The Obama White House has formally opened its transition office, which prepares a series of policy books for the next president that will include presentations on the cybersecurity issues and decisions expected to confront the new administration in 2017.
This will be the second time that cybersecurity features prominently in the transition materials that are put together for each presidential candidate’s national security transition team.
In 2008, Melissa Hathaway, the director of the first-ever interagency task force on cybersecurity under President George W. Bush, was assigned to the White House transition group developing policy books for either Barack Obama or Republican nominee John McCain.
She created a catalog of what the Bush administration had done on cyber, and worked to ensure that cybersecurity was listed as one of the top three priorities in the separate transition books on policy issues facing the Department of Defense, Department of Homeland Security and the FBI.
Hathaway stayed on with the Obama administration for several months after the transition, and wrote an influential 60-day review that strongly influenced cyberpolicy for years to come.
This time around, cybersecurity is no longer the obscure policy issue that it was eight years ago.
And the Obama administration is working feverishly to ensure that as many policy pieces as possible are in place before the current team walks out the door.
In essence, this administration seems to be trying to make sure that its successor will continue implementation of a panoply of Obama cyberinitiatives, rather than being faced with a long list of policy decisions in its early days.
For instance, the White House in late July released Presidential Policy Directive 41, which “sets forth principles governing the Federal Government’s response to any cyberincident.”
The nine-page document details the mechanics of how federal officials would react in the event of a cyberattack on a private entity, and also establishes philosophical points on the prerogatives and lines of responsibility between the government and the private sector.
The policy directive clarifies that the private-sector owners of critical infrastructure such as power plants will make the decision on whether the public should be notified of an attack.
That kind of deference to industry is much appreciated in the private sector — and could be politically difficult to reverse by a new administration.
The White House has also created a blue-ribbon Commission on Enhancing National Cybersecurity that will produce recommendations for the next president.
That panel includes former National Security Adviser Thomas Donilon and industry heavyweights such as ex-IBM CEO Samuel Palmisano.
The commission was empowered by a lame-duck president, but the cyberpolicy credentials of its members suggests the final product won’t simply become shelfware.
Democratic nominee Hillary Clinton earlier this year called cybersecurity “one of the most important challenges the next president is going to face,” and has indicated she would largely follow the policy path set out by Obama.
Republican nominee Donald Trump has said little about cybersecurity policy, though he has called out China on the issue and indicated an interest in the capabilities of Cyber Command.
Trump adviser Sam Clovis, in a brief conversation last week, said the campaign would soon produce policy papers on cyber and other issues.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.
