best penetration experts on staff. This would give the NSA a major leg up in managing a set of carrots or sticks, or both, to drive private sector cybersecurity; they would know which systems meet the mark and which fall short. These capabilities mean that a shift to the NSA could be much more than a bureaucratic reshuffling of the deck chairs.

Third, the NSA, by virtue of what it is and what it does, has a certain aura. This is the positive edge of the Big Brother double-edged sword. Companies have become rather comfortable dealing with DHS—gone are the days when companies just saluted like good foot soldiers when DHS called. Being “invited” into a discussion with the NSA might help move the dialogue, and real security, along.

Fourth, information security and confidentiality are major concerns the private sector raises at the first mention of any federal cybersecurity program touching on their corporate data and secrets. The NSA is nothing short of masterful at keeping secrets.

Fifth, and perhaps most importantly, even within the private sector, the NSA cybersecurity experts are highly regarded. After all, they guard secrets that make the Colonel’s secret recipe or any other corporate matter pale in comparison. This cachet might enable the NSA to work more productively within the tech community.

Sixth, the NSA director also occupies a special place within the national security apparatus—a place that no DHS secretary to date, not even Gov. Ridge, has attained. Putting corporate cybersecurity, and perhaps even federal cybersecurity, into the director’s hands could elevate the issue, which, as a practical matter, is vital for progress with the bureaucracy of the federal government. Bureaucrats are much less likely to tangle with someone who has a direct line to the president on his speed dial. In fact, such an elevation was the underlying goal of the CSIS proposal for a cybersecurity czar within the White House. The NSA approach might achieve that same result, albeit in a different way.

This is not to suggest that the NSA approach is the only solution. For example, a DHS approach, with the secretary armed with a strong mandate to make real change, could also produce results. In fact, it seems harsh to blame DHS going forward for following the orders of the past president. An energized, empowered DHS could also drive change. At the same time, a White House cybersecurity czar of the sort envisioned by CSIS, which seems to have fallen by the wayside, could also force progress. However, the NSA approach does have certain pluses, and the mere fact that such a change might be in play suggests a level of action that has been lacking to date. And, perhaps most importantly, it seems to at least still be in the mix.

With so much action taking place, it seems that there is a strong potential for real substantive progress in the cybersecurity realm. Within that context, moving away from the laissez-faire approach to cybersecurity would be a major step forward for the new Obama administration, no matter how it opts to do so.