He is right and the proof most recently was in February of 2016, with the posted Executive Orders.
WASHINGTON — Through two executive orders signed Tuesday, President Obama put in place a structure to fortify the government’s defenses against cyber attacks and protect the personal information the government keeps about its citizens.
The orders came the same day as Obama sent to Congress a proposed 2017 budget that includes $19 billion for information technology upgrades and other cyber initiatives.
In September of 2015, Obama held a meeting on cyber with China’s Xi. Perhaps there was no formal sanction or punishment of China due in part to the U.S. debt they hold. Obama also held meetings with key Congressional leaders in 2015 on the issue of cyber. Going back to 2013, Obama held sessions with corporate CEOs to discuss efforts to improve cybersecurity amid growing concerns within the administration over attacks from China targeting American businesses.
The president will discuss efforts to address the cyber threat facing the country and get the executives’ feedback on how the government and private sector can forge a relationship to improve cybersecurity in the United States, according to The White House. The meeting will be held in the Situation Room and attendees include AT&T CEO Randall Stephenson and Northrop Grumman CEO Wesley Bush.
Not until February of 2016 did Obama launch the Cybersecurity National Action Plan, which was headed by Tom Donilon, his National Security Advisor, and Sam Palmisano, former CEO of IBM. There was no traction and, given the recent cyber intrusions, there is likely a LOT of ‘ooops’ coming from the White House, and there should be. No corporation, bank, government agency or other private entity ever wants to publicly announce that it has been hacked or disclose its vulnerability, as it only invites more cyber chaos, but the United States, including top government agencies, the White House and the State Department, has been a victim of both Russian and Chinese cyber attacks of various forms.
***
Sen. Ted Cruz says he hopes the incoming Trump administration is tougher on dealing with cyberattacks than the “weakness” he saw from President Obama on hacking by Russia and other foreign adversaries.
“One of the reasons these cyberattacks are so prevalent is that Barack Obama and his administration have rolled over for eight years,” Cruz said Thursday on “The Mike Gallagher Show.”
“They have shown nothing but weakness and appeasement in the face of those attacks. This is something I hope and believe will change with the new administration,” he said.
Cruz insisted neither Russian hacking nor WikiLeaks revelations last year about the Democratic Party significantly influenced Donald Trump’s victory in the presidential election.
“I think that there’s no evidence whatsoever that Russia’s efforts against us, which have been longstanding, did anything to affect the campaign,” said Cruz, who competed against Trump in last year’s GOP primaries.
“It’s, frankly, patently absurd,” Cruz added of claims Russia or WikiLeaks helped Trump win. “You can’t credibly argue that [WikiLeaks’] disclosures impacted the election because most voters never heard it.” More here from TheHill.
****
‘From Awareness to Action: A Cybersecurity Agenda for the 45th President’
A task force co-chaired by two U.S. lawmakers and a former federal CIO is issuing a 34-page report recommending a cybersecurity agenda for the incoming Trump administration. The report recommends the new administration jettison outdated ways the federal government tackles cybersecurity, noting: “Once-powerful ideas have been transformed into clichés.”
The report from the CSIS Cyber Policy Task Force – From Awareness to Action: A Cybersecurity Agenda for the 45th President – will be formally unveiled on Jan. 5. It comes from the think tank Center for Strategic and International Studies, which sponsored the Commission on Cybersecurity for the 44th Presidency that made recommendations to then-President-elect Barack Obama in 2008.
“In the eight years since that report was published, there has been much activity, but despite an exponential increase in attention to cybersecurity, we are still at risk and there is much for the next administration to do,” the new report’s introduction states.
Cybersecurity Goals for Trump Administration
The task force outlined five major issues President-elect Donald Trump and his administration should address, including:
- Deciding on a new international strategy to account for a very different and dangerous global security environment.
- Making a greater effort to reduce and control cybercrime.
- Accelerating efforts to secure critical infrastructures and services and improving cyber hygiene across economic sectors. As part of this, the Trump administration must develop a new approach to securing government agencies and services and improve authentication of identity.
- Identifying where federal involvement in resource issues, such as research or workforce development, is necessary, and where such efforts are best left to the private sector.
- Considering how to organize the U.S. effort to defend cyberspace. Clarifying the role of the Department of Homeland Security is crucial, and the new administration must either strengthen DHS or create a new cybersecurity agency.
Ditching Outmoded Security Practices
Task force members recommend the new administration should get rid of outdated ways the federal government tackles cybersecurity. The report notes: “Statements about strengthening public-private partnerships, information sharing or innovation lead to policy dead ends. … Once-powerful ideas have been transformed into clichés. Others have become excuses for inaction.”
As an example, the task force cites the National Strategy for Trusted Identities in Cyberspace, a government initiative unveiled in 2011, which envisioned a cyber-ecosystem that promotes trust and security while performing sensitive transactions online. The task force contends NSTIC “achieved little,” asserting that such initiatives fail because they aren’t attuned to market forces. “There are few takers for a product or service for which there is no demand or for which there are commercial alternatives.”
The task force makes recommendations on dozens of policies and technologies.
On encryption, for instance, it suggests that the president develop a policy that supports the use of strong encryption for privacy and security while specifying the conditions and processes under which assistance from the private sector for lawful access to data can be required. It also states that the president should direct the National Institute of Standards and Technology to work with encryption experts, technology providers and internet service providers to develop standards and ways to protect applications and data in the cloud and provide secure methods for data resiliency and recovery.
“Ultimately,” the report says, “encryption policy requires a political decision on risk. Untrammeled use of encryption increases the risk from crime and terrorism, but societies may find this risk acceptable given the difficulty of imposing restrictions. No one in our groups believed that risk currently justifies restrictions.”
Battling Cybercrime
In battling cybercrime, the task force sees “active defense,” a term it says has become associated with vigilantism, hack back and cyber privateers, as only a stopgap measure to address the private sector’s frustration over the apparent impunity of trans-border criminals. The Trump administration should seek ways to help companies move beyond their traditional perimeter defenses and focus on identifying federal actions that could disrupt cybercriminals’ business model or expand the work of federal agencies and service providers against botnets, according to the report.
To make cybercrime less profitable, the task force recommends the new administration identify actions that would impede the monetization of stolen data and credentials. Other recommendations include accelerating the move to multifactor authentication and identifying better ways to counter and disrupt botnets, a growing risk as more devices become connected to the internet. The task force says this could be done by expanding the ability to obtain civil injunctions for use against botnets and raising the penalties for using botnets against critical infrastructure.
The role of the military to protect civilian critical infrastructure turned out to be among the most contentious issues the group debated. A few task force members said that the Defense Department should play an expanded and perhaps leading role in critical infrastructure protection, according to the report. Most members, though, believed that this mission must be assigned to a civilian agency, not to DoD or a law enforcement agency such as the FBI.
“While recognizing that the National Security Agency, an element of DoD, has unrivaled skills, we believe that the best approach is to strengthen DHS, not to make it a ‘mini-NSA,’ and to focus its mission on mitigation of threats and attacks, not on retaliation, intelligence collection or law enforcement,” the report states.
Organizing Government Cybersecurity
DHS is the focal point in cybersecurity protection among civilian agencies as well as civilian-led critical infrastructure. The task force recommends that an independent agency be established within DHS focused exclusively on cybersecurity.
The task force says Trump should quickly name a new cybersecurity coordinator and elevate the White House position two notches to assistant to the president from special assistant to the president. Also, the group says Trump should back away from his pledge to conduct a cybersecurity review, as was done at the beginning of the Obama administration.
The task force co-chairs are:
- Rep. Michael McCaul, R-Texas, chairman of the House Homeland Security Committee and co-founder of the Congressional Cybersecurity Caucus;
- Sen. Sheldon Whitehouse, D-R.I., sponsor of legislation to require federal law enforcement and national security agencies to account for cyberattacks;
- Karen Evans, a cybersecurity adviser to the Trump transition team who’s national director of the U.S. Cyber Challenge and formerly served as White House administrator for e-government and information technology, a position now known as U.S. CIO; and
- Sameer Bhalotra, co-founder and CEO of the cybersecurity startup Stackrox and a senior associate at CSIS.
CSIS Senior Vice President James Lewis, the think tank’s cybersecurity expert, served as the task force project director.
How bad is it?
USAToday:
Exhibit A: The Social Security Administration system still runs on a platform written in the 1960s in the COBOL programming language, and takes 400 people just to maintain, Obama said.
“If we’re going to really secure those in a serious way, then we need to upgrade them,” Obama told reporters Tuesday after meeting with advisers on the issue. “And that is something that we should all be able to agree on. This is not an ideological issue. It doesn’t matter whether there’s a Democratic President or a Republican President. If you’ve got broken, old systems — computers, mainframes, software that doesn’t work anymore — then you can keep on putting a bunch of patches on it, but it’s not going to make it safe.”
To implement those upgrades, Obama created two new entities Tuesday: The first, a Commission on Enhancing National Cybersecurity, will be made up of business, technology, national security and law enforcement leaders who will make recommendations to strengthen online security in the public and private sectors. It will deliver a report to the president by Dec. 1.
The second, a Federal Privacy Council, will bring together chief privacy officers from 25 federal agencies to coordinate efforts to protect the vast amounts of data the federal government collects and maintains about taxpayers and citizens.
Obama’s cybersecurity adviser, Michael Daniel, said the structure allows the administration to move forward even without additional authority from Congress by “driving our executive authority to the limit.”
The administration’s plan will look at cybersecurity both inside and outside the government. There will be more training and shared resources among government agencies, 48 dedicated teams to respond to attacks, and student loan forgiveness to help recruit top technical talent.
But the plan will also promote better security practices throughout the economy by encouraging multi-factor authentication, which uses additional information in addition to a password. The government is also looking to reduce its use of Social Security numbers as the unique identifier for all Americans.
Across the government, the Obama administration wants to spend $19 billion on cybersecurity in 2017, a 35% increase over 2016. But the plan does not rely on an increase in funding. “We can do quite a bit of it even without the additional resources,” Daniel said.
The White House said it also plans to create the new position of Chief Information Security Officer to coordinate modernization efforts across the government, including a $3.1 billion Information Technology Modernization Fund. “That’s a key role that many private-sector companies have long implemented, and it’s a good practice for the federal government,” said Tony Scott, the U.S. Chief Information Officer.
The president is expected to meet with national security advisers Tuesday morning to launch the new effort.