President Obama announced on Wednesday that Thomas Donilon, his former national security adviser, would chair a bipartisan Commission on Enhancing National Cybersecurity—a move that likely prompted reactions ranging from shrugs to quizzical brow-furrows.
The move was the follow-up to another announcement, made last week but buried in the flurry of headlines about the New Hampshire primaries and the 2017 budget proposal—namely, Obama’s release of what he called the Cybersecurity National Action Plan, or CNAP. Donilon’s commission—which will be comprised of “top strategic, business, and technical thinkers,” tasked with drawing a “road map” for securing cyberspace in the next decade—is one piece of that plan.
Like many things that presidents call into being, blue-ribbon panels are whatever their creator wants them to be. Over the years, some have inspired serious debate and new policies, while others have proved to be purposeful distractions—a way of pretending to give an issue grave attention while in fact evading the deep thoughts and hard choices it entails.
Obama tends toward the former approach, and he is genuinely concerned about the challenges of cybersecurity (and its flip side, cyberwar). But in this case, the commission’s report isn’t due until the end of 2016, just in time to hit the doorstep of the next White House occupant, who—depending on the election results—will either mull its findings or shred it into pulp.
Meanwhile, it’s a shame that the rest of the CNAP drew so little attention, because some of its initiatives might really help ward off hackers—at least if the federal bureaucracy, Congress, and private industry go along. And that’s where stabs at reform in this realm have always fallen short.
One of the CNAP proposals seems so common-sensical, it’s amazing that it hasn’t been done already. It calls for spending $3.1 billion on an Information Technology Modernization Fund, so that old computers and servers—thousands of them scattered throughout the federal bureaucracy, many so old that they can’t support up-to-date antivirus programs—can be retired and replaced. Another unassailable idea: Insist that government agencies install two-factor authentication on all their computers, a step that will make intrusion much harder for all but the most advanced hackers. (Already, under White House prodding, the number of federal computers that have stiffened their passwords with two-factor authentication has risen from 40 percent to 80 percent.)
But here’s the catch. This $3.1 billion fund—and, in fact, all the changes the CNAP envisions—will be administered by a “chief information security officer,” a newly minted official placed in charge of “developing, managing, and coordinating cybersecurity strategy, policy, and operations across the entire Federal domain.” The CNAP fact sheet boasts, “This is the first time that there will be a dedicated senior official who is solely focused” on this mission.
Creating this job is, in principle, a very good idea. Rob Knake, a former White House cybersecurity aide, now an analyst at the Council on Foreign Relations, said in a phone conversation, “You need someone who can tell some official, ‘I’m disconnecting your whole agency from the Internet, and I’m not reconnecting you until you comply with this policy, throw out your old stuff, and replace it with this new stuff.’ ”
But to do this sort of thing, the officer would need an executive order, signed by the president, giving him such powers. The problem is, President Obama hasn’t signed such an order, nor does the White House have plans to do so. Several cyber specialists, all former or present government officials, told me they laughed when they read the new post’s job description published by the Office of Management and Budget. “It sounds good on the surface,” says one specialist, who has government contracts, “but you read closely and you see there’s no real power here, he doesn’t control budgets, he can’t hire or fire anyone, he doesn’t even get reimbursed for relocating—he’s just another guy buried deep in the bureaucracy.”
Others say that critique goes too far. If the heads of backward agencies are willing to change their practices, if they appoint officials to supervise the overhauls, and—as a first step—if Congress authorizes the $3.1 billion, then a chief information security officer could do some good. But if the officer faces resistance, his or her options are severely limited.
In February 2015, Obama signed an executive order, titled “Improving Critical Infrastructure Cybersecurity,” setting up forums in which private companies could share data about the hackers in their midst—in exchange for which the government (mainly the National Security Agency, working through the FBI) would share tools and techniques for protecting their networks. However, as with similar orders in the past, the data-sharing isn’t mandatory; the private companies made clear that they’d lobby against the plan if it was. And so, the final document stated, “Nothing in this order shall be construed to provide an agency with authority for regulating the security of critical infrastructure.”
“Government is 10 percent policy, 90 percent implementation,” says Richard Clarke, who drafted several cybersecurity orders in the White House of Bill Clinton and (briefly) George W. Bush, including one that named himself as the “coordinator” of federal cyber policy. “I was able to get a few things done,” Clarke remembers, “because I pretended to have power, and some people believed me.” But ultimately his bluff was called—mainly by industry executives and their allies in the Treasury Department, who resisted any measures that smacked of government regulation—and the game screeched to a halt.
The thing is, everything about cyber policy is political. The contest of security vs. privacy, the public good vs. corporate profits, interagency power struggles, budget fights, and the simple matter of setting priorities in a 24-hour day—all enter into and complicate issues that might seem clear-cut at first glance.
A classic case is Apple’s current attempt to keep the FBI from cracking the code on its latest iPhone operating system: The FBI wants to get inside the phone of the San Bernardino shooter, to see if he had been in contact with ISIS; Apple wants to assure the privacy of its customers and argues that, if a back door is carved open for the FBI, other hackers will also find a way in.
These sorts of tensions often dominate less dramatic forums, too. In fighting off White House attempts to impose mandatory security requirements in the 1990s, companies argued that such steps would slow down their servers and thus reduce their appeal in the global marketplace. When the FBI or NSA has penetrated networks used by criminals or foreign terrorists, they also pick up communications of innocent Americans using the same networks—thus raising outcries about civil liberties but also making the cellular companies and Internet service providers leery of cooperating, lest they be held liable in lawsuits. This was one reason companies didn’t want to go along with Obama’s—and, before him, Bush’s and Clinton’s—plan to share information about hackers. Obama proposed legislation exempting the companies from such lawsuits, but Gen. Keith Alexander, director of the NSA at the time, secretly lobbied against the bill, because it would have required the companies to share information with the Department of Homeland Security, whereas Alexander wanted the NSA (working through the FBI) to be in charge.
There’s another obstacle to reforms of this sort: In one sense, the resisters have a point. They hesitate to spend a lot of money on cybersecurity because they know that, in the cyber arms race, offense has an edge over defense and that today’s “best practices”—which the government urges everyone to adopt—devolve into tomorrow’s easy targets.
Again, it’s all very complicated.
Some officials pushing Obama’s CNAP are aware of this checkered history. They think their effort, unlike many similar efforts of the past quarter-century, will be different because, this time, the climate is different. The daily headlines about foreign hackers, the massive cybertheft of personal data from the Office of Personnel Management, the growing awareness that this is a serious problem—all this, they hope, might reduce the resistance that earlier plans have met.
Maybe they’re right, and the Obama plan does call for certain measures that push security along paths that no one has pushed before. Knake, despite his skepticism, says that on balance he’s optimistic. “Yes, it’s more of the same,” he says of the CNAP’s initiatives, “but that’s a good thing”—that’s the sort of approach that people, agencies, and entities tend to adopt and that, over time, can alter the culture.
But to move things along quickly, so that security keeps up with changing threats and technologies, the officers put in charge of running the plan have to be able to run the plan. The president needs to give them not only the job but also the written authority to do the job. And while a presidential commission isn’t necessarily an ineffective way to set an agenda for the future with bipartisan support, the one to be led by Tom Donilon—a capable manager who worked on cyber issues during his tenure in the White House—is getting started with less than a year left in Obama’s term: barely enough time to finish its report, much less take the first steps toward turning its recommendations into policy.
It’s a smart, focused effort, but it’s too little, too late.