Cybersecurity

A mixed legacy on cyber for Obama

President Obama at SXSW in Austin, Texas, March 11, 2016. Photo from WH.GOV video stream.

President Barack Obama has shepherded billions of dollars of investments toward cybersecurity programs, created senior federal IT positions, and set up a blue-ribbon panel to explore the issue years down the road. But will that be enough for history to judge him favorably on cyber policy?

A group of former federal officials on May 18 delivered a mixed verdict: the Obama administration has done well to make cybersecurity relevant to top agency officials and not just techies, but should have done more to follow through on key policies.

At the center of the Obama legacy will be a voluntary framework that companies can use to assess their cybersecurity risk. The National Institute of Standards and Technology oversaw the development of the framework following a 2013 executive order from Obama. Administration officials have touted the framework's adoption in the U.S. private sector, and promoted it as a model for other countries. Nonetheless, some in industry say implementation of the framework has been slowed by a lack of clear data on its cost effectiveness.

Larry Clinton, president of the Internet Security Alliance, a trade association and lobbying group, credited the Obama administration with being the most "creative" and "forward-looking" of any administration on cybersecurity. However, Clinton said at the panel discussion hosted by Information Security Media Group, the NIST framework is sorely in need of a measure of its cost effectiveness.

"If you're going to have a voluntary system for industry to use, industry will do what is cost effective," he said at the event in McLean, Va. "We have to demonstrate this."

Steven Chabinsky, a former cyber official at the FBI under Obama, agreed. Despite the virtues of the NIST framework, "we still have been left with a legacy of no metrics" for businesses large and small to measure their effectiveness in cybersecurity, he said. Chabinsky is an executive at CrowdStrike and also a member of a cybersecurity commission charged with delivering recommendations to the administration by December.

Ari Schwartz, a former White House adviser (and 2015 Federal 100 winner) who oversaw the framework's development, reflected bluntly on what he said were the administration's shortcomings on cybersecurity. Schwartz, who left the White House for the private sector in the fall, hailed the administration's work to automate cyber-threat information sharing. But it wasn't until Tony Scott was hired as federal CIO in February 2015 that the administration really started holding agencies accountable for their cybersecurity posture, he said.

Until recently, "we failed… [in] getting accountability of agencies for their own cybersecurity," Schwartz said.

Make America cybersecure again

The conversation also turned to how presidential hopefuls Donald Trump and Hillary Clinton would handle cybersecurity policy as president.

Cybersecurity has not played a prominent role in the campaign so far, but the candidates have offered telling observations.

Trump has suggested shutting down parts of the internet to foil the Islamic State terror group, which would, technically and practically speaking, be very challenging. He has also described the United States' cyber capabilities as "obsolete" and behind other countries, an assessment with which most experts would disagree.

Clinton, meanwhile, has labeled cybersecurity "one of the most important challenges the next president is going to face" because of advances in the offensive capabilities of China, Russia, Iran, and North Korea. Clinton's use of a private email server for official business as secretary of State from 2009 to 2013 has drawn sharp criticism of her credibility on cyber issues.

There are signs that hackers, perhaps at the behest of foreign governments, have targeted both candidates, Director of National Intelligence James Clapper said May 18. The FBI and the Department of Homeland Security are educating both campaigns about cyber threats, Clapper said at the Bipartisan Policy Center, according to multiple news reports.

The panel of former federal officials, however, largely ducked a question on the cybersecurity acumen of the candidates.

"I don't think that either of the candidates right now is in a position to be able to do anything more than basically a continuation of what we've been doing for the last 20 years, and that's just not going to work," Chabinsky said. A change of course, he added, would require a clear definition of what success looks like. 

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.


Reader comments

Fri, May 20, 2016 Glenn Schlarman Annandale, VA

Mixed legacy alright. The article indicates that only Ari Schwartz brought up performance rather than producing paper and even then not much was said (or reported anyway). Among the many (and there have been many) successful attacks on federal agencies over the past 7 years, two unconscionable failures occurred: One was from the outside -- the hack of OPM personnel security files. I guess we're all supposed to forget that now and feel better because OPM leaders suffered consequences? Sorry, it's an example of actual performance and part of the legacy. The other was an inside job -- three-year rogue email server at State and a complete breakdown in identifying and marking classified national security information. I don't care about the FBI investigation. I want to know how so many truly significant security violations could have taken place in one agency for so many years. So far, the White House has been silent. Both the 3-year-long breach and the lack of Administration action are, again, a big part of its security legacy. I know security is a tough job and keeping ahead of cyber attacks is tougher still, but really, before having a conference to publicly Count Coup or run victory laps, one should make sure you've actually won.

Thu, May 19, 2016 Bob Barker Austin, Texas

RE: "we still have been left with a legacy of no metrics for businesses large and small to measure their effectiveness in cybersecurity," I respectfully disagree. Auditing an organization's internal cyber measures has been demystified through automation of the NIST Framework in all its complexity, thereby allowing corporate directors to actively engage in cyber risk oversight.
