Today, the Obama administration announced the Cybersecurity National Action Plan. Already turned into an acronym in Washington, DC, CNAP is not so much a bold new direction as a tidying up of loose ends to set the stage for the next administration.
Critics are already lambasting the plan as “nothing new.” Yet given the political calendar, it would be hard for the president to set an entirely new course. And given the reality of the cybersecurity challenge, it would also not be warranted.
The Obama administration has focused its efforts to date on preserving and extending an “open, interoperable, secure, and reliable” Internet. Its cybersecurity policies (at least after the failed 2011 regulatory attempt) have been about avoiding cures for cyber threats that are worse than the disease. In other words, don’t launch a Manhattan Project to reinvent the Internet so that it is inherently secure and therefore easily controlled; do try to increase adoption of two-factor authentication.
Cybersecurity is an area in which many have demanded bold new approaches but few have been able to articulate what those would be. Witness Jeb Bush’s cyber plan, which basically (and wisely) calls for a continuation of the Obama administration’s policies while taking swipes at Hillary Clinton’s email server. Similarly, Ben Carson’s plan called for creating a series of programs that already exist and creating a new agency that looks a lot like the Department of Homeland Security.
From this perspective, the CNAP isn’t so much about setting a new direction as it is about implementation. It takes long-overdue actions like appointing a single official to be in charge of federal agency cybersecurity in a new Chief Information Security Officer. It creates a privacy council to resolve the many privacy challenges associated with implementing cybersecurity. And it calls for modernizing insecure and unsecurable legacy IT systems.
The plan also not-so-subtly puts the onus on Congress to put its money where its mouth is. For two successive years, Congress has managed to pass new laws that clarified mandates and set the stage for the federal government to act. Now the president is asking for the funds to put those authorities to use. If President Obama succeeds in getting Congress to boost the cyber budget by 35 percent, those funds will mostly be spent by whoever wins the election in November.
For close watchers of cybersecurity policy, the timing and approach are very similar to what the Bush administration did in its last year with the then-classified Comprehensive National Cyber Initiative (CNCI). That program put billions of dollars into cybersecurity, beginning many of the programs that came to fruition in the Obama administration. Michael Daniel, the President’s cybersecurity advisor and the reported force behind the CNAP, is a former Office of Management and Budget official who worked on that program.
When the Center for Strategic and International Security assembled a group of experts in 2008 to make recommendations to the next president on cybersecurity, their number one piece of advice was simple: “Do not start over.” Instead, build off of CNCI, making adjustments and changes where necessary. It was sage advice. Whatever progress President Obama and his team can make in the next year should be the foundation for the next administration. If the next president gets to declare victory on the cybersecurity challenge, it won’t be because he or she charted a bold new course, but because previous administrations laid the groundwork for success.