Obama’s Cybersecurity Plans Work, But Change Has Been Slow
Nearly five years into his presidency and one year into his second term, experts agree that U.S. President Barack Obama’s cybersecurity goals are well-defined. Progress toward those goals, however, has stagnated due to a lack of political will to pass meaningful cybersecurity policies, and because the president has only so much room on his plate, experts say.
Obama began his first term with three cybersecurity goals in mind: raising public awareness about what cyber threats are and how they can harm people, investing more in cybersecurity research and development so the U.S. can develop better digital-protection tools, and working with private businesses to ensure they have a high level of cyber defense while still maintaining their independence.
That last goal has the most potential for lasting impact on the way companies and the public perceive the importance of cyber defense, according to Eric Chapman, deputy director of the University of Maryland’s Cybersecurity Center. His reasoning is that if major companies comply with uniform cybersecurity standards, the public will view the issue as important. However, Chapman also said this is where Obama’s plan has faltered most.
This past August, the White House unveiled a draft framework of incentives for companies that adopt the voluntary set of more stringent standards and procedures designed to reduce risk of a cyber assault.
“If it’s voluntary, it still doesn’t have any teeth,” Jonathan Katz, director of the University of Maryland’s Cybersecurity Center, told Mashable. “If enough companies follow that, then other companies will follow, but you need someone to start to convince everyone else to go along.”
The National Institute of Standards and Technology drew up a draft of the optional regulations earlier this year after Obama issued an executive order to do so; his administration plans to finalize them by Feb. 2014. Currently, some of the incentives include a better shot for compliant companies to get federal grants, cyber insurance that would pay for damages caused in an attack and limited liability in other business aspects.
All of this could be facilitated through the Cybersecurity Act of 2013, which is co-sponsored by North Dakota Republican Senator John Thune, as well as West Virginia Democratic Senator and U.S. Senate Commerce Committee chairman Jay Rockefeller.
“I think the approach we’re taking this year in the Senate by having each committee work on the key sections under their jurisdiction will be successful,” Rockefeller told Mashable in an email. “In fact, we’re already seeing this process has great potential for success. For example, the bill that Senator Thune and I introduced was passed out of the Commerce Committee unanimously.”
It’s a good sign, but the bill’s prognosis is still not much better than its predecessor, the Cybersecurity Act of 2012, which Republicans filibustered out of Congress.
Part of the problem companies have with adopting a more comprehensive set of cybersecurity standards is that they’re not sure it’s cost-effective, Katz said.
“Ultimately, companies are going to do what’s in their financial interest,” he said, adding that they are probably worried about eventually being liable for a leak in their security, and that businesses may need significant financial incentives to comply.
Obama recently met with the heads of Bank of America, Mastercard, Visa, Pepco Holdings, Lockheed Martin, Northrop Grumman, Intel and Symantec to discuss cybersecurity. Although few details of the meeting emerged, Cheri McGuire, Symantec’s vice-president for global government affairs and cybersecurity policy, told Mashable that an agreement between the White House and her company could be within sight.
“As far as full implementation goes, that’s obviously something we’re looking at, but we have some of our own way of doing things, as you can imagine as a security company and as a technology company,” McGuire said. But she added, “We feel this is a very reasonable, measured approach that has been industry-driven.”
Every other company mentioned above was contacted regarding their feelings about working with the government on cyber defense, but all either replied with a blanket statement, declined to comment or did not respond.
Chapman worries that, despite McGuire’s positivity, it will take a borderline catastrophic event for some businesses to realize that putting cash in cybersecurity is a good investment — even if they’re never directly attacked.
“The power on the East coast would have to go out for, like, four days,” he said.
Although Chapman said public awareness about cybersecurity isn’t great, he is also concerned that people are becoming desensitized to digital assaults because, while they see plenty of attack reports in the press, many haven’t been affected.
Yet Katz said that these reports may provide their own type of education. Some educators are interested in teaching cyber defense to kids as early as elementary school, he said, adding that such a curriculum would take time to implement, and that the Obama administration has yet to even focus on the topic. Until then, Katz said the media is teaching the public about what lurks online, building a public knowledge base that Rockefeller believes will provide the foundation for future change.
“Public awareness, in particular, can do so much to protect companies and consumers from cyber attacks,” Rockefeller said. “Things as simple as using complex passwords for bank accounts and knowing not to click on email links from people you don’t know can prevent attackers from gaining access to computers and websites. When more people know the easy steps we can take to protect ourselves, personal cybersecurity will become stronger.”
Rockefeller, Katz and Chapman all agreed that the president has done about all he can to build the average person’s understanding of cybersecurity. They also said he’s pushed for a healthy amount of research and development in the field.
Sweeping change, however, must come from the political realm. That will be the barometer by which Obama’s impact on U.S. cyber preparedness is measured, Chapman said. The results have not yet been determined, but at the moment, he and Katz said that Obama’s goal to strengthen the digital defenses of private industries has been watered down.