Obama’s cybersecurity legacy: Good intentions, good efforts, limited results

President Obama is only a couple of weeks out of office, but his legacy on cybersecurity is already getting reviews – mixed reviews.

According to a number of experts, Obama said a lot of good things, did a lot of good things and devoted considerable energy to making cybersecurity a priority, but ultimately didn't accomplish the goal of making either government or the private sector more secure.

The most recent, stark illustration was the series of leaks, enabled by hacks that US intelligence agencies attribute to Russia, that undermined both the credibility of Democratic presidential candidate Hillary Clinton and the election itself.

As Kevin Murray, director of Murray Associates, a counterespionage consultancy, put it, “government can make as many policies as it wants, but if it doesn’t solve the problem, what good is it?”

Or, as Paul Rosenzweig, founder of Red Branch Consulting, former Department of Homeland Security (DHS) official under President George W. Bush and frequent contributor to the Lawfare blog, put it, “they had the tools, they just chose not to use them when the chips were down. I don’t know why.”

Kevin Murray, director, Murray Associates

That is significant, given that one of the prime constitutional responsibilities of government is to “provide for the common defense.” Over the past decade, cybersecurity has approached the same level of importance as military or law enforcement security. The potential damage from cyber attacks has grown from the nuisance level to crippling.

At the physical level, top government officials have warned multiple times of the risk of a "cyber Pearl Harbor" attack from hostile nation states, terrorists or criminal gangs. There are continuing, and persistent, reports of vulnerabilities in the nation’s critical infrastructure.

At the economic level, Gen. Keith Alexander, former director of the National Security Agency (NSA) and head of US Cyber Command, said in 2012 that economic espionage – mostly by China – had led to, “the largest transfer of wealth in human history.”

Certainly this was not due to a lack of attention from Obama, who declared cybersecurity a priority at the beginning of his presidency and mentioned its importance in nearly every State of the Union address.

The list of initiatives, orders, policies and legislation coming during his watch is long and impressive. It includes:

• In February 2009, Obama ordered a review of the state of cybersecurity in government. In May, he announced the "Cyberspace Policy Review," which he said would result in a “coordinated cybersecurity plan” to be run from the White House, and intended to, “deter, prevent, detect and defend” against cyber attacks.
• In June 2009, what had been a provisional US Cyber Command since 2006 became permanent. The goal is a staff of 6,000, but as of last year, it was reportedly still at about two-thirds of that. However, there is general agreement among experts that the US has, "the most powerful cyber arsenal in the world."
• In response to a 2013 Executive Order from Obama, the National Institute of Standards and Technology (NIST) issued a "Cybersecurity Framework" in February 2014 – a document that set standards for both the private and public sector, and that has undergone various updates. The latest draft update, aimed at improving security for critical infrastructure, was issued in January, shortly before Obama left office.
• In June 2015, the administration released M-15-13, a “Policy to Require Secure Connections across Federal Websites and Web Services,” which set a deadline of Dec. 31, 2016 for all agencies to use encrypted HTTPS websites and web services.
• According to the General Services Administration, as of this month, while compliance is far from 100 percent – ranging from 43 percent to 73 percent for government domains and subdomains – “the government now outpaces the private sector on HTTPS.”
• In September 2015, Obama reached what was described as “a common understanding” with Chinese President Xi Jinping to halt economic espionage. Their joint announcement stated that, “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property (IP) …” While that has not eliminated the problem, it has reportedly reduced it.
• Congress passed, and in December 2015 Obama signed, the Cyber Information Sharing Act (CISA), designed to improve the sharing of threat information between government and the private sector. Opponents still call it a “surveillance bill,” but advocates say any hope of improving the nation’s cybersecurity will require cooperation between the private and public sectors.

Unfortunately, those and other initiatives did not always achieve the desired results. Security failures over the past eight years are well known and, in some cases, have been catastrophic.

Perhaps the worst was the hack, attributed to China, of the Office of Personnel Management (OPM), which compromised the personal data of about 22 million current and former federal employees.

Aaron Tantleff, partner, Cybersecurity Practice, Foley & Lardner

Douglas R. Price, a board member of AFIO (Association of Former Intelligence Officers), called it, “a failure of epic proportion.”

The OMB launched a so-called, 30-Day Cybersecurity Sprint to improve everything from authentication to threat detection, but that came much too late – after the breach was disclosed.

Other high-profile lapses include:

- Leaks of millions of classified documents from US Army soldier Bradley (now known as Chelsea) Manning and former NSA contractor Edward Snowden, which not only undermined confidence in the administration’s claims that it wasn’t conducting surveillance on American citizens, but also illustrated that government couldn’t protect itself against insider threats.

- The president tried twice, in 2011 and 2015, to launch legislation that would, "improve cybersecurity for the American people, our nation’s critical infrastructure and the federal government’s own networks and computers.”

But neither proposal went anywhere, in part due to a divided Congress, but also because of opposition from civil rights and privacy groups.

- The federal “Einstein” cyber threat detection and prevention system, which has existed since 2004 and has gone through several iterations since then, was upgraded by DHS to "EINSTEIN 3 Accelerated (E3A" in 2015.

But it has been criticized by experts, former government officials and members of Congress for being hopelessly outdated before it is even fully implemented – the deadline for implementation was this past December.

Greg Touhill, deputy assistant secretary of cybersecurity operations and programs at DHS, famously said in November 2015 that, “Einstein 3 is really where we needed to be 15 years ago.”

- Hacks, attributed to Russia, of the Democratic National Committee (DNC) and the email account of John Podesta, chairman of the Clinton presidential campaign. Wikileaks released embarrassing information from them during the final weeks of the campaign.

There are a number of reasons given for the failures.

First, numerous experts have said it is essentially impossible for government to keep up with the evolution and expansion of the threats. As Rosenzweig put it in an interview with Nextgov, “government moves at 60 miles per hour and Internet innovation moves at 6,000 miles per hour.”

Others say that gap is larger by orders of magnitude.

Aaron Tantleff a partner in the Cybersecurity Practice at Foley & Lardner, added that given, “mass connectivity amongst devices via the Internet of Things, lack of security of all sorts of other devices and the lack of sufficiently trained cybersecurity experts, no wonder there’s vulnerability.”

Second, it is tough for government to manage the online security of critical infrastructure when much of it is in private hands. Instead of mandates, with significant penalties for failure to comply with them, government mainly issues advisories and recommendations.

Third, it is tough for government to compete with the private sector for talent.

“The federal government continues to lag behind because it has to pay IT staff on a government pay scale,” said John Bambenek, manager of threat systems at Fidelis Cybersecurity. “For aspiring and experienced IT staff, the private sector is simply a much more lucrative and attractive career option.”

John Bambenek, manager of threat systems, Fidelis Cybersecurity

But, experts also say there are things government could, and should, do better. Price said security requires both, “protection measures and for our adversaries to be deterred from attacking. We did many things right with regard to the former, but the fact that we are still experiencing foreign hacking says that we have a lot more work to do on the deterrence side.”

Tantleff noted that some vulnerabilities persist, “because we elect to maintain them, presumably – oddly enough – for security reasons.”

He pointed to a blog post by Michael Daniel, the former White House cybersecurity coordinator, who argued that, “disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.”

Daniel added that it would not be in the national interest to build up, “a huge stockpile” of undisclosed vulnerabilities. But, of course, the definition of a “huge stockpile” could generate huge debate.

An obvious way for government to improve would be to update its technology, and experts note that in a budget approaching $4 trillion, surely money exists to improve hardware and software. But they say the political will is lacking.

“When it comes to spending money, security always falls behind other priorities,” Bambenek said. “Updating servers and laptops isn’t as sexy as other spending projects. No congressman ever attended a ribbon cutting for a shipment of new computers.”

Finally, Murray said government needs to focus not just on those who hack or steal data, but also on those who let it happen. He said government won’t get better results until it demands accountability. In virtually every case of a failure, including the OPM breach, those in charge are allowed to resign, which means they keep their pension and all other government benefits.

“There’s a lot of hand wringing, but not enough action,” Murray said. “You have to make the people in charge of holding this information accountable. Somebody should get paid a lot of money, but then told, ‘You are going to be held responsible if it leaks out on your watch.’

“You start doing that, and people will start taking it seriously,” he said.

Ultimately, if what matters is results, Obama’s legacy will suffer. Tantleff pointed to a recent book titled "The Global Cyber Vulnerability Report," that reviewed the cyber vulnerabilities of 44 nations, and ranked the US the 11^th safest.

“It’s hard to believe that will help Obama’s cybersecurity legacy,” he said.

Whether things will improve under President Trump is anyone’s guess, but some early indications are not encouraging.

Nicholas Weaver, a senior staff researcher at the International Computer Science Institute, in a post on Lawfare, declared that the president’s insistence on continuing to use an insecure Android device is, “asking for a disaster (and) should cause real panic.

“Once compromised, the phone becomes a bug – even more catastrophic than Great Seal – able to record everything around it and transmit the information once it reattaches to the network,” he wrote.

Tantleff said, “the jury is still out,” on whether Trump will be able to improve on Obama’s record. But in his view, it is not a terribly high bar.

“The level of cybersecurity that exists in government today would be disgraceful if it existed within large corporate America,” he said. “No financial or healthcare institution would be comfortable – nor would the American people – with our current efforts.”