What to expect from the Obama administration on Cybersecurity

By Norman Johnson

The first Obama administration jumped out of the gate in 2009 with a nationwide review of cyberspace, headed by Melissa Hathaway. By May 2009 the Cyberspace Policy Review was released with much fanfare. "This new approach starts at the top, with this commitment from me: From now on, our digital infrastructure - the networks and computers we depend on every day - will be treated as they should be: as a strategic national asset," Obama said. "Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient. We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage." The recommendations in the Review were received positively by the security community and set high expectations.

A major recommendation of the Review was to appoint an interagency cybersecurity policy official; it was fulfilled in Dec 2009 with the appointment of Howard Schmidt as White House cybersecurity coordinator, with access to the cabinet and the President. Although President Obama and Schmidt have been relatively quiet in the years since, the Obama administration has been active on many fronts and has addressed many of the Review's recommendations, for example by developing joint Defense-Homeland Security guidance (Oct 2010), coordinating an international cybersecurity initiative (May 2011), proposing a plan for the National Strategy for Trusted Identities in Cyberspace (Jun 2010), and unveiling a unified research and development strategic plan (Dec 2011).

Most of the activities of the first administration were policy actions, which did not directly affect companies and their operations. What can be expected from the second Obama administration? A recently proposed Presidential directive provides major clues: the "Critical Infrastructure Protection and Resilience Presidential Policy Directive", or Cybersecurity Executive Order (CEO), first circulated for comment in Sept 2012 and made available to the public in Nov 2012. While the focus of the order is critical infrastructure protection (CIP), the type of infrastructure covered by the CEO differs from that of prior CIP directives: cybersecurity in a modern economy touches all aspects of society, from traditional infrastructures such as energy production and distribution to the new information infrastructures found in the financial and economic sectors.

Why was an executive order needed? The CEO was a response to the failure in the Senate, on Aug 2, 2012, of the Cybersecurity Act of 2012 (S.3414), which the Obama administration had backed. The goal of the legislation was to consolidate oversight and regulation of private sector cyberspace within the Dept of Homeland Security (DHS), as recommended in the Policy Review, but the legislation was rejected because opponents said it would lead to undue government regulation of the private sector. With Congress still divided, there is little expectation that new cybersecurity legislation will pass. Hence the proposed CEO implements parts of the legislation, but it is limited because only legislation can change or create regulatory authority. Instead of a consolidated approach within DHS, the proposed CEO requires all agencies with regulatory control over critical infrastructures, under the coordination of DHS, to 1) identify critical infrastructure at risk and prioritize it, to be completed within 150 days of the date of the order; 2) develop a Framework to reduce cyber risk to critical infrastructure, to be finalized within one year; 3) establish the Framework and invite owners and operators of critical infrastructure to adopt it voluntarily; and 4) propose regulations to implement the Framework within each infrastructure sector, within one year. The Executive Order differs from S.3414 primarily in seeking a multi-agency regulatory solution coordinated by DHS rather than a centralized one. Furthermore, because some cyber infrastructures, such as financial networks, are not currently regulated, they will be exempt from the Executive Order.

While the details of the Executive Order's impact on the private sector depend on the Framework that will be developed and on the prioritization of the infrastructures (the highest priority ones will be affected soonest), the final outcome will be some form of cybersecurity regulation. The new regulations will in turn increase certification and auditing activity. Whether there will be a common need for software and services to support the new regulations across all infrastructures will depend on how successfully DHS coordinates across multiple agencies.

So is increased cyberspace regulation of the private sector likely in the second Obama administration? Definitely. And is a new industry likely to arise around regulation, certification and compliance?

Quite likely.