Obama Introduces National Hacker-Defense Plan


President Barack Obama signed two executive orders on Tuesday about cybersecurity and described his Cybersecurity National Action Plan in a Wall Street Journal op-ed.

Critics will wonder why many of the ideas in the National Action Plan were not implemented years or decades ago and also ask how a government that spends so much money could have such a shabby record on computer security.

USA Today describes the White House plan to create a Commission on Enhancing National Cybersecurity, which will be made up of “business, technology, national security and law enforcement leaders who will make recommendations to strengthen online security in the public and private sectors.”

The commission is scheduled to deliver a report by December 1, which seems rather a long time in the fast-moving world of cybersecurity and is also just a matter of weeks before the conclusion of President Obama’s term in office, with time off for the holiday season.

There will also be a Federal Privacy Council, which will “bring together chief privacy officers from 25 federal agencies to coordinate efforts to protect the vast amounts of data the federal government collects and maintains about taxpayers and citizens.”

“Obama’s cybersecurity adviser, Michael Daniel, said the structure allows the administration to move forward even without additional authority from Congress by ‘driving our executive authority to the limit,’” USA Today reports. Enthusiasm for pushing executive authority to the limit has never been a problem for Obama, and government-wide cybersecurity is not something Congress should be cut out from.

Daniel also said that although Obama wants a 35 percent increase in funding for cybersecurity, bringing it up to $19 billion, “We can do quite a bit of it even without the additional resources.” We may ask why it hasn’t been done already, then.

For $12.5 billion, we got huge amounts of secret data sucked from the Office of Personnel Management by foreign hackers and other federal data-management horrors — many of which were management errors instead of outmoded hardware and software. The President’s new cybersecurity initiative is rolling out the day after hackers took the personal data of 30,000 FBI and DHS employees hostage.

Wired took a look at the new Cybersecurity National Action Plan and noticed much of it was “standard advice you’d give a tech novice.” Such advice includes staying current on software updates, taking passwords seriously, training up more cybersecurity experts, and exercising basic computer security competence at every level. One of the tallest orders ahead for the calcified federal government will be getting rid of Windows XP.

One encouraging idea in the new proposal is the creation of a Chief Information Security Officer for the government, echoing a position found in many large private-sector operations. The government has a habit of papering over problems by announcing the creation of new high-level positions, with attendant staffing and budgets, which appears to the cynical eye like a gambit to exploit failure as a means of securing more funding. In this case, a central office to coordinate security efforts makes sense, as the government’s many disparate computer and human systems interact with each other.

It will be essential to ensure the Chief Information Security Office isn’t turned into another patronage position for the President’s political supporters — it should be a tough job, filled by a highly qualified candidate.

President Obama’s Wall Street Journal op-ed contains his usual mixture of rhetoric about the urgency of increased funding to combat a serious problem, and passive denials that his administration did anything wrong in the past. His description of the current situation will win no applause from anyone who remembers how he and his appointees handled each of the crises he recalls:

“Networks that control critical infrastructure, like power grids and financial systems, are being probed for vulnerabilities. The federal government has been repeatedly targeted by cyber criminals, including the intrusion last year into the Office of Personnel Management in which millions of federal employees’ personal information was stolen. Hackers in China and Russia are going after U.S. defense contractors. North Korea’s cyberattack on Sony in 2014 destroyed data and disabled thousands of computers. With more than 100 million Americans’ personal data compromised in recent years—including credit-card information and medical records—it isn’t surprising that nine out of 10 Americans say they feel like they’ve lost control of their personal information.

“These cyberthreats are among the most urgent dangers to America’s economic and national security. That’s why, over the past seven years, we have boosted cybersecurity in government—including integrating and quickly sharing intelligence about cyberthreats—so we can act on threats even faster. We’re sharing more information to help companies defend themselves. We’ve worked to strengthen protections for consumers and students, guard the safety of children online, and uphold privacy and civil liberties. And thanks to bipartisan support in Congress, I signed landmark legislation in December that will help bolster cooperation between government and industry.”

It’s curious that Obama didn’t mention these urgent cyberthreats in his final State of the Union address, after four straight years of addressing the topic. Perhaps his government’s cyberwar record would have clashed with the sunny portrait of accomplishment he was trying to paint in his last SOTU. He certainly didn’t need anyone remembering the HealthCare.gov launch.

It’s also interesting that Obama’s cybersecurity op-ed didn’t mention the number one electronic security issue currently gripping America’s attention: Hillary Clinton’s unsecure email server. She’s hardly the only Obama official to jeopardize data security by fooling around with unofficial email accounts, but she took it to a level previously undreamed of. How can the President write about the urgent need to follow “best practices” in computer security when his former Secretary of State, and aspiring successor, had the worst practices anyone has ever seen?

The President boasts in his WSJ op-ed that his government is “doing more to help empower Americans to protect themselves online,” by which he means a “national awareness campaign to raise awareness of cyberthreats.” More education never hurts, but the measures he talks about are already being implemented by private-sector concerns, as he acknowledges. People are learning about double authentication, biometric security, online account protection, and credit-card security from their private providers, not waiting for the government to spend a billion dollars on public-service announcements.

CNN reports mixed political signals on the new cybersecurity initiative, noting that Obama’s gigantic overall budget is dead on arrival in Congress, but “Obama said he had already discussed the cybersecurity initiative specifically with House Speaker Paul Ryan, and expressed optimism lawmakers would take up his proposal.”