This content was paid for by an advertiser and created by The Wall Street Journal advertising department. The Wall Street Journal news organization was not involved in the creation of this content.

President Obama’s Cybersecurity Legacy

Posted on July 12, 2016

President Barack Obama will leave office next year having enacted significant new measures to improve cybersecurity in the United States, including a cornerstone policy to strengthen cyber-threat information sharing between government and private industry.

Last December, the president signed the Cybersecurity Act of 2015, which directed the creation of official procedures for cybersecurity information sharing and granted liability protection to private-sector entities that share cyber-threat data and defensive measures in accordance with the law.

Further, the president set the stage for the bipartisan legislation last year by issuing an executive order that called for the creation of information sharing and analysis organizations (ISAOs). This new class of industry hubs will broaden cybersecurity information sharing beyond sector-specific efforts and provide a uniquely powerful model for putting the new law into practice.

“The administration deserves a lot of credit for taking this action and accomplishing it in a very short period of time,” says David Burg, global and co-U.S. cybersecurity and privacy leader at PwC, which is working with the White House, the Department of Homeland Security and industry stakeholders to make ISAOs a reality.

The president unveiled the ISAO initiative at a White House cybersecurity summit in Silicon Valley in February 2015. Within a matter of months, officials awarded a federal grant to establish a private-sector standards body for ISAOs. Several public and private sector entities have already announced plans to form ISAOs.

PwC has produced studies on ISAO-related issues that require prompt deliberation and agreement. PwC is also participating in the industry-led process of drafting voluntary guidelines for ISAOs.

Years of effort

The push to improve information sharing is only one of several Obama administration cybersecurity initiatives that have been rolled out in recent years:

– In 2013, President Obama issued his first executive order on cybersecurity, which focused on critical infrastructure and directed the National Institute of Standards and Technology (NIST) to develop the federal framework of cybersecurity standards. The framework, published in 2014, continues to draw high praise from industry for enabling significant improvements in the private sector’s management of cyber risks.

– In 2015, the president directed the creation of the Cyber Threat Intelligence Integration Center (CTIIC) to coordinate intelligence from all agencies on foreign cyber threats and incidents affecting U.S. national interests and provide “all-source” analysis to policymakers.

– In addition, the president issued an executive order last year authorizing the imposition of sanctions on individuals or entities found to be involved in cyber attacks threatening national security, the economy or U.S. financial stability.

– The administration’s cybersecurity policy has often sought to address the global nature of cyber threats. These efforts have included legal actions by the Justice Department against hackers abroad, as well as international agreements on norms of behavior in cyberspace. The complexity of the intersection of cybersecurity and foreign policy was underscored last year when it was disclosed that the Office of Personnel Management (OPM) had suffered a major data breach that U.S. officials suspected originated in China. Administration officials concluded the OPM breach fell within the realm of state-on-state spying, as opposed to cyber-enabled economic espionage. In September 2015, President Obama and Xi Jinping, his Chinese counterpart, reached a historic agreement stating that neither government would conduct or condone cyber-enabled economic espionage. Other nations, including Russia, agreed to abide by the same norms at a G-20 economic summit two months later.

– The White House released in June 2016 a National Privacy Research Strategy that calls for research in science and engineering intended to enable the United States to benefit from innovative data use while protecting privacy.

Looking ahead

This year, President Obama has requested $19 billion as part of his final federal budget proposal to fund a new Cybersecurity National Action Plan (CNAP) aimed at tackling the rapidly evolving threats posed by cyber attacks to U.S. businesses, the economy, national security, key infrastructure, and individual privacy.

Further, to provide advice to the next administration, President Obama established a cybersecurity commission, which is scheduled to issue recommendations later this year. The commission is being overseen by Thomas Donilon, a former national security adviser to President Obama, and Sam Palmisano, former chief executive officer of IBM.

The Obama administration also created a new federal Chief Information Security Officer (CISO) position.

“I think the leadership portion is the most important – that you have a culture of making it clear that thinking about security isn’t just a trade-off with convenience,” says Michael Sulmeyer, director of the Belfer Center’s Cybersecurity Project at the Harvard Kennedy School, who recently served in the Obama administration as director for plans and operations for cyber policy in the Office of the Secretary of Defense.

For companies, “it’s also going to affect the bottom line: appreciating how security affects revenue will be the biggest priority going forward,” Sulmeyer adds. “There is also the question about how to structure accountability within a company.”

Sulmeyer also highlighted the importance of ensuring that key roles such as the federal CISO are not pushed out of the sphere of influence after President Obama leaves office. The CISO will oversee one of the CNAP's actions: spending $3.1 billion to modernize the government’s own IT systems and improve cybersecurity by retiring hard-to-secure legacy software and hardware.

David Burg of PwC concurs that strong leadership will be a key part of ensuring the new cybersecurity measures achieve their potential.

“Someone has to oversee strategy, sequencing and, after that, plan for accountability about performance and how to adjust going forward, in the same way corporations oversee big transformative projects,” says Burg.

Published on July 12, 2016.
