Giving Obama a 'D' in InfosecJudging the Fairness of the Grade
How fair is the report card issued by a little known group, National Security Cyberspace Institute, that gives President Obama middling grades on his administration's cybersecurity performance?
"I thought the report card was well researched and thoughtful," says Melissa Hathaway, who led in early 2009 Obama's Cyberspace Policy Review.
Not being familiar with NSCI, I didn't want to report on the grades till it was vetted. Who better to evaluate the report than Hathaway? Not only did she lead the Cyberspace Policy Review that produced the administration's cybersecurity policy in May 2009, but NSCI used her report as the benchmark for its evaluation of the White House cybersecurity performance.
"I think it is a fair assessment of what has been accomplished to date and, in some areas, gives generous credit," Hathaway says.
Hathaway's comments focused on the first part of the report card: Appointment of a cybersecurity policy official responsible for coordinating the nation's cybersecurity policies and activities.
NSCI gave the administration a "D," primarily because it took Obama more than one-half year to name Howard Schmidt as White House cybersecurity coordinator. From the report:
"The process was delayed by a number of internal squabbles over authorities, responsibilities and chain of command, with several potential candidates declining the job because of concerns over insufficient authority to execute required responsibilities. Melissa Hathaway, who chaired the 60-day review and was considered by many to be the odds-on favorite to win the coordinator's position, resigned from her cyber position on the National Security Council after waiting three months for the president to make a decision.
"The president's lack of leadership and decisiveness were likely responsible for the resulting delays in getting started on the focused effort required for a problem he himself had described as "one of the most serious economic and national security challenges we face as a nation." We believe Mr. Schmidt has all the experience and qualifications necessary for the job. We also believe he made an excellent choice in June 2010 when he named Sameer Bholatra to serve as his deputy. However, it is our belief that the concerns expressed by many over the authority-versus responsibility issue were valid in 2009 and remain valid today"
Hathaway didn't disagree: "It is possible that more progress could have been achieved, if the cyber coordinator position had been elevated (per the recommendation in the Cyberspace Policy Review) and if the office had more staff. I look forward to seeing more focus and attention to cybersecurity in 2011."
The report card covered much more than coordinating cybersecurity activity from the White House:
Out of fairness, I sought a White House response, and spokesman Nicholas Shapiro e-mailed the following statement:
"President Obama has made cybersecurity and protecting the computer networks and infrastructure we depend on everyday a national security priority. As a result, federal departments and agencies are working together and with the private sector every day to an unprecedented degree to address threats to our nation's critical cyber infrastructure. There has been significant progress since the president's Cyberspace Policy Review. This includes the consolidation of trusted federal gateways to the Internet, which increases security, makes intrusion detection easier and saves money; the development and testing of the National Cyber Incident Response Plan, which was created in close collaboration with the private sector; the signing of a key memorandum of agreement between the departments of Defense and Homeland Security on cybersecurity; and the connecting of key cybersecurity centers to enhance our national situational awareness.
"In addition, this administration has provided an unprecedented level of transparency on its cybersecurity efforts, starting with the public announcement of the declassified summary of the Comprehensive National Cybersecurity Initiative and continuing with active engagement with privacy and civil liberties groups and the public so there is a full understanding of what we are doing and why, as well as the roles of the government agencies involved. The administration has also enhanced its efforts to engage the public through the development of the national 'Stop. Think. Connect.' cybersecurity awareness campaign and through the National Initiative for Cybersecurity Education to enhance public awareness and the recruitment, training and retention of cybersecurity professionals.
Arguably, the Obama administration has done more than other administrations to defend the government's and nation's critical IT systems. Of course, the threat to IT has never been greater, and the optimism surrounding Obama's May 2009 cyberspace address raised expectations to achieve policy goals that may have been unrealistic.
Perhaps, if the White House had been graded on a curve, it would had received higher marks. But, of course, grading on a curve requires the evaluation of more than one subject, and in our republic, we have only one president at a time.