The Heritage Foundation
Cyber attacks threaten our way of life. And they're not a new threat. Our sensitive personal data, in the hands of the government, has been at high risk for years now.
The private sector has long been focused on cybersecurity, yet the federal government has not given the issue the attention it deserves. In February, more than seven years into his presidency, Barack Obama finally rolled out a $3 billion cybersecurity plan, explaining the details in a Wall Street Journal op-ed.
While I commend the president for putting forth a plan, especially after not even mentioning cybersecurity once during his final State of the Union address, the plan is inadequate and flawed.
Never miss a local story.
It's all well and good to talk about protecting U.S. innovation and giving every American a level of online security. But the president fails to suggest even a single solution that would impact everyday citizens or industry. Instead, he focuses on overhauling government computers and software. While promoting innovation is laudatory, it is hard to see how we gain personal online security from the billions the government spends on itself.
To validate his plan, the president points to his administration's record of boosting cybersecurity in government. But considering the fact that multiple government agencies, as well as the Justice and Homeland Security departments, have faced significant cyber attacks, this is an odd claim to make.
The most egregious breach took place less than a year ago when the Office of Personnel Management suffered a huge data breach that continues to impact tens of millions of federal workers and contractors, including those with access to America's most sensitive secrets. No one was fired over the incident. Is that accountability? In late February, the office's chief information officer resigned just two days before having to testify before Congress.
The administration's failed record in cybersecurity extends beyond the breaches on government systems. In a recent score card released by the House Oversight and Government Reform Committee, the majority of federal agencies received subpar, if not failing, grades on their cybersecurity posture.
Among the worst was the Department of Energy, which charged with protecting our nation's nuclear technology. Given that the Obama administration had seven years to meet its cybersecurity obligations, why should the American people believe anything will change with a new initiative?
Let's unpack the president's proposal to create incentives to attract cyber professionals to this initiative. He would offer them a variety of perks in exchange for joining the government. While this proposal rightly addresses the need to recruit great talent, does the administration really think the ability to wear jeans is going to sway the best and brightest away from the pay in Silicon Valley?
And even if the government was to recruit some of this talent, the workers' success would still be at the mercy of ineffective bureaucratic processes that often stymie innovation. Try as they might to overhaul government tech systems, if this top talent is not given the authority to employ agile processes, frustration will take over and they will soon leave.
The president's plan calls for a more robust public-private partnership. This isn't a new idea. What is there to show for his previous statements on this issue? The president highlights progress by companies such as Google and Facebook as proof that the administration's industry efforts are working. But let's be honest. The fact that leading U.S. technology companies are employing better security protocols is hardly something that can be attributed to the president. The administration's touting of the National Institute of Standards and Technology cybersecurity framework as an adequate tool to gauge cyber threats is weak. The NIST cannot adequately measure private sector cybersecurity. Compliance, after all, is voluntary.
How odd that the president didn't even mention Apple among the other leading technology firms when it comes to cybersecurity. Apple, America's (and the world's) largest and move valuable technology firm, has led the industry in securing its products, a claim of the others listed can't stand by. But of course the president can't mention Apple as a shining example of American cybersecurity because his administration is entrenched in a political battle with the company over encryption.
The battle is one that threatens to erode the very personal security that the president claims to be strengthening through his initiative. The administration is attempting to veil their attacks on Apple under the guise of national security, using the recent tragedy in San Bernardino as justification for a back door to Apple's technology. The truth is that the administration had been campaigning for this long before the attack, and is now using the San Bernardino attacks to bring pressure on Apple. How sad that when it comes to the cybersecurity of the American people, politics trumps principles.
I agree with the president as to the need for a national cybersecurity plan. Unfortunately, the evidence points to years of cybersecurity complacency and outright incompetence. The poor-to-failing cybersecurity grades across all federal agencies illustrates that this administration does not have a "record of boosting cybersecurity." Why should be we confident that this administration will follow through?
David R. Shedd, a former acting director of the Defense Intelligence Agency, is a visiting distinguished fellow in The Heritage Foundation's Davis Institute for National Security and Foreign Policy. Readers may send him mail at 214 Massachusetts Avenue NE, Washington, D.C. 20002.