President Obama is only a couple of weeks out of office, but his legacy on cybersecurity is already getting reviews – mixed reviews.
According to a number of experts, Obama said a lot of good things, did a lot of good things and devoted considerable energy to making cybersecurity a priority, but ultimately didn't accomplish the goal of making either government or the private sector more secure.
The most recent, stark illustration was the series of leaks, enabled by hacks that US intelligence agencies attribute to Russia, that undermined both the credibility of Democratic presidential candidate Hillary Clinton and the election itself.
As Kevin Murray, director of Murray Associates, a counterespionage consultancy, put it, “government can make as many policies as it wants, but if it doesn’t solve the problem, what good is it?”
Or, as Paul Rosenzweig, founder of Red Branch Consulting, former Department of Homeland Security (DHS) official under President George W. Bush and frequent contributor to the Lawfare blog, put it, “they had the tools, they just chose not to use them when the chips were down. I don’t know why.”
Government can make as many policies as it wants, but if it doesn’t solve the problem, what good is it?
Kevin Murray, director, Murray Associates
That is significant, given that one of the prime constitutional responsibilities of government is to “provide for the common defense.” Over the past decade, cybersecurity has approached the same level of importance as military or law enforcement security. The potential damage from cyber attacks has grown from the nuisance level to crippling.
At the physical level, top government officials have warned multiple times of the risk of a "cyber Pearl Harbor" attack from hostile nation states, terrorists or criminal gangs. There are continuing, and persistent, reports of vulnerabilities in the nation’s critical infrastructure.
At the economic level, Gen. Keith Alexander, former director of the National Security Agency (NSA) and head of US Cyber Command, said in 2012 that economic espionage – mostly by China – had led to, “the largest transfer of wealth in human history.”
Certainly this was not due to a lack of attention from Obama, who declared cybersecurity a priority at the beginning of his presidency and mentioned its importance in nearly every State of the Union address.
The list of initiatives, orders, policies and legislation coming during his watch is long and impressive. It includes:
- In February 2009, Obama ordered a review of the state of cybersecurity in government. In May, he announced the "Cyberspace Policy Review," which he said would result in a “coordinated cybersecurity plan” to be run from the White House, and intended to, “deter, prevent, detect and defend” against cyber attacks.
- In June 2009, what had been a provisional US Cyber Command since 2006 became permanent. The goal is a staff of 6,000, but as of last year, it was reportedly still at about two-thirds of that. However, there is general agreement among experts that the US has, "the most powerful cyber arsenal in the world."
- In response to a 2013 Executive Order from Obama, the National Institute of Standards and Technology (NIST) issued a "Cybersecurity Framework" in February 2014 – a document that set standards for both the private and public sector, and that has undergone various updates. The latest draft update, aimed at improving security for critical infrastructure, was issued in January, shortly before Obama left office.
- In June 2015, the administration released M-15-13, a “Policy to Require Secure Connections across Federal Websites and Web Services,” which set a deadline of Dec. 31, 2016 for all agencies to use encrypted HTTPS websites and web services.
- According to the General Services Administration, as of this month, while compliance is far from 100 percent – ranging from 43 percent to 73 percent for government domains and subdomains – “the government now outpaces the private sector on HTTPS.”
- In September 2015, Obama reached what was described as “a common understanding” with Chinese President Xi Jinping to halt economic espionage. Their joint announcement stated that, “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property (IP) …” While that has not eliminated the problem, it has reportedly reduced it.
- Congress passed, and in December 2015 Obama signed, the Cyber Information Sharing Act (CISA), designed to improve the sharing of threat information between government and the private sector. Opponents still call it a “surveillance bill,” but advocates say any hope of improving the nation’s cybersecurity will require cooperation between the private and public sectors.
Sign up for CIO Asia eNewsletters.