Obama makes progress on three-pronged cyber strategy
America got a taste of its cyber vulnerabilities during the 2016 presidential election, when Russian hackers stole Democratic leaders' emails.
President Barack Obama has since directed the intelligence community to investigate "malicious cyber activity" connected to elections going back to 2008.
Ahead of his first term, Obama promised to develop a cybersecurity strategy for the country. Eight years later, he has made significant gains, though there's room to grow.
"He has a national strategy for cyberspace, and an action plan, so all in all, I think he has tried to deliver," said Heather Roff, a researcher at the University of Oxford and Arizona State University.
The administration defines its cyber strategy as: "1) Raising the level of cybersecurity defenses in the public and private sectors; 2) Deterring and disrupting malicious cyber activity aimed at the United States or its allies; and 3) Effectively responding to and recovering from cybersecurity incidents when they occur."
National Security Council spokesman Mark Stroh sent PolitiFact a list of 18 executive orders, administrative policies and laws that he said address these three strategic goals.
This list includes, for example:
• Reaching agreements with China and other nations to discourage intellectual property and business secret theft;
• Establishing the Cyber Threat Intelligence Integration Center, which coordinates cybersecurity strategy across the intelligence community;
• Codifying the federal government's plan for responding to significant cyber incidents;
• Signing the National Cybersecurity Protection Act of 2014, which promotes information sharing between the private and public sectors;
• And issuing an executive order intended to make financial transactions more secure.
Most recently, in February 2016, Obama directed his administration to implement a Cybersecurity National Action Plan. The plan establishes a Commission on Enhancing National Cybersecurity, calls for working with Internet companies to protect Americans' identities, and proposes over $22 billion in spending on cybersecurity measures.
The White House called the plan "the capstone of more than seven years of effort" to ensure Americans can have confidence in their digital security. Since that announcement, the White House has appointed members to the commission and hired the country's first chief information security officer.
"The Obama administration has taken more steps than any previous administration at attempting to comprehensively address cybersecurity," said Susan Hennessey, managing editor of the Lawfare blog and former lawyer for the National Security Agency.
But she said a gap remains between identifying solutions and putting them into action, such as convincing consumers to have better passwords or encouraging companies to invest in cybersecurity before a data breach happens.
Congress hasn't passed fully comprehensive cybersecurity laws, so Obama has had to work mostly through the executive branch, Roff said.
And the private sector is still reluctant to fully coordinate with the government, said Jamie Winterton, director of strategy for Arizona State University's Global Security Initiative. She specifically noted the dispute between the FBI and Apple over unlocking an iPhone belonging to one of the San Bernardino shooters.
Winterton said she'd like to see the government foster better relations with private companies, develop more metrics for measuring progress, and have a more public conversation about balancing privacy and security.
Over the course of Obama's presidency, she's noticed more emphasis on how to protect critical infrastructure, a better ability to detect cyber attacks, and more progress on figuring out who needs to be involved in these conversations.
But it's a complex problem to fully solve, involving social, technological and legal elements.
"We've signed up for a marathon, bought some nice training shoes and done a good three-mile warm up run, but we've got a long way to go," Winterton said.
Obama pledged to develop a cybersecurity strategy. Although this hasn't blocked cyber attacks on the country — as evidenced by Russian hackers meddling in the election — and there remains room to improve, he has moved the country many steps forward in this arena. We rate this Promise Kept.
White House, "Statement by the President on the Report of the Commission on Enhancing National Cybersecurity," Dec. 2, 2016
White House, "The President's National Cybersecurity Plan: What You Need to Know," Feb. 9, 2016
Email interview, Lawfare Managing Editor Susan Hennessey, Dec. 9, 2016
Phone interview, Jamie Winterton, ASU Global Security Initiative strategy director, Dec. 9, 2016
Email interview, Heather Roff, researcher at ASU and Oxford, Dec. 8, 2016
Email interview, NSC spokesman Mark Stroh, Dec. 9, 2016
Progress on a framework, but trust shattered by Snowden revelations
During his 2008 presidential campaign, Barack Obama promised to "ensure that his administration develops a Cyber Security Strategy that ensures that we have the ability to identify our attackers and a plan for how to respond that will be measured but effective."
In the year since our last ruling, the attention devoted to cybersecurity has only increased, partly due to well-publicized breaches of customer data but especially from revelations about National Security Agency surveillance of electronic and telephone traffic.
On Feb. 12, 2013, Obama signed an executive order on "Improving Critical Infrastructure Cybersecurity," which called for the implementation of a cybersecurity framework launched one year later.
The framework, developed by the Commerce Department's National Institute of Standards and Technology, is designed to help critical infrastructure sectors such as power plants, public transportation and communication systems, as well as other organizations, reduce and manage their risk of cyber-intrusions.
Organizations are encouraged to use the framework to manage their cybersecurity risk, though it is not designed to replace existing processes — an organization can keep its current process while incorporating aspects of the framework to determine gaps in its cybersecurity.
The adoption of the framework is voluntary, but the Department of Homeland Security has established the Critical Infrastructure Cyber Community Voluntary Program, C-Cubed for short, to increase awareness and use of the framework.
According to a White House briefing on the topic, C-Cubed will connect companies to DHS and other federal government programs and resources that will assist efforts in managing their cyber risk.
So the administration has taken some concrete steps to develop a formal cybersecurity strategy. But the administration's ability to pitch that strategy to private-sector companies and individuals has been hampered by the continuing stream of revelations based on leaked documents from former NSA contractor Edward Snowden. Whatever trust existed between the government and private companies has taken a serious blow in the post-Snowden era.
"On one hand, we had the Obama administration working for development of increased cybersecurity through its 'framework' initiative," said George Smith, a senior fellow at GlobalSecurity.org. On the other hand, Smith said, the administration was "allowing the NSA to aggressively pursue initiatives that destroy the security and trust in global as well as domestic networks."
So while Obama has made meaningful strides in creating a cybersecurity strategy, he faces stiffer-than-ever hurdles in implementing such a strategy, due to resistance in Congress as well as public skepticism. For now, we'll wait to see how this process shakes out, and we'll hold our rating at In the Works.
National Archives and Records Administration, Executive Order on "Improving Critical Infrastructure Cybersecurity," Feb. 12, 2013
National Institute of Standards and Technology, "Framework for Improving Critical Infrastructure Cybersecurity," Feb. 12, 2014
U.S. Department of Homeland Security, "About the Critical Infrastructure Cyber Community C3 Voluntary Program,"
U.S. Department of Homeland Security, "What is Critical Infrastructure?" accessed March 13, 2014
White House, "Launch of the Cybersecurity Framework," Feb. 12, 2014
Politico, "White House unveils cyber plan, implores Congress," Feb. 12, 2014
BarackObama.com, "Confronting 21st Century Threats," July 16, 2008
PolitiFact, "Work still to be done before U.S. is cyber secure," Jan. 17, 2013
Email interview with George Smith, senior fellow, GlobalSecurity.org, March 14, 2014
Work still to be done before U.S. is cyber secure
President Obama vowed during the 2008 campaign to protect the country from cyber threats -- everything from hackers stealing consumers' online information to terrorists tampering with water systems and electric grids. Four years in, the White House has made progress on its goal of implementing a comprehensive strategy but not enough to say we're ready should a cyber terrorist strike.
For evidence, the White House pointed us to the Comprehensive National Cybersecurity Initiative, a set of goals launched during George W. Bush's administration and furthered by the Obama White House.
With funding through federal law enforcement, intelligence agencies and the Defense Department, the initiative sets specific objectives including coordination of research efforts in cybersecurity, deploying "intrusion detection" systems to alert officials of coming threats and increasing the security of classified networks.
The Obama administration in February 2012 also unveiled its plan to protect consumers' privacy online, emphasizing voluntary compliance from companies that handle people's personal data. (PolitiFact has that promise separately rated In the Works because those consumer protections are not solidified in law.) Obama promised to create a cybersecurity coordinator to oversee federal efforts and report directly to the president. Obama appointed Howard Schmidt to the post in 2009, though the position is not directly under the president. We rated it a Compromise.
We checked with Susan Landau, a cybersecurity expert and visiting scholar at Harvard University, for her insights on how Obama has done on creating a comprehensive strategy. She pointed to the National Strategy for Secure Identities in Cyberspace for protecting consumers and the International Strategy for Cyberspace, an outline for nations to promote secure vital networks while opening Internet access as a means of economic prosperity.
So that's what has happened. What hasn't happened: a change in law.
The Cybersecurity Act of 2012 failed repeatedly to pass Congress in 2012. The large-scale measure would have created security standards for owners of the most vital computer networks and provided protection from lawsuits to companies that voluntarily comply with the standards. But Republicans and critics in industry opposed the bill, saying it would have allowed the government to be overly involved in creating security standards on private business and that the liability protection was insufficient. The Republican-led House also passed a series of smaller measures that would not have created any new rules for businesses, but those went nowhere in the Senate.
With no progress on Capitol Hill, reports emerged that the Obama administration was considering an executive order regarding cybersecurity. That order has yet to be issued though, and it's unclear how much authority Obama could wield on securing private computer networks and the like.
George Smith, an expert on the science and technology of national security at GlobalSecurity.org, expressed doubts about the order's potential.
"It was all wishy-washy stuff without much meaning or any means to compel anyone in the infrastructure to do things it had argued were needed," he said in an email to PolitiFact. "Plus, you had to buy all the arguments the current administration makes about cybersecurity and the potential impacts of cyberwar attacks, which not everyone does."
Added Landau: "These are not easy problems, and the fixes are technical, policy, and legal, making the challenges even greater."
Despite Obama's efforts so far to implement a strategy to prepare the country for cyber attacks, it's clear there is still a long way to go. We'll continue to watch for any legislative action by the new Congress and leave this rated In the Works.
Email interview with Caitlin Hayden, spokeswoman for the National Security Council, Jan. 15, 2012
White House website, Comprehensive National Cybersecurity Initiative, accessed Jan. 16 & 17 2012
PolitiFact, "No firm action, but issue remains a priority," Nov. 27, 2012
PolitiFact, "Coordinator named, but does not report directly to the president," Dec. 30, 2009
Congressional Quarterly, "Cloture on Cybersecurity Bill Again Falls Short," Nov. 14, 2012
Bloomberg, "Limits Seen in White House Cybersecurity Executive Order," Sept. 28, 2012
Email interview with Susan Landau, Jan. 16, 2012
Email interview with George Smith, Jan. 16, 2012
National Strategy for Secure Identities in Cyberspace, accessed Jan. 17, 2012
International Strategy for Cyberspace, May 2011
Washington Post, "Obama administration outlines international strategy for cyberspace," May 16, 2011
Obama administration continues push on cyber security
Back in February 2009, we reported on the status of President Obama's campaign promise to develop a comprehensive cyber security and response strategy. At the time, we rated the promise In the Works, since Obama had designated Melissa Hathaway to lead a 60-day interagency review of the resources that the U.S. government had available to fight off cyber attacks. Hathaway previously served as cyber coordination executive to the Director of National Intelligence in the Bush administration.
Since then, several key developments have taken place.
• Hathaway's review is now finished and available on the White House website. It notes that the "architecture of the Nation's digital infrastructure, based largely upon the Internet, is not secure or resilient." After outlining some of the efforts that previous administrations have taken to beef up cyber security, the review provides a list of several near-term and mid-term goals. These goals include appointing a cyber security policy official and preparing a cyber security incident response plan.
• On December 22, 2009, Obama appointed Howard Schmidt to the position of Cybersecurity Coordinator. Formerly a chief security officer at Microsoft and eBay, Schmidt is responsible for coordinating cyber security activities across the government. He will also coordinate policies that encourage economic growth and commerce.
• In May 2010, Gen. Keith Alexander was appointed and confirmed to lead the new Pentagon Cyber Command, which is responsible for coordinating cyber defense and cyber attack operations. The command will run military cyber security operations and provide support to civil authorities.
• In November 2009, the Air Force announced that 27,000 communications officers were being transferred to provide support for cyber warfare operations from general computer communications, according to the Air Force Times. In April of this year, 3,000 more officers were moved, bringing the total to 30,000.
• In December 2009, the Department of Homeland Security completed a draft of its National Cyber Incident Response Plan. The report outlines the roles and responsibilities of various federal agencies during a cyber attack against the United States. In September of this year, DHS will hold Cyber Storm III, a multi-organization security drill to test the details of the final plan. A spokesman told us that the draft strategy will be revised based on the lessons learned during that exercise.
President Obama's actions move his promise along, but until we get a confirmation that the DHS has a finalized strategy for responding to a cyber attack, we're keeping this In the Works.
The White House, Cyberspace Policy Review (pdf)
U.S. Department of Defense, Senate Confirms Alexander to Lead Cyber Command, May 11, 2010
PolitiFact, Create a national cyber adviser to coordinate security of electronic infrastructure, Dec. 30, 2010
Air Force Times, 3,000 officers switch to cyberspace specialty, by Bruce Rolfsen, May 19, 2010
Federal Computer Week, DHS releases cyber incident response draft plan, by Ben Bain, Dec. 9, 2009
Guardian, US appoints first cyber warfare general, by Peter Beaumont, on May 23, 2010
The Wall Street Journal, Gates to Nominate NSA chief to Head New Cyber Command, by Siobhan Gorman, April 24, 2009
Obama orders review of cyber security
On Feb. 9, President Obama ordered "an immediate review of the plan, programs and activities underway throughout the government dedicated to cyber security," according to a statement from the White House.
"This 60-day interagency review will develop a strategic framework to ensure that U.S. government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector," the statement said.
The president designated Melissa Hathaway to lead the review as acting senior director for cyberspace for the National Security and Homeland Security Councils. Hathaway previously served as cyber coordination executive to the Director of National Intelligence in the Bush administration.
We rate this promise In the Works.
White House Web site, President Obama Directs the National Security and Homeland Security Advisors to Conduct Immediate Cyber Security Review, Feb. 9, 2009
Wall Street Journal, Hathaway to Head Cybersecurity Post, Feb. 8, 2009