Is Barack Obama a Cybersecurity Leader?President Busy Promoting His IT Security Initiatives
The president of the United States is known as the leader of the free world. But does that leadership carry over to the realm of cyberspace?
When President Obama last week unveiled his latest cybersecurity legislative initiative and began to promote it in a series of speeches, culminating in this week's State of the Union address, I began to ponder whether he was a true leader in the cyber dominion (see Obama to Congress: Enact Cybersecurity Laws).
This degree of presidential focus is unprecedented and is one of the hallmarks of leadership.
Technology, after all, is in Obama's DNA, and from his very first day in office, securing technology was a very personal matter. Remember the news stories before his inauguration that he didn't want to give up his BlackBerry, so the smart phone had to be modified to become extremely secure?
Cybersecurity has been a priority of the Obama presidency from the get-go. Within a month of his inauguration six years ago this week, he commissioned a governmentwide cybersecurity review that three months later produced the Comprehensive National Cybersecurity Initiative, which he announced with much fanfare in a White House speech (see The President's 10-Point Cybersecurity Action Plan). Within a year, Obama named the first White House cybersecurity coordinator (see Schmidt: A Take-No-Nonsense Cybersecurity 'Czar').
Still, Obama would go months, even longer, without uttering the word "cybersecurity" in public, although his aides contended it was a topic he remained engaged in behind the scenes.
In 2011, Obama offered a comprehensive legislative proposal - one similar to the package he revealed this past week - but over the next 3Â½ years, cybersecurity bills backed by Obama languished in the Capitol (see White House Unveils Cybersecurity Legislative Agenda) .
Not getting his legislation through Congress, Obama decided to use his executive authority, and nearly two years ago signed an executive order directing the federal government to share cyberthreat information with critical infrastructure owners (see Obama Issues Cybersecurity Executive Order). He also ordered the National Institute of Standards and Technology to work with industry to create a cybersecurity framework, a compendium of IT security best practices, which critical infrastructure operators and others could adopt voluntarily. That framework was issued in February 2014 to mostly positive reviews from the business community (see NIST Releases Cybersecurity Framework).
This past year, Obama issued another executive order directing government agencies to shift to the use of chip-and-PIN cards that are deemed more secure than magnetic stripe cards (see Obama Seeks to Speed EMV Adoption). Now, the president is aggressively pushing his latest cybersecurity initiatives, which include measures to encourage businesses to share cyberthreat information, nationalize data breach notification and toughen criminal laws to allow prosecution of botnet sales and protect student data (see Obama Unveils Cyberthreat Info Sharing Plan and Obama Seeks to Nationalize Breach Notification). "If we don't act, we'll leave our nation and our economy vulnerable," Obama said in this week's State of the Union address. "If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe."
Does all of this make Obama a cybersecurity leader? To help me answer that question, I asked experts in the IT security and privacy field to share their thoughts on the matter.
"It's incontrovertible that the president has demonstrated true leadership in the cybersecurity space," says Larry Clinton, president of the industry trade group Internet Security Alliance. "No world leader has shown more vision and insight to the cyberthreat."
Clinton, to back his contention, points to the initiatives cited above. "This degree of presidential focus is unprecedented and is one of the hallmarks of leadership," he says.
With less fervor, privacy and data security lawyer Francoise Gilbert sees leadership tendencies in Obama's actions. "No other U.S. president has been as proactive as President Obama in pushing privacy or security legislation," she says. "From this standpoint, he is a better leader in regards to cybersecurity and data privacy than any of his predecessors, but I would not give him an A for his performance. There is room for improvement."
Determining whether Obama is a true cybersecurity leader could be shaded by one's own agenda. Clinton generally agrees with Obama's cybersecurity agenda, although he says the Internet Security Alliance seeks more aggressive action than the president proposes.
Change of Heart
Privacy advocate Rebecca Herold says the president demonstrated leadership by proposing legislation to hold companies accountable for protecting consumers' personal information and to safeguard the data of students. "I was hopeful that President Obama would be a good technology leader when he had promoted privacy with these initiatives," she says.
But her opinion changed about his leadership with revelations of National Security Agency snooping during his tenure, as well as his stated belief that law enforcement might need to have a backdoor to break encryption on suspected terrorists' mobile devices (see Obama Sees Need for Encryption Backdoor). "There is an apparent large gap between his stated concerns and his understanding of cybersecurity," Herold says. "It doesn't seem as though he realizes that putting backdoors into security technologies will make those security technologies ineffective and put organizations at risk of having the cybercrooks using those backdoors, and will make it significantly harder for organizations to effectively protect data and systems."
It's not just a philosophical bent that could determine whether one considers anyone a leader. It could be missed opportunities to evangelize the cause.
Missed His 'Truman Moment'
Andrea Little Limbago, principal social scientist at the IT security firm Endgame, points out that when Democrat Harry Truman was president in the late 1940s - and like Obama had to work with a Republican-led legislature - he delivered a speech to a joint session of Congress that outlined the key tenets of what soon would become the Truman Doctrine to curtail the expansion of the Soviet Union and its communist ideology, a strategy that guided American foreign policy for more than four decades.
Limbago says Obama should have used the State of the Union address to outline his vision for protecting the country from a range of cyberthreats, rather than address immediate challenges, such as data breach notification and cyberthreat information sharing.
"Given the fast pace of the cyber domain, absent a vision, any congressional legislation will not only be aimed at the wrong problem, but it likely will lag behind the current needs of both the public and private sectors," she says. "President Obama succeeded in specifying his domestic vision for the economy, but when it comes to cybersecurity, he missed his 'Truman moment' to create an Obama Doctrine that will guide the future of U.S. cyber policy."
Perhaps what looks like leadership in reality is merely responding to the current environment. "President Obama's leadership in regard to cybersecurity is more an indicator of the times," says Ben Desjardins, director of security solutions at IT security provider Radware. "The universal recognition that threats to national security, the U.S. economy and individual citizens exist today as much in the virtual world as they do in the physical world. He should be lauded for recognizing the growing importance of advancing cybersecurity initiatives, but to become a true leader in this area he will have to make some difficult decisions."
Before deciding if Obama is a true leader on the issue, Desjardins will examine how the president prioritizes efforts across such issues as identity theft, critical infrastructure protection and the reliability of the electronic economy. Obama "cannot protect everyone from every threat," he observes. "To leave a legacy as a leader in advancing the nation's cybersecurity readiness, President Obama will need to make these difficult choices, and then enable the government to effectively help private and public organizations to not only respond when security incident occurs, but also improve their ability to proactively protect from their occurrence."
Determining whether Obama is a cybersecurity leader, from my perspective, is a political issue. After all, we should frame much of anything a president does through a political lens. If he succeeds in getting his legislative package through a Congress dominated by the opposition, then conceivably he is a cybersecurity leader.
What's your take: Is the president a cybersecurity leader? Share your thoughts below.