A mixed legacy on cyber for Obama

A group of former federal officials delivered a mixed verdict: the Obama administration has done well to make cybersecurity relevant to top agency officials, and not just techies, but should have done more to follow through on key policies.

President Obama at SXSW in Austin, Texas, March 11, 2016. Photo from WH.GOV video stream.

President Barack Obama has shepherded billions of dollars of investments toward cybersecurity programs, created senior federal IT positions, and set up a blue-ribbon panel to explore the issue years down the road. But will that be enough for history to judge him favorably on cyber policy?

A group of former federal officials on May 18 delivered a mixed verdict: the Obama administration has done well to make cybersecurity relevant to top agency officials and not just techies, but should have done more to follow through on key policies.

At the center of the Obama legacy will be a voluntary framework that companies can use to assess their cybersecurity risk. The National Institute of Standards and Technology oversaw the development of the framework following a 2013 executive order from Obama. Administration officials have touted the framework's adoption in the U.S. private sector, and promoted it as a model for other countries. Nonetheless, some in industry say implementation of the framework has been slowed by a lack of clear data on its cost effectiveness.

Larry Clinton, president of the Internet Security Alliance, a trade association and lobbying group, credited the Obama administration with being the most "creative" and "forward-looking" of any administration on cybersecurity. However, Clinton said at the panel discussion hosted by Information Security Media Group, the NIST framework is sorely in need of a measure of its cost effectiveness.

"If you're going to have a voluntary system for industry to use, industry will do what is cost effective," he said at the event in McLean, Va. "We have to demonstrate this."

Steven Chabinsky, a former cyber official at the FBI under Obama, agreed. Despite the virtues of the NIST framework, "we still have been left with a legacy of no metrics" for businesses large and small to measure their effectiveness in cybersecurity, he said. Chabinsky is an executive at CrowdStrike and also a member of a cybersecurity commission charged with delivering recommendations to the administration by December.

Ari Schwartz, a former White House adviser (and 2015 Federal 100 winner) who oversaw the framework's development, reflected bluntly on what he said were the administration's shortcomings on cybersecurity. Schwartz, who left the White House for the private sector in the fall, hailed the administration's work to automate cyber-threat information sharing. But it wasn't until Tony Scott was hired as federal CIO in February 2015 that the administration really started holding agencies accountable for their cybersecurity posture, he said.

Until recently, "we failed… [in] getting accountability of agencies for their own cybersecurity," Schwartz said.

Make America cybersecure again

The conversation also turned to how presidential hopefuls Donald Trump and Hillary Clinton would handle cybersecurity policy as president.

Cybersecurity has not played a prominent role in the campaign so far, but the candidates have offered telling observations.

Trump has suggested shutting down parts of the internet to foil the Islamic State terror group, which would, technically and practically speaking, be very challenging. He has also described the United States' cyber capabilities as "obsolete" and behind other countries, an assessment with which most experts would disagree.

Clinton, meanwhile, has labeled cybersecurity "one of the most important challenges the next president is going to face" because of advances in the offensive capabilities of China, Russia, Iran, and North Korea. Clinton's use of a private email server for official business as secretary of State from 2009 to 2013 has drawn sharp criticism of her credibility on cyber issues.

There are signs that hackers, perhaps at the behest of foreign governments, have targeted both candidates, Director of National Intelligence James Clapper said May 18. The FBI and the Department of Homeland Security are educating both campaigns about cyber threats, Clapper said at the Bipartisan Policy Center, according to multiple news reports.

The panel of former federal officials, however, largely ducked a question on the cybersecurity acumen of the candidates.

"I don't think that either of the candidates right now is in a position to be able to do anything more than basically a continuation of what we've been doing for the last 20 years, and that's just not going to work," Chabinsky said. A change of course, he added, would require a clear definition of what success looks like.