The Obama administration is eying a splashy cybersecurity announcement in its final budget proposal this week. As we await the details, the White House is trying to gin up appreciation for its cybersecurity efforts so far.
Critics such as Senate Armed Services Chairman John McCain, R-Ariz., say the administration has no cyberstrategy at all. So the White House last week posted a lengthy blog touting accomplishments across a wide range of domestic and international cybersecurity issues.
White House homeland security adviser Lisa Monaco highlighted initiatives and accomplishments in 2015 and committed to “maintaining this momentum and making even more progress through the remainder of this Administration.”
The White House is trying to make the case that its cyberpolicies provide a foundation that should endure well into the next administration.
Monaco pointed to passage of cyber info-sharing legislation in December and efforts to implement the law, which will consume a good portion of 2016. That law settles legal liability issues that long inhibited the info-sharing process.
The law also provided new tools to enhance the security of the government’s cyber networks, which will be a prime focus in 2016, according to Monaco.
She noted the 2015 executive order on new information sharing and analysis organizations, the subject of a private sector-run implementation process — and the creation of the Cyber Threat Intelligence Integration Center.
The ISAO effort continues this week with an event in San Antonio, amid some questions about the level of industry buy-in at this stage.
The cyberthreat center, meanwhile, has encountered resistance in Congress over staffing levels and the new entity’s relationship with the Department of Homeland Security. The center will help cyber officials “connect the dots” on attacks, according to Monaco, while lawmakers worry that it adds a layer of bureaucracy.
Some of those concerns may have been assuaged in January when the administration named a team of well-respected, senior intelligence officials to run the center.
Officials are also considering updates to the National Institute of Standards and Technology’s framework of cybersecurity standards, a policy document at the heart of government-industry collaboration on cybersecurity. Monaco promised even deeper “collaboration with key critical infrastructure sectors” through the framework process.
Internationally, Monaco hailed the 2015 cybersecurity agreement with China and separate advances on “peacetime norms” for cyber behavior. In both cases, Monaco promised close scrutiny of implementation and a “trust but verify” sensibility.
“However,” Monaco wrote, “even as we promote international cooperation, we must also hold accountable those who carry out malicious activity in cyberspace. Our cyber deterrence policy focuses on the development of improved defenses, more resilient architectures, and a range of options cyber and non-cyber to inflict costs and to hold accountable adversaries that choose to conduct cyber attacks or other malicious activity against U.S. interests.”
McCain has been especially critical of the administration’s approach to deterrence, calling it essentially nonexistent.
Monaco highlighted actions against North Korea, a “cybersecurity strategy” from the Pentagon, and an executive order on sanctions.
She said more work is needed to guard against cyberattacks “causing physical destruction,” and pledged to “refine our policies and procedures to further strengthen our unity of effort response, whether it is helping a Federal agency or a private company.”
The blog could be seen as a checklist offered in defense of the administration’s efforts.
But considering this White House’s frequent use of surprise in the cyberpolicy space, perhaps it’s best viewed as a background document in anticipation of another big pronouncement this week.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
