The Obama administration can check off a long list of accomplishments around cybersecurity. But most of these achievements have only superficially improved the security of agency networks, say industry experts and former government executives.
“Most people don’t think the administration has lived up to expectations. There was a lot of enthusiasm based on the cyberspace policy review for several different reasons,” said Larry Clinton, president of the Internet Security Alliance, an industry association.
“One, the process the cyberspace policy review went through was an open, collaborative and detailed process. I think certainly industry was very enthusiastic. They didn’t love everything in the report, but they felt like there was a real understanding at the White House of what we were doing and how we had to do this collaboratively. The wisdom that was in the cyberspace policy review needed to take a new approach to cybersecurity and the realization that a traditional regulatory model just wouldn’t work in this space, these were the things that eventually brought down the legislation.”
Why cybersecurity was rated ineffective
Reason #1: The White House and DHS took two years to require continuous monitoring of agency networks
Reason #2: DHS issued its continuous monitoring requirements in June; many agencies are still figuring out how to implement them
Reason #3: Failure to pass any cybersecurity bill in the House or Senate led to the administration’s draft cybersecurity executive order (EO)
But the administration also fell short in keeping the momentum going around federal network cybersecurity and in significantly improving information sharing with the private sector.
Former agency executives and industry experts point to several plans and strategies, but must dig deep to find initiatives that have made a real difference across the landscape.
For these and other reasons, Federal News Radio has rated the Obama administration’s efforts to address cybersecurity as ineffective. The rating is part of our special week-long multimedia series, The Obama Impact: Evaluating the Last Four Years. Throughout the series, Federal News Radio examines 23 different administration ideas and initiatives and ranks each as effective, ineffective or more progress needed.
“It seems to me standing up U.S. Cyber Command was a concrete step forward. They did do that and that wasn’t just a piece of paper. But there were a lot of strategies. And to be fair, sometimes you have to figure out what you are about before you run off and start doing things,” said David Smith, a senior fellow and director of the cyber center at the Potomac Institute, a defense and intelligence think tank. “There’s clearly a fair criticism that there are a lot of strategies, 12-point plans and so on and so forth, and there still isn’t a lot of action. The agencies still are fighting among themselves. There needs to be strong leadership from the White House. The cyber coordinator needs to have some real clout. The next administration has to get engaged and it seems to me there is a pretty clear agenda of what needs to get done in 2013.”
Expectations were clear
Just as Smith said there is a clear agenda for the next year, the Obama team came in knowing what needed to be done in 2009, and almost from the start it set high expectations for itself.
In his 2008 campaign, Barack Obama reveled in being called the “Tech President.” Shortly after taking office he ordered a 60-day cyberspace policy review, released in May 2009, and he created the first White House position to focus solely on cybersecurity.
The President laid out his vision for improving cybersecurity in a May 2009 speech, the first by a President on this topic.
“This new approach starts at the top, with this commitment from me. From now on, our digital infrastructure, the networks and computers we depend on every day, will be treated as they should be, as a strategic national asset,” the President said at the time. “Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient. We will deter, prevent, detect and defend against attacks and recover quickly from any disruptions or damage.”
Obama named Howard Schmidt as the cyber coordinator, a position that reported to both the National Economic Council and the National Security Council.
Smith said Schmidt’s office faced some unexpected challenges and that may have slowed down progress.
The Obama administration set 10 near-term goals as part of its cyberspace policy review in May 2009. The White House said it had completed all 10 by May 2011. The goals were:
1. Appoint an official to oversee U.S. cybersecurity policy. This official will coordinate the development of cybersecurity-related policy and strategy.
2. Write an updated strategy for securing the U.S. communications and information infrastructure.
3. Make cybersecurity a key management priority with performance metrics.
4. Assign an official to the NSC cybersecurity directorate to oversee privacy and civil liberties issues.
5. Set up appropriate interagency mechanisms to conduct analyses of cybersecurity issues identified in the process of developing policy. Also, establish agency authorities overseeing cybersecurity across the government.
6. Launch a public awareness campaign promoting cybersecurity.
7. Establish U.S. policy for an international cybersecurity policy framework.
8. Assemble a U.S. cybersecurity response plan.
9. Establish a framework for R&D strategies targeted at “game-changing technologies.”
10. Develop a cybersecurity-based identity management plan focusing on privacy and civil liberties issues.
“What it sounds like happened was sort of an NSC versus NEC kind of clash,” Smith said. “We have to have strong regulations to have cybersecurity versus we have to have the freest economy we can have because we have to have economic growth. I think it’s a false dilemma because the lack of cybersecurity is costing American businesses billions and billions of dollars and can undermine their technological edge over the rest of the world. I think the notion that cybersecurity is somehow bad for business is a false notion. I think we need to get together as a country and figure out what we have to do and move forward.”
Repeated requests to the White House for comment on the administration’s progress in improving cybersecurity were not returned.
Debate over regulation brought the bill down
In the end, the regulation versus cost debate was one of the main reasons the administration’s signature effort, comprehensive cybersecurity legislation passed by both houses of Congress, has failed so far.
“Part of the problem is that there isn’t sufficient integrated collaboration between government and industry on a lot of these initiatives,” said Bob Dix, vice president for government affairs and critical infrastructure for Juniper Networks. “Frankly, when there is, we get good results. When there isn’t, we get poor results.”
Dix said there are plenty of examples of both. The implementation of the Federal Desktop Core Configuration for computer operating systems and the work with the National Institute of Standards and Technology to apply its security controls more widely show the benefits of public-private collaboration, Dix said.
“We see other examples where actions are being taken where the private sector is not a full partner in determining frameworks, determining approaches and in determining solutions to address these challenges,” he said. “Until we come to a place where we are full partners and we all understand the meaning of partnership, on behalf of the safety and security of this nation, we will not make the progress that we can.”
Dix and others say the lack of partnership and the administration’s desire to take a more traditional regulatory approach is one of the main reasons the legislation collapsed.
Little chance of passage
ISA’s Clinton said the White House’s approach to the legislation was doomed from the start.
“The process they took was very behind closed doors, there were all these meetings and it was not a legitimate, normal legislative process, where you have a bill introduced and there are hearings on the bill,” Clinton said. “Even the bill that eventually got to the floor, no one had seen that particular bill until that very week. So the notion of getting a complicated, brand new approach through the U.S. Senate with 60 votes with less than a week was clearly drawing to an inside straight. I thought it had very little chance. I thought they made a strategic error.”
Phyllis Schneck, a vice president and CTO at McAfee and a member of the Information Security and Privacy Advisory Board, said the administration did a good job telling the story about why cyber legislation is needed. There were more than 50 bills that addressed some cyber need. But she said the last mile was the most difficult.
“It’s probably the nuances that are more difficult than we could ever imagine, but it’s probably the nuances of putting together a bill that collectively makes both sides of the aisle happy enough to pass it and a bill that has enough in it to make sure we take a step forward,” she said.
Sen. Susan Collins (R-Maine), one of the principal authors of the bill, put the blame at the feet of her fellow lawmakers.
“I know of no area where the threat is greater and where we have done less,” she said in an emailed statement. “I hold out hope that Congress will still act. I am deeply disappointed that the Senate failed to pass our bipartisan bill before the August recess, but it remains imperative that this Congress address this issue.”
Smith said the administration may have been a little slow in understanding just how hard it would be to pass a comprehensive bill.
Others say the White House’s insistence on an all-or-nothing bill also contributed to its ineffectiveness. The administration easily could have reached agreement with lawmakers on an update to the Federal Information Security Management Act (FISMA) that addressed the cyber workforce and other non-controversial issues.
Giving DHS control biggest success
Experts could list only a few other significant accomplishments, such as the move to continuous monitoring, giving the Homeland Security Department operational authority over the .gov domain and the cloud computing security effort known as FedRAMP.
But all three — and many others — are still in their nascent stages after three years.
Patrick Howard, a former chief information security officer at the Nuclear Regulatory Commission and now a senior cybersecurity consultant for SecureInfo, a Kratos company, said a lot of the administration’s progress has gone under the radar because the legislation received so much attention.
Howard said putting DHS in charge of the operations of the .gov domain was among the administration’s biggest successes.
“CISOs are meeting on a monthly basis, sharing information about problems and common solutions and best practices, and being informed about what’s coming up and what’s to be anticipated,” he said. “It’s not one-sided either. I get the honest feeling that DHS listens attentively to what agencies have to say and makes adjustments in their plans to accommodate what the agencies would like.”
Howard said the changes at the top with the White House and in the middle at DHS haven’t eased the process to secure agency networks.
“It’s really a difficult job to get the major federal agencies to work together. They all have their own separate, distinct and unique operational requirements and largely it’s one of culture too,” he said. “I think DHS has done a really good job to mitigate a lot of that. DHS staff got talking and sharing ideas and getting people engaged in moving things forward. I think that was a huge success to get the agencies to work together.”