Obama’s Cyber Legacy

The Obama administration made an unprecedented all-fronts effort to secure cyberspace. For eight years, cyberspace proved the Obama administration’s most unpredictable adversary, always twisting in new directions and delivering body blows where least expected.

The administration took the cyber threat seriously from day one, launching reviews, promulgating policy, raising defenses and punishing cyberspace’s most dangerous actors. That included imposing sanctions against Russia and North Korea and indicting government-linked hackers from China and Iran.

But, in the end, cyberspace won.

President Barack Obama will leave office following an election in which digital breaches ordered by Russian President Vladimir Putin helped undermine the losing candidate Hillary Clinton, sowed doubts about the winner Donald Trump’s legitimacy and damaged faith in the nation’s democratic institutions.

When the history of the Obama administration’s cyber policy is written, that fact will likely loom larger than anything else, numerous cyber experts and former officials told Nextgov, overshadowing years of hard work to prepare the government and the nation for an age of digital insecurity. It will also likely overshadow the dozens of instances in which Obama officials got the big cyber questions, more or less, right.

“He set himself up with all the tools, but he blew this,” said Paul Rosenzweig, a deputy assistant secretary at the Department of Homeland Security during the Bush administration.

This assessment is unnerving for many top cyber watchers who credit the Obama administration with making substantial progress preparing the government, military, law enforcement and the private sector to operate in an emerging and incredibly complex domain.

“The Obama administration has done a good job laying out the traditional government markers of thoughtful policy consideration … the fundamental building blocks of what makes the traditional American policy apparatus function,” Rosenzweig said. “They’ve invested intellectual capital and a lot of effort and time in them. On the negative side, despite these efforts, we aren’t actually any better off in terms of cybersecurity.”

Are we better off than we were eight years ago?

That question, are we better off in cyberspace now than we were eight years ago, was a particularly troubling one for cyber experts. Their answer, by and large, was a qualified no.

“We’re better off in terms of policies and institutions to deal with cybersecurity, but worse off with regard to the threat landscape and the actual security environment,” said Tim Maurer, co-lead of the Cyber Policy Initiative at the Carnegie Endowment for International Peace.

“There’ve been improvements on protecting us from attacks on critical infrastructure,” said Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations. “I think those are much less likely than before. But, overall, the progress has not kept up with the pace of the threat.”

The Good

There’s a lot to place on the positive side of the Obama administration’s cybersecurity ledger.

On the top of most former officials’ lists is a September 2015 agreement between Obama and Chinese President Xi Jinping to halt purely commercial hacking.

Prior to that agreement, former National Security Agency Director Gen. Keith Alexander described Chinese cyber theft of US companies’ trade secrets and intellectual property as “the greatest transfer of wealth in history.” FBI Director James Comey declared there are “two kinds of big companies in the United States … those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.” 

Within months after the agreement, Chinese corporate hacking dropped precipitously, according to US intelligence agencies and private-sector cybersecurity firms.  That’s just the top of a long list of accomplishments.

DHS built and continually upgraded its Einstein cyber threat detection and prevention system, which now protects more than 90 percent of federal agencies. The White House issued directives establishing internal government cybersecurity policies and procedures for responding to cyber incidents and attacks.

The National Institute of Standards and Technology established a cybersecurity best practices framework widely adopted by the private sector.

The Defense Department stood up an independent US Cyber Command, with offensive and defensive capabilities, which reached its initial operating stage in October staffed with more than 6,000 cyber warriors. The State Department worked with dozens of other nations to establish peacetime norms in cyberspace and to work out how international law applies there. And the Treasury Department developed a set of cyber-specific sanctions the White House used to punish Russian hackers in December.  

The Bad and the Ugly

There were also bad moments, however, that went beyond Putin’s election meddling.

There were breaches of email systems at the White House, State Department and Joint Chiefs of Staff, reportedly committed by Russian government-linked hackers. Hackers reportedly linked to the Chinese government stole sensitive security clearance documents on more than 20 million current and former federal employees and their families from the Office of Personnel Management.

There were also private-sector breaches, led by North Korea’s destructive cyberattack against Sony Pictures Entertainment, but also including major data breaches at Target, J.P. Morgan, Yahoo and the denial-of-service attack against the internet optimization firm Dyn, which knocked websites including Netflix and The New York Times offline for hours.

Disclosures by NSA leaker Edward Snowden fundamentally damaged attempts to cooperate with Silicon Valley on cybersecurity. It also pushed adversaries and some allies toward a narrow and insular view of managing the internet that has made cooperation on cybersecurity significantly more complicated.

Cyber-crime against consumers and the private sector did not significantly ebb during the past eight years. Despite a “cyber sprint” to shore up federal networks in the wake of the OPM breach, the government still relies inordinately on outdated technology. And decades-old inefficiencies in government technology acquisition and hiring have not been substantially repaired.

Most importantly, cyber watchers, say the government never successfully managed to establish a broad policy to deter cyber-attackers. If anything, as the Russian election meddling suggests, attackers only grew bolder.

A Complicated Landscape

The Obama administration’s cybersecurity efforts were hampered by a few fundamental facts.

To begin with, unlike combat in air or at sea, the Internet as a domain of conflict is controlled largely by the private sector. The government’s ability to enforce security measures is limited, especially outside industries such as energy, electricity and transportation DHS has labeled critical infrastructure.

Cyberspace is also best viewed as a domain of conflict rather than an issue unto itself like health care or homelessness. As a result, experts say, it makes more sense to view the administration’s failure to halt or counteract Russia’s election meddling as part of a broader failure to contain Russian aggression in Crimea and elsewhere rather than as a purely cyber failure.

The greatest fear during the first part of the Obama administration, expressed by intelligence officials and congressional leaders, was a destructive cyberattack against critical infrastructure that caused major loss of life and destruction of property. That never happened and, if it had, the breaches and influence operations that did occur might pale by comparison.

If there is one fundamental reason for the Obama administration’s inability to claim victory over cybersecurity, it is this: The threat grew and mutated faster than the administration’s ability to deal with it.

DefenseOne:             Obama Advises Trump To Train 100,000 Hackers:    We Are In A New Era Of Espionage:
 

« One Million Say Pardon Snowden & Russia Says He Can Stay Two More Years
Russia, Trump & Flawed Intelligence »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Biscom

Biscom

Biscom offers solutions for secure file transfer, synchronization, file translation, and mobile devices, designed to deliver mission-critical reliability, streamline workflows and reduce costs.

Cristie Data

Cristie Data

Cristie have been a trusted, innovative and leading edge data storage, backup and virtualisation solutions provider across all sectors of industry for over 40 years.

AvePoint

AvePoint

AvePoint is an established leader in enterprise-class data management, governance, and compliance software solutions.

Mobile Guroo

Mobile Guroo

Mobile Guroo is a strategy and systems integrator for Enterprise Mobility Management projects.

Cisco Talos

Cisco Talos

Talos is an industry-leading threat intelligence solution that protects your organization’s people, data and infrastructure from active adversaries.

Cybersecurity Association of Maryland (CAMI)

Cybersecurity Association of Maryland (CAMI)

CAMI’s mission is to create a global cybersecurity marketplace in Maryland and generate thousands of high-pay jobs through the cybersecurity industry.

Blake, Cassels & Graydon (Blakes)

Blake, Cassels & Graydon (Blakes)

Blakes is one of Canada’s top business law firms serving national and international clients in specialist areas including cyber security.

Dutch Accreditation Council (RvA)

Dutch Accreditation Council (RvA)

RvA is the national accreditation body for the Netherlands. The directory of members provides details of organisations offering certification services for ISO 27001.

Cyemptive Technologies

Cyemptive Technologies

Cyemptive's CyberSlice technology preempts and remove threats before they take hold, in seconds, compared to other’s hours, days, weeks and even months.

Forever Group

Forever Group

Forever Group is a Managed Services Provider specialising in Telecommunications, IT Support, and Cyber Security.

Access Venture Partners

Access Venture Partners

Access Venture Partners are an early stage VC firm investing in bold founders and helping every step of the way. Areas we give special focus to include cybersecurity.

Arsen Cybersecurity

Arsen Cybersecurity

Arsen is a French cybersecurity startup, dedicated to enhancing human behaviors in cybersecurity.

Nexio

Nexio

We are Nexio. We help organisations take every NEXT step toward their accelerated digital transformation.

Vantyr

Vantyr

Vantyr's core mission is to safeguard the business-led adoption of SaaS applications by automating the lifecycle management and security of non-human identities.

Rite-Solutions

Rite-Solutions

Rite-Solutions is an award-winning software development, systems engineering, and information technology firm.

Qryptonic

Qryptonic

Qryptonic pioneers next-generation cybersecurity by leveraging the unparalleled capabilities of quantum computing to defend against evolving threats.