While cybersecurity would likely have been on the agenda of any prescient, or at least any responsible, U.S. president governing during 2016, Barack Obama has proven himself a modern thinker on cyber.
He has made it a priority this year by introducing the Cybersecurity National Action Plan (CNAP) and establishing a nonpartisan Commission on Enhancing National Cybersecurity to evaluate the current state of cyber and recommend what he termed to be “bold, actionable steps” for the public and private sectors to take to improve the nation's cybersecurity posture.
The report, released Dec. 2, “makes clear that cybersecurity is one of the greatest challenges we face as a nation,” Obama said in a written statement. “That is why I have consistently made cybersecurity a top national security and economic security priority, reflected most recently by the Cybersecurity National Action Plan I announced in February and my 2017 budget, which called for a more than 35 percent increase in federal cybersecurity resources.”
While true that CNAP is hardly a perfect plan or broad enough to satisfy security pros and policy makers, it has been instrumental in dragging cyber out into the mainstream, advancing the discourse and forcing action.
The scheme “takes near-term actions and puts in place a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security,” the White House says, calling for “a bold reassessment of the way we approach security in the digital age” to meet ever-growing threats and an increasing reliance on technology in our personal and professional lives.
The White House called CNAP “the capstone of more than seven years of determined effort by this Administration, building on lessons learned from cybersecurity trends, threats, and intrusions.”
The plan includes a $3.1 billion Information Technology Modernization Fund aimed at modernizing government IT and the management of cybersecurity, which is critical in the wake of the devastating OPM breach. And per the CNAP directive, the U.S. has named its first federal chief information security officer (CISO) to spearhead the modernization effort.
The plan also called for the empowerment of “Americans to secure their online accounts by moving beyond just passwords and adding an extra level of security” in the form of multifactor authentication.
The Commission on Enhancing National Cybersecurity report underscores the importance of security in even stronger terms. It lays out six imperatives that are charges to protect, defend and secure today's information infrastructure and digital networks, build cybersecurity workforce skills, better equip government and innovate and accelerate investment for the security and growth of digital networks and the digital economy. At least one explicit action item is attached to each imperative along with a suggested timeline for implementation
Obama's legacy on cyber will likely draw mixed reviews typical of that of a president grappling with any nascent hot button issue. For instance, he has advocated for stronger privacy protections but came down on the side of law enforcement during the FBI's push to force Apple to essentially provide a backdoor into the iPhone during an FBI investigation of the San Bernardino shooters.
As well, the Russians have seemingly mucked around in America's business during his watch, most recently during the presidential election. Obama publicly promised retaliation for those intrusions but has not yet released any details of what the country's operatives did, although a group of lawmakers is pressing him to do so. It's also unclear what that retaliation might entail and if it will occur before he leaves office.
Despite those inconsistencies and vagaries, Obama has won the praise of experts for increasing awareness and talking openly – and knowledgeably – about cybersecurity. Phyllis Schneck, the deputy under secretary for cybersecurity and communications for the National Protection and Programs Directorate (NPPD) and chief cybersecurity official for the Department of Homeland Security (DHS), recalls a meeting with Obama during 2012, an early indicator that cyber was on his mind. “I remember President Obama mentioned cybersecurity in the meeting,” she says. “He was the first president to do that.”
And Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA), which was charged under CNAP with creating a National Cybersecurity Awareness Campaign to raise consumer awareness and provide them with information on the ways they can protect themselves, applauds Obama's focus on multifactor authentication.
While it is unclear what the incoming administration's priorities will be, Obama leaves a firm foundation to build strong cybersecurity policy and his influence on cyber – as well as his legacy -- will live on long past the day he leaves the White House for the last time.
“As the Commission's report counsels, we have the opportunity to change the balance further in our favor in cyberspace – but only if we take additional bold action to do so,” Obama said, noting that his administration had “made considerable progress” in cybersecurity during his presidency. “Now it is time for the next administration to take up this charge and ensure that cyberspace can continue to be the driver for prosperity, innovation, and change – both in the United States and around the world.”