Presidential inaugurations not only mark the beginning of a new administration, but also the end of one too. As many remain uncertain about the policies of the new Trump Administration, it is important to also take a look back at the progress made by the Obama Administration. Coinciding with the most critical period of the Internet’s growth, the Obama Administration essentially built the foundations of federal cybersecurity efforts moving forward. The Cipher Brief spoke with Davis Hake, former Director for Federal IT Security at the National Security Council and an Adjunct Fellow at the Center for Strategic and International Studies, to discuss the Obama Administration's efforts in securing the nation’s cyberspace and the role the Internet plays in forming strategic narratives.
The Cipher Brief: What are the major areas that shaped President Obama’s approach to cybersecurity?
Davis Hake: The administration was able to achieve several major accomplishments during their tenure, including the formation of a central White House office in the National Security Council that focused on coordinating cybersecurity policies, planning, and operations across the intelligence, law enforcement, and homeland security arenas. It really helped determine the individual roles and responsibilities of the each of the federal agencies to get a strong idea about how they should work together on cybersecurity efforts.
The second area of progress on was information-sharing with the private sector. Cybersecurity grew up in the cryptology space, and so it has traditionally been in the national security and law enforcement realm. But a key piece that had been missing in policy was that as our critical infrastructure becomes more networked, there is a strong need to help the private sector better defend it. Because of that strong public-private connection, this role had to be a public-facing, non-law enforcement, non-national security entity. DHS was charged with stepping into this role. Traditionally, sharing information with the government has caused uncertainty about liability and what the government does with the data. Getting information-sharing legislation passed in 2015 clearly laid out that companies can share information with government—and that the government can share information back.
The third area was coordination between federal agencies. DHS has the central authority and mission for better securing federal agencies, but the problem is that all of those agencies have independent authorities and budgetary controls that go back to congressional committees—which is great for the individual agencies, but really difficult when trying to coordinate security policies and implement programs across the entire federal government. These agencies do not often see cybersecurity as part of their mission, rather, they see their mission as what they are statutorily mandated to do. But—as companies are learning— today most parts of their mission have a digital component to it involving security.
TCB: How has the Obama Administration fared in creating a deterrence policy in cyberspace?
DH: The idea of using cyber tools as a deterrent factor is tricky. It is better to take a broader, more policy-focused approach, rather than just focusing on a technical cyber response. When looking at a cyber incident and norms for responding, there are a lot of different tools to help correct and shape those norms. There are discussions going on about what are appropriate actions in cyberspace, and one of the core concerns is that of critical infrastructure, such as power plants and dams. Civilian infrastructure should be considered off-limits as a target.
Our democratic system should also be considered a piece of our core critical infrastructure. While there does not appear to have been any direct tampering with voting tallies and voting machines in the last election, the intelligence community has assessed that there was a very direct effort to use cyber capabilities to influence this piece of very critical infrastructure—our election—by Russia.
On the other end, the Russian hacking incident is a wake-up call to realize there is an ability to magnify the effects of cyber information operations. We have been telling critical infrastructure operators and owners for years that the government can provide information and best practices and recommendations, but at the end of the day, it is the owner’s and operator’s responsibilities to actually secure their power plants or facilities, as most pieces of critical infrastructure are privately owned. In the same way, we have a voting public that has a responsibility to be savvy when consuming digital media.
TCB: How do you feel the Obama Administration handled the Snowden revelations?
DH: One of the key things to come out of the Snowden revelations was that no systems should be built that in the wrong hands would allow for a circumvention of our core constitutional principles. The tools built up around the hard-working men and women of the U.S. national security community are the parameters that they work under. We need to continue to have a public debate about our expectations of privacy, but also the capabilities and the level of access that our government has in its tool belt.
Internationally, news headlines that countries spy is nothing new—it is understood that every country engages in espionage. However, it is important for the strategic messaging about the United States that the real story about what the country stands for comes through. That did not happen with the way that the Snowden exposures were revealed.
We have a very powerful and capable intelligence apparatus, but it is also bound by a very powerful Constitution under a government designed to have checks and balances. Congress conducts diligent reviews and really cares about getting this issue right. Going forward, we have to ensure that there continues to be strong oversight, and understand that we don’t build systems that could potentially threaten our democracy, regardless of whose hands they are in.
TCB: How has the Obama Administration approached strategic messaging on social media, particularly with ISIS recruitment messaging and foreign influence operations?
DH: There is much more that can be done, and a lot more understanding needed on how adversaries to American ideals are using the Internet, and also how to combat those techniques. This is not an easy task because, on the one hand, we have a very strong commitment to not wanting to turn these spaces into a war zone, but on the other hand, adversaries are using some of these channels—effectively in many cases—to recruit, organize, and influence.
The national security community understands the threats, but has to really get savvy about how to counter them. A direct or clumsy response comes off as totally prepackaged, engineered, and illegitimate—especially when countering extremism and recruitment. We need to focus on using legitimate voices in communities, finding at-risk youth, and bring them back into the fold so that they are not isolated. The way recruitment works is through isolating individuals, indoctrinating them with disinformation, and then convincing them to break from their community.
TCB: How has the Obama Administration sought to address insider threats?
DH: Humans are always the weak link in the chain of cybersecurity. The issue of a malicious insider threat is one of the most difficult to tackle, and has really been a key focus of a lot of Administration efforts over the past several years. They have better shored up internal national security systems by understanding what is happening inside those networks and controlling access. Contractors and others that are outside or attached tangentially can still be a huge risk, and it is not something that technology alone can solve, but rather something better mitigated through training and reviewing security practices.
TCB: How would you summarize President Obama’s legacy in cyberspace?
DH: The Obama Administration lived through a core time where the Internet became more and more a part of our daily lives, and they laid strong foundations for building the policies of the future. It is going to be incumbent on the next administration not to take a partisan view of cybersecurity, but to keep the issue bipartisan as has been done over the past two administrations, and really look to the experts for recommendations that should be taken seriously. There are a lot of lessons that were learned through major incidents of the past eight years, and building on the effort to coordinate agency policy while understanding the roles and responsibilities between law enforcement, military, and civilians leads will be critical for the next administration’s cybersecurity efforts.
