If President Barack Obama's second term were a movie sequel, I'd call it "Unfinished Business." Because now it's time for the newly re-elected president to step up and see through the cybersecurity initiatives he spoke about when he first took office.
Remember the 10-point cybersecurity plan Obama unveiled in May 2009, aimed at securing the nation's critical IT infrastructure?
That was three-plus years ago. Some elements of that plan have been fulfilled, starting with No. 1. Obama, indeed, appointed a high-profile national cybersecurity coordinator, Howard Schmidt, who served 2.5 years before stepping down and being replaced by Michael Daniel.
And as my colleague Eric Chabrow pointed out the other day in his analysis, Cybersecurity: Obama vs. Romney, there is much the Obama administration has done in its first term:
- Establishing a joint Defense-Homeland Security approach to cyberdefense;
- Announcing an international cybersecurity initiative;
- Unveiling the National Strategy for Trusted Identities in Cyberspace.
But there are some key cybersecurity goals that have not been met. Chief among them is the item that was No. 2 on Obama's original 10-point plan: Sign off on an updated national strategy to secure the information and communications infrastructure.
We can all agree that securing the critical infrastructure is essential. And we all recognize that 80 percent of the nation's critical infrastructure is controlled by the private sector. The unresolved question: To what degree should the federal government step in to regulate private industry in the name of securing critical infrastructure? Obama favors more regulation; his Republican opponents in Congress favor less.
On this critical issue, the first Obama term ended in a stalemate. Congress failed to pass the Cybersecurity Act of 2012, which included provisions to establish IT security best practices that could be voluntarily implemented by industry. And Obama hasn't come through on his subsequent threat of an executive order that would create a process to develop these best practices with private industry stakeholders.
So ... what now?
While politicians have blustered, the threat landscape has changed dramatically. Among the escalated threats we've seen in Obama's first term:
- Sophisticated account takeover schemes that have targeted the nation's small and midsized businesses and financial institutions;
- Nation state-sponsored cyber-attacks, as described most recently by U.S. Defense Secretary Leon Panetta;
- And, of course, over the past two months we've seen the distributed denial of service attacks on U.S. banks.
Obama's second term must see a concerted bipartisan effort to address these threats. We're no longer talking about a critical infrastructure at risk; it's under attack.
Which brings me back to "unfinished business." With re-election behind him, Obama now has the opportunity to think about his legacy. He has every chance to become our first true "cybersecurity president." But that will happen only if he can bridge gaps - not just between parties, but between public and private sectors - and oversee enactment of legislation and defensive measures that truly address our vulnerabilities.
A cybersecurity plan is no longer sufficient. Now it's time for action.