WASHINGTON-In 2003, then President Bush, with input from government agencies, the private sector, academia and the military, issued the National Strategy to Secure Cyberspace to rave reviews and gushing praise from the IT industry. The plan set guidelines, avoided mandates and promised a vaguely defined cyber czar. If anything, cyber-security declined.
On May 29, President Obama issued his own Cyberspace Policy review after input from virtually every federal agency and security trade group, promising guidance over mandates. A vaguely defined cyber czar, though now called a cyber coordinator, will oversee Obama’s cyber-security plan. The technology sector wasted no time in praising the effort.
As the eminent philosopher Yogi Berra once said, “It’s like deja vu all over again.”
But executives from Symantec, PGP, RSA, Lockheed Martin, IBM and TechGuard all claimed it will be different this time. At a press conference a few blocks from the White House following Obama’s late morning televised event, the executives, most of whom attended Obama’s speech, gathered under the auspices of TechAmerica, one of the capitol’s top tech trade organizations.
TechAmerica President Phil Bond called Obama’s speech a “remarkable event.” Enrique Salem, Symantec’s CEO, hailed a new era of cyber-security and vowed, “We will not fall back … like before,” while Suzanne Magree, president and CEO of TechGuard Security, said that Obama’s cyber-security initiative, “coming so early in his first term, bodes well.” IBM Chief Privacy Officer Harriet Pearson added, “Starting today, we’re all security companies.”
Of course, much the same things were said of Bush’s cyber-security plans. What’s the difference between 2003 and today? Most of the executives seem to agree it was Obama’s very public commitment. Bush didn’t televise his cyber-security plan and often went long stretches of time without even mentioning it.
“Because of the critical importance of this work, I will personally select this official,” Obama said of his cyber-security coordinator. “I’ll depend on this official in all matters relating to cyber-security, and this official will have my full support and regular access to me as we confront these challenges. To ensure accountability in federal agencies, cyber-security will be designated as one of my key management priorities. Clear milestones and performances metrics will measure progress.”
“Politically, he [Obama] put a lot of chips on the table,” Bond said.
Salem said the Bush administration “started us on this path, but Obama has put cyber-security on his personal agenda, and he said he would personally track progress.”
PGP CEO Phil Dunkelberger pointed to Obama’s “force of will and unity.”
Perhaps the biggest difference between the Bush plan and Obama’s new cyber-security initiative is the issue of privacy. IBM’s Pearson stated, “This administration has made a commitment to protect civil liberties.”
Even the Center for Democracy & Technology, a fierce watchdog group, praised Obama’s speech.
“It’s clear that the White House review team was committed to building privacy into these cyber-security policy recommendations from the beginning of the process,” CDT President and CEO Leslie Harris said in one of the dozens of statements flooding e-mail boxes after Obama’s speech. “Further, we are greatly encouraged by the administration’s strong commitment to develop its cyber-security privacy policies in a collaborative manner with those in the private sector.”
Despite all the praise, the road ahead will be a difficult one.
“The White House going public is very important, but Congress has a role to play,” said Shannon Kellogg, RSA’s director of government affairs and chairman of Tech America’s Information Security Committee. “Giving him the tools he needs is when the tough part begins. It’s unacceptable that FISMA has not been updated. We need to update the legal framework we all have to work under.”
One of the more formidable fights ahead on Capitol Hill will be dealing with Sen. John D. Rockefeller’s proposed Cybersecurity Act of 2009, which would clarify the president’s authority to protect public and private systems in the face of an attack or imminent high-level threat to national security, comparable to the way that Bush exercised his authority on Sept. 11, 2001, to temporarily ground all aircraft in U.S. airspace.
Not even Obama is seeking such unprecedented authority over networks.
“What is omitted from this report is as significant as what is included in it,” the Center for Democracy & Technology said in a review of Obama’s plan. “While the report recommends a stronger cyber-security role for the White House, it does not propose that the president be given the power to limit or shut down Internet traffic to a critical infrastructure information system.”