At the start of the year, the Obama administration placed a heavy emphasis on data protection, privacy and cybersecurity through a series of announcements and speeches on these topics in advance of
At the start of the year, the Obama administration placed a heavy emphasis on data protection, privacy and cybersecurity through a series of announcements and speeches on these topics in advance of the State of the Union address. This led to expectations that data protection issues and reform would feature prominently in the address itself. However, the content fell short of expectations, and instead pleas for bipartisan cooperation and a focus on President Obama's legacy took centre stage.
Despite this, there were a number of drivers towards reform that the White House could not ignore, with cybersecurity being at the forefront following November's high profile hacking of Sony Pictures. The 45 days which the government has given itself to draw up their promised revised Consumer Rights Bill (which will take the President's February 2012 Consumer Data Privacy white paper as its blueprint) expires at the end of this month, and the result should prove enlightening. But in the month since the State of the Union address and the preceding announcements on privacy issues, what has actually happened?
Proposals for significant future budgetary funding in the fight against cyber threats: on 2nd February, the Obama administration announced its budget proposal for the 2016 fiscal year, which included a number of proposals for significant levels of funding in relation to cyber security. The overall figure requested was $14 billion, focusing on initiatives looking at detection and prevention mechanisms, as well as providing government-wide testing and incident response training. The Pentagon's cybersecurity budget accounted for over a third of the overall figure, requesting $5.5 billion after a senior weapons tested told Congress in January that nearly every US weapons programme showed "significant vulnerabilities" to cyber attacks.
A single, central cybersecurity agency: the US government is establishing a new central agency, modelled on the National Counterterrorism Centre, to combat the threat from cyber attacks; the Cyber Threat Intelligence Center. It will begin with a staff of around 50 and a budget of $35 million. The idea has been circulating for a while, and the Sony Pictures hack in November was the final impetus needed to establish the central. Its announcement came last week (10th February), after the President alluded to it in the State of the Union when he said that the government would integrate intelligence to combat cyber threats "just as we have done to combat terrorism".
A report by the Government Accountability Office (GAO) was released on 12th February, highlighting a number of high-risk gaps in the way in which the Department for Homeland Security deals with cybersecurity, as well as the protection of personally identifiable information. Whilst there has been a lot of discussion recently regarding the Obama Administration's desire to improve cybersecurity and combat the threats, the GAO report found that it has "no overarching cybersecurity strategy that outlines performance measurements, specific roles of federal agencies, or accountability requirements".
The White House Cybersecurity Summit held at Stanford University on 13th February was an opportunity for Obama to follow up on his pre-State of the Union cybersecurity promises, and he used it to highlight the key principles that he believes are at the heart of reducing the threat and frequency of cyber attacks:
An Executive Order entitled "Promoting private sector cybersecurity information sharing" followed the summit, and was signed by the President on 13th February. At the outset, the Order states its purpose:
"Organizations engaged in the sharing of information related to cybersecurity risks and incidents play an invaluable role in the collective cybersecurity of the United States. The purpose of this order is to encourage the voluntary formation of such organizations, to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis".
As well as the promotion of Information Sharing and Analysis Organizations (ISAOs) with voluntary data-sharing standards attached, the Order designates the National Cybersecurity and Communications Integration Center (NCCIC) as a critical infrastructure protection programme (giving it power to enter into voluntary agreements with ISAOs) and forces government agencies to coordinate their activities with senior government officials for privacy and civil liberties.
However, concern has been voiced from some in industry that the government should not be taking the lead on these issues, given "how uncertain the government really is about who does what in cyberspace" (Jeffrey Carr, president and CEO of Taia Global). Others remarked that matters that have been portrayed as issues of government espionage and a restriction on free speech, in particular the Snowden revelations were "a huge setback to the tune of several years" in relation to cybersecurity, given that the "balance between privacy and security ebbs and flows" (Dave DeWalt, CEO of security firm Mandiant).
In conclusion, it is clear that, despite the lack of discussion on the issue at the State of the Union, privacy and cybersecurity is on the Obama Administration's radar as an essential element of Western and democratic societies. The biggest change is yet to come, in the form of the revised Consumer Rights Bill, but the initiatives and action taken on privacy issues so far this year have played a valuable part in bringing this to the forefront of the American political agenda.
Despite this, there were a number of drivers towards reform that the White House could not ignore, with cybersecurity being at the forefront following November's high profile hacking of Sony Pictures. The 45 days which the government has given itself to draw up their promised revised Consumer Rights Bill (which will take the President's February 2012 Consumer Data Privacy white paper as its blueprint) expires at the end of this month, and the result should prove enlightening. But in the month since the State of the Union address and the preceding announcements on privacy issues, what has actually happened?
Proposals for significant future budgetary funding in the fight against cyber threats: on 2nd February, the Obama administration announced its budget proposal for the 2016 fiscal year, which included a number of proposals for significant levels of funding in relation to cyber security. The overall figure requested was $14 billion, focusing on initiatives looking at detection and prevention mechanisms, as well as providing government-wide testing and incident response training. The Pentagon's cybersecurity budget accounted for over a third of the overall figure, requesting $5.5 billion after a senior weapons tested told Congress in January that nearly every US weapons programme showed "significant vulnerabilities" to cyber attacks.
A single, central cybersecurity agency: the US government is establishing a new central agency, modelled on the National Counterterrorism Centre, to combat the threat from cyber attacks; the Cyber Threat Intelligence Center. It will begin with a staff of around 50 and a budget of $35 million. The idea has been circulating for a while, and the Sony Pictures hack in November was the final impetus needed to establish the central. Its announcement came last week (10th February), after the President alluded to it in the State of the Union when he said that the government would integrate intelligence to combat cyber threats "just as we have done to combat terrorism".
A report by the Government Accountability Office (GAO) was released on 12th February, highlighting a number of high-risk gaps in the way in which the Department for Homeland Security deals with cybersecurity, as well as the protection of personally identifiable information. Whilst there has been a lot of discussion recently regarding the Obama Administration's desire to improve cybersecurity and combat the threats, the GAO report found that it has "no overarching cybersecurity strategy that outlines performance measurements, specific roles of federal agencies, or accountability requirements".
The White House Cybersecurity Summit held at Stanford University on 13th February was an opportunity for Obama to follow up on his pre-State of the Union cybersecurity promises, and he used it to highlight the key principles that he believes are at the heart of reducing the threat and frequency of cyber attacks:
- the public and private sectors have to work together, given the prevalence of the private sector within the digital economy, coupled with the fact that it is the government who holds the most up to date cybersecurity data and threat alerts;
- the government should focus on their strengths in quickly and efficiently disseminating information on cyber threats, whilst industry need to take responsibility for safeguarding their own networks;
- speed and flexibility in reaching innovative solutions to combat threats are paramount, and all corners of business and government need to recognise this in order to meet the challenge presented by the technologically sophisticated people who pose these threats; and
- cybersecurity must not be at the expense of privacy and the civil liberties of the American people, with Obama stating that "when government and industry share information about cyber threats, we've got to do so in a way that safeguards your personal information… When people go online, we shouldn't have to forfeit the basic privacy we're entitled to as Americans".
An Executive Order entitled "Promoting private sector cybersecurity information sharing" followed the summit, and was signed by the President on 13th February. At the outset, the Order states its purpose:
"Organizations engaged in the sharing of information related to cybersecurity risks and incidents play an invaluable role in the collective cybersecurity of the United States. The purpose of this order is to encourage the voluntary formation of such organizations, to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis".
As well as the promotion of Information Sharing and Analysis Organizations (ISAOs) with voluntary data-sharing standards attached, the Order designates the National Cybersecurity and Communications Integration Center (NCCIC) as a critical infrastructure protection programme (giving it power to enter into voluntary agreements with ISAOs) and forces government agencies to coordinate their activities with senior government officials for privacy and civil liberties.
However, concern has been voiced from some in industry that the government should not be taking the lead on these issues, given "how uncertain the government really is about who does what in cyberspace" (Jeffrey Carr, president and CEO of Taia Global). Others remarked that matters that have been portrayed as issues of government espionage and a restriction on free speech, in particular the Snowden revelations were "a huge setback to the tune of several years" in relation to cybersecurity, given that the "balance between privacy and security ebbs and flows" (Dave DeWalt, CEO of security firm Mandiant).
In conclusion, it is clear that, despite the lack of discussion on the issue at the State of the Union, privacy and cybersecurity is on the Obama Administration's radar as an essential element of Western and democratic societies. The biggest change is yet to come, in the form of the revised Consumer Rights Bill, but the initiatives and action taken on privacy issues so far this year have played a valuable part in bringing this to the forefront of the American political agenda.