President Obama is calling on President-elect Trump to prevent foreign cyber-meddling in future U.S. elections. But Obama himself already has had the power to preempt cyberattacks — a power he has used poorly and insufficiently, according to experts and Obama’s opponents.
During his eight years in office, Obama was often reluctant to strongly respond to severe cybersecurity breaches by foreign governments and even worked to delay congressional action on the issue for years, according to cybersecurity experts and lawmakers who worked on the issue.
The president only once levied sanctions on a foreign country for hacking incidents: against North Korea after a devastating breach of Sony Pictures Entertainment in late 2014.
Signaling a stronger stance on cybersecurity five months later, Obama issued an executive order giving him the authority to issue sanctions against individuals and state actors engaging in “significant malicious cyber-enabled activities.”
But the president has yet to use the new weapon in his cybersecurity arsenal against China, Iran or Russia or any others blamed for numerous cyberattacks against both public and private U.S. information systems.
“The president himself could be doing what he is asking President-elect Trump to do – he could be designating more people in the Russian security establishment who U.S. intelligence agencies have identified as being involved,” Boris Zilberman, a Russia expert at the Foundation for Defense of Democracy who has tracked the country’s cyber attacks on the U.S., told the Washington Examiner. “The ball is actually in his court — he could designate more people, and that would send a strong signal.”
One of the most egregious hacking incidents by a foreign government took more than a year for the Obama administration to publicly acknowledge. Months and months went by before the U.S. government admitted in mid-2015 that the personal data of more than 20 million U.S. citizens had been stolen in a massive cybersecurity breach of the Office of Personnel Management.
Several more months passed before the president or his top officials named China as the culprit, even though outside sources said Beijing was clearly responsible all along.
The administration at one point decided that the OPM theft was so severe that it must retaliate against China, but vacillated heavily in its response in order to ensure that U.S. private industry operating in China didn’t suffer as a result. As a result, it never sent a clear message that the U.S. would not tolerate the cyber-espionage.
Tepid public administration responses against China’s rampant industrial espionage in recent years also never produced the deterrence Obama sought. The topic was center stage when Obama and Chinese president Xi Jinping met for their “shirtsleeves summit” in California in June 2013, and the two leaders created a working group on cybersecurity issues.
But the group was so ineffective that Obama, after nearly a year, decided to circumvent the group and simply issue indictments against five People’s Liberation Army members for alleged commercial spying. Those indictments were largely symbolic, since Beijing never agreed to hand over the accused hackers for trial in U.S. courts.
Some Obama supporters say the president talked tough publicly about commercial cyber-espionage but carefully developed a behind-the-scenes dialogue with China and other countries to try to prevent more hacking incidents.
But others say Obama, as well as his White House predecessors, were slow to respond to the cybersecurity threat.
“We didn’t make it a priority and we should have years ago,” Rep. “Dutch” Ruppersberger, D-Md., who spent more than a decade on the House Intelligence Committee, told the Examiner.
“I started working on cyber-threats in 2004 … I went to my leadership and tried to get more funding for cybersecurity. As we see now, it took us longer than it should have … if we had maybe worked more closely together and acted quicker, maybe we would have been further ahead by now,” he said.
Gail-J Ah, the director of the Center for Cybersecurity and Digital Forensics at Arizona State University, grading Obama administration for its record on protecting the nation against cyber-threats on a pass/fail basis, said the administration barely passed.
“I think in this current situation, it’s barely passing the bar,” he said, acknowledging Obama’s activity on the issue but arguing that there is still a long way to go to protect the U.S. private sector and prevent episodes like the Russian hacking.
The Russian hacking incident, he said, puts cybersecurity “under the national spotlight” so people feel the impact of it and understand how devastating this type of cyber warfare can be.
During his 2008 presidential campaign, Obama promised to develop a cybersecurity strategy for the country. A senior administration official sent the Examiner a list of 18 executive orders, administration policies and laws that Obama enacted during his time in office to address the threat.
The list includes establishing the Cyber Threat Intelligence Integration Center, which coordinates cybersecurity across the intelligence community, codifying how the federal government responds to cyber attacks, and signing the Federal Information Technology Acquisition Reform Act, which requires federal agencies to update their computer systems to help protect against attacks.
Earlier this year, Obama also released a comprehensive Cybersecurity National Action Plan, which creates a new commission to mull ways to bridge the private-sector-government divide over information sharing and proposes more than $22 billion in spending on government cyber-security actions.
Despite the flurry of activity on the issues, critics argue that the way the U.S. has been responding to cyberattacks during Obama’s presidency isn’t working.
“America has been in a cyber war for at least eight years, and we’re not winning,” former Rep. Mike Rogers, R-Mich., a former FBI agent who previously chaired the House Intelligence Committee, said Sunday on CNN. “I think this is a really strong opportunity for America to finally understand.”
“Listen, lots of nation states, Iran has been after us for eight years. The Russians have certainly been after us for eight years,” Rogers continued. “For the president to make a phone call [to Russia] and say, “Well, cut that out,’ tells you how far we are behind in solid peace-through strength diplomacy.”
Rogers, before leaving the House in 2014, spent four years with Ruppersberger, trying to pass a first-step cybersecurity bill focused on allowing the U.S. government and private companies to share information about data breaches and other attacks.
Before the OPM attack, which put the dire need for cybersecurity measures in stark relief, Obama had opposed the legislation and threatened to veto it at a critical moment in 2014 after it had passed the House with bipartisan support and the Senate was weighing whether to support it.
Obama, at the time, viewed the bill skeptically as an intrusion into his own executive authority as commander in chief and shared privacy concerns with civil liberties groups over government’s ability to gain access to individual citizens’ personal information.
But after the OPM attack, the White House turned around and blamed Congress for inaction on the issue. White House Press Secretary Josh Earnest said in June of 2015 that Congress should “come out of the Dark Ages and actually join us here in the 21st century to make sure that we have the kinds of defenses that are necessary to protect a modern computer system” and accused Congress of not doing a “single thing” to try to get the measure passed.
The accusation was too much for Rogers, who hit back, calling the Obama turn-about “shameful,” “disingenuous.”
“It’s maddening to think about how much cyber information has been stolen since then,” he told the Examiner at the time. “When there was a time for leadership, it would have been last year. And by the way, the bill passed in a bipartisan fashion.”
