Grading Obama on Cybersecurity

It’s time for that mid-term report card. Just hearing the phrase could send shivers down one’s spine. We’re not talking about that grade you received in middle school algebra. Instead, it’s time to review President Barack Obama’s first year in office from a cybersecurity and information security perspective.

To do that, let’s return to May 2009 when the new president brought the cybersecurity topic to the national stage, declaring “it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation”. Some say 2009 marked a year of both old and new, with a review of former President George W. Bush’s Comprehensive National Cyber Security Initiative (CNCI) and the introduction of the nation’s first security czar in December 2009, along with the 10-Point Cyber Security Action Plan.

Nearly everyone agrees that results won’t happen overnight, but the groundwork has been laid and a call to action made for what many hope will be a bright future. “I think this administration has repeatedly sent the signal that information security and cybersecurity are top national security and economic priorities for the country”, says Shannon Kellogg, director of information security policy for the office of Government Relations at EMC.

Campaign Beginnings

In July 2008, then-candidate Obama promised Americans that he would name a national adviser for IT security if he became president, noting, “we need to prevent terrorists or spies from hacking into our national security networks”.

“He certainly put a fair amount of focus during the campaign on cybersecurity”, says Kellogg. “And he had a pretty developed policy document around critical infrastructure protection, with cybersecurity really at the center”.

Hord Tipton, executive director of information security non-profit organization (ISC)², agrees and believes Obama has so far “followed through on his promises”, adding, “maybe not as quickly as some would like. But nevertheless, he didn’t forget about it.”

Many agree that going in, Obama understood he would have to tackle the cybersecurity issue, which included a review of the Bush administration’s CNCI.

The Bush Administration and its Policies

Partly due to a heavy focus on physical security, including the war on terrorism, it wasn’t until the end of Bush’s second term that policies surrounding cybersecurity surfaced. Greg Garcia, security advisor to the Information Security Forum (ISF), helped develop the CNCI while serving as assistant secretary for cybersecurity and communications with the US Department of Homeland Security from 2006–2008.

There are 12 sub-initiatives under the Bush policies”, says Garcia, with the first three “focusing on protecting [the] .gov [domain] from cyber attacks and building up security around that, focusing on deterrence, counter intelligence and supply chain management; private sector outreach; and research and development – a multi-faceted strategy”, he explains. He believes the cybersecurity plan was “truly comprehensive”, but “not perfect”.

Gartner analyst John Pescatore argues that CNCI, which aims to protect government security systems, was originally headed in the wrong direction with its focus on “monitoring attacks” versus “reducing vulnerability attacks”. Garcia, meanwhile, says he didn’t necessarily agree with the “top-secret, classified” approach of CNCI, calling it “unnecessary – with a few exceptions”. He adds, “so much of the success of the cyber initiative depends on the engagement of the private sector.”

Obama’s First Six Months

And that’s where President Obama comes in. Five months into his term, Obama addressed cybersecurity in a 20-minute speech, bringing the issue straight to information security insiders and the eyes and ears of US citizens. “Now that has not happened before”, says Garcia, who noted the importance of Obama calling US Internet infrastructure “a strategic national asset”.

Some say Obama addressed the cybersecurity issue immediately, while other experts, including Pescatore, weren’t overly impressed with the first six months, arguing that not much had changed, even in the first year. But Pescatore and others expect increased momentum now that Howard Schmidt, the White House’s newly appointed cybersecurity coordinator, is in place.

Confirming a New Cybersecurity Coordinator

The appointment of Schmidt didn’t come easy though. Perhaps Tipton of (ISC)² puts it best: “A lot of people thought they could do that job, but we know how difficult that job is and will continue to be.” One thing many people do agree on is that Schmidt is the man for the job. “There is probably no one that is more dedicated or held in a higher regard than Schmidt”, says Tipton.

So far analysts remain hopeful that Schmidt will help both focus and implement cybersecurity efforts by working with various government departments and agencies, fostering relationships between the government and private sector, and increasing awareness and education. “I think that’s what President Obama has done for the role of security. He’s found someone to connect the dots”, says Simone Seth, senior research analyst at the ISF. “The dots have always been there. It’s just that they were not connected.”

The government’s plan aims to strengthen the nation’s cyber defenses while protecting civil liberties and maintaining government transparency. So far, Obama has tapped a czar, implemented the 60-day Cyber Action Review and, more recently, declassified CNCI so that its 12 initiatives are made public.

During the RSA Conference held in March, Schmidt provided an update on the government’s Near Term Action Plan, which includes creating a domestic and international security awareness policy and developing an international framework, among other goals.

EMC’s Kellogg says there has been movement in all of the 10 near-term initiatives. “I think what the Obama administration has been able to do over the last year is lay the groundwork for a broader, more comprehensive strategy that will not just be domestically focused but will also have more international collaboration”, he explains.

Gartner’s Pescatore highlights the need for the government to set an example by “becoming a model citizen”, especially in the age of transparency. “There are two things the federal government can really do to increase cybersecurity”, says Pescatore. “The first is to focus on increasing the security of government systems. The second thing: Can the government use its buying power to drive demand for the highest [quality] security products?”

Additionally, ISF’s Garcia notes three priorities he believes should be addressed first, starting with putting intrusion technology detection policies and procedures in place across .gov sites. Secondly, he says, it’s necessary to build cyber response capability, and lastly, engage the Congress and ensure it understands the strategy so government can receive the necessary resources.

Looking at the Challenges Ahead

Pescatore expects that we will begin to see more concrete changes by October 2011. “There’s going to be a lot of political infighting from the intelligence community side”, he predicts. “It’s going to take a lot of inside organizational and political work.”

“You’ve got to be optimistic about this. People are working, in many cases, as hard as they can”, adds Tipton. “It’s clear we can’t do everything all at once, and there will always be risk out there that we’re going to have to accept.”

“Clearly, you’ve got the administration out there not only talking about these issues, but starting to execute the nearer-term strategy elements that President Obama laid out at the end of last May”, says Kellogg.

This ‘report card’ only scratches the surface of what happened over the past year. But it does suggest one thing – whatever ‘grade’ you give Obama on his first year in office, the White House has placed information and cybersecurity on its list of priorities for the years to come.