Communications - August 2009

Government Policy | DOI: 10.1145/1536616.1536626
Gregory Goth
u.s. unveils
cybersecurity Plan
‘Intent and timing’ may help the federal cyberspace
initiative work better than previous blueprints.

THe nAtionAl cyBeRsecURity ini- tiative announced by Presi- dent Barack Obama last May follows a decade of similar efforts by the two preceding administrations—and after a decade of hearing earnest governmental pronouncements about how vital cybersecurity is, skeptical observers might say little has been accomplished except to demonstrate the intricacies of bureaucratic battles in the creation of new government agencies.

However, crucial differences exist between the Obama administration’s cybersecurity efforts, marked by the release of its 60-day Cyberspace Policy Review ( http://www.whitehouse.gov/ assets/documents/Cyberspace_Pol-icy_Review_final.pdf), and those of Bill Clinton and George W. Bush, despite the many similarities, says James Lewis, senior fellow for technology and public policy at the Center for Strategic and International Studies, a Washington, D.C.-based think tank.

“The difference here is in intent and timing,” Lewis says. “This administration did this in their first few months in office, and it looks like the president has an interest in it. The Clinton administration’s Presidential Decision Directive 63 and the Bush administration’s Comprehensive National Cybersecurity Initiative were both done late in their second terms and didn’t really get any traction.”

PhotoGraPh by ManDel nGan / Getty IMaGes

Lewis and security experts Fred B. Schneider, professor of computer science at Cornell University, and Susan Landau, distinguished engineer at Sun Microsystems, say the Obama administration must work deftly if its cybersecurity plan will emerge with more credibility than its two predecessors. Among the vital elements they said the Obama administration’s report contained was recognition that the federal

President Barack obama speaking about the u.s. government’s Cyberspace Policy Review at the White house on may 29, 2009.

government must take an active role in operating cybersecurity policy and infrastructure; it must balance that active role with a concerted campaign to protect industry’s ability to innovate in the creation of new platforms and applications; it must preserve citizens’ confidence that cybersecurity policy will protect their civil liberties as well as the cyberinfrastructure; and it must forge workable partnerships with other nations, nongovernmental organizations, and technical standards bodies.

Landau says perhaps the report’s most important indicator of the new

The cybersecurity
czar must be
appointed at a high
enough level to
possess real clout.

administration’s cybersecurity strategy is a passage in the report’s executive summary in which the phrase “ national economic needs” precedes “national security requirements.”

However, the new emphasis adds more interested parties—the cybersecurity czar is expected to report to both the National Economic Council and the National Security Council— and that may dilute the office’s ability to craft real actions instead of fighting incompatible bureaucratic goals. One of the chief weaknesses of the Bush administration’s cybersecurity policy was its failure to ensure the cybersecurity boss was appointed at a high enough level to possess real clout—and, says Schneider, that could happen again.

“You have somebody who is no longer just talking to the president. In fact, whomever they appoint will be a servant of many masters,” he says.

Schneider says finding a way to bring the foundations of accountability prevalent in law enforcement into cyberspace “is a big step because cyberspace has had this value system that is about anonymity. But cyberspace, when it was constituted, was not constituted with anything of consequence being controlled or anything of value being accessed that way.”

“But there is a stupid way and a sensible way to make cyberspace accountable,” says Schneider, “and if you use too broad a brush when you bring accountability to cyberspace, you will blow it badly. And the people who are worried about privacy have a reasonable basis to be worried, because it’s easy to do it badly, which is why research needs to be done, and the process needs to be open and transparent.”