The end of White House terms is often about trying to shape historic legacies, and President Obama is out to build his in the new area of cybersecurity. Yesterday, he released a new “Cybersecurity National Action Plan” that argues it is “Taking bold actions to protect Americans in today’s digital world.”
There are a lot of easy jokes to make about issuing such a plan after incidents that range from the breach of the Office of Personnel Management to the Pentagon, as well as in every business sector, from banks to movie studios. The new plan seeks to close a barn door that left open the personal records of some 22 million Americans, while programs that range from jet fighters to critical infrastructure have been repeatedly breached. But in both the real world and cybersecurity, there is not much value in crying over hacked milk, other than to score cheap political points on a president who isn’t running for re-election.
Instead, three aspects are notable about the new plan. First, it has a series of long-overdue elements that mirror many of the best practices from the private sector, which unfortunately are also overdue for most firms in the private sector.
Second, its specificity stands out compared to the relatively thin proposals put forward by presidential candidates of both parties. As a recent Pell Center study concluded, cybersecurity is in a strange place of being considered important by voters, but a topic “lacking from the 2016 campaign trail.” We certainly now know a lot about what candidates think of having a web server in your home, but new and substantive policy proposals for the nation are either totally absent or can be summed up as little more than vague commitments to lead better.
And, finally, and maybe most notably, there is very little in it that one couldn’t imagine a Republican in the White House also proposing. That is, the plan is actually a great illustration of how cybersecurity is one of those rare issues yet to split down a clear right/left partisan divide. And that may well be why it has a chance to work.
There are several key elements to the strategy. There will be a bump in planned federal cybersecurity spending by roughly 35 percent, up to just over $19 billion, on new areas that range from public awareness campaigns to research projects to end vulnerable passwords (sorry, no more 12345). DHS will double the number of cybersecurity advisers, while agencies will be required to audit their most valuable, and vulnerable, digital assets.
At the center of the plan, however, is the creation of several new positions and entities to build a more strategic emphasis on digital security needs. Perhaps the most important new position is a Chief Information Security Officer (CISO). The CISO is a position that less than half of major firms had a decade ago, but is now standard in industry and needed for the sprawling federal government. Just like inside companies, however, the cyber rubber will meet the policy road in how empowered this new CISO will be, especially in working with the OMB to disburse the various new funds.
There will also be the creation of a new Commission on Enhancing National Cybersecurity, “comprised of top strategic, business, and technical thinkers from outside of Government.” This group could bring in great insight, but like any advisory board in business and government, the issue to watch is how wide it sets its scope (will it stay limited to topics like creating best practices for government or also be pulled into wider debates on everything from encryption to deterrence strategy?) and whether its proposals are both actionable and actually implemented. Reflecting the post-Snowden world, the plan also assembles a “Federal Privacy Council,” which will bring together all the different players within government working on privacy guidelines.
But perhaps the most significant part to both our cybersecurity in the near term, and Obama’s true impact in the long term, is the aspect that often gets short shrift in cybersecurity discussions: the human side. Building an actual state of cybersecurity is about technology, organization, AND people. Yet, we have a looming human resources gap in the field of some 1 million plus workers. Indeed, while it is valuable to create new cybersecurity positions inside government, there is already a wide array of important ones open. At the FBI, for instance, nearly 40 percent of the cybersecurity expert jobs are unfilled, with many field offices lacking a professional for their cyber units. There is also a massive diversity problem, with minorities and women under-represented, even compared to the already low numbers in the technology workforce (only 10 percent of the cybersecurity field is women, a number that actually went down from 11 percent the year before). The new plan creates incentives to start to tackle this problem area that range from scholarships for cybersecurity education to loan forgiveness programs for experts that join the government. They are nowhere near enough, but it’s a valuable start.
Even if everything in the plan is implemented, which is a big “if” in the final year of a presidency with a restive Congress, much would remain to be done in cybersecurity policy. There are gaps that range from Capitol Hill clarifying just how the information sharing legislation it just passed actually is to be implemented to the need for a cyber deterrence strategy at the Pentagon that builds resilience, rather than following old Cold War models.
But in this plan, Barack Obama just set his marker on how he wants to be remembered on what he has called one of “the most serious economic and national security challenges of the 21st century.”
In the coming years, when cybersecurity is no longer considered some new, hot topic, it will be these new structures he leaves in place for future presidents that will determine his historic legacy.