Dear President Trump:
In my eight terms in Congress, I have seen cybersecurity explode onto the national stage as an issue of paramount importance to our national security. As you begin to craft your legacy in this emerging domain, I encourage you to use the successes and failures of your predecessor to guide your efforts.
From my perspective, three characteristics defined President Obama’s approach to cybersecurity across the first six years of his administration: It was centrist, decentralized and incremental.
First, Obama pursued a centrist approach on matters of cybersecurity, manifested through the use of multistakeholder processes to set policy. In this model, the government acts as a convener of interested parties to help develop guidance, best practices or other voluntary policies.
A prime example is the National Institute of Standards and Technology (NIST) Cybersecurity Framework for critical infrastructure, also known simply as the Framework. Following the issuance of Executive Order 13636 in 2013, NIST spent a year holding meetings with stakeholders to discuss ways to think about cybersecurity risk management. NIST consolidated the feedback, incorporated other practices from existing standards, and synthesized the Framework, which provides broad strategies for identifying, understanding and mitigating cybersecurity risk.
As this example also shows, the Obama administration’s approach was largely decentralized: It was up to individual departments and agencies to develop cybersecurity policy. While Executive Order 13636 did call upon NIST to publish a voluntary framework, it sketched out only the broadest of strategic guidance on how it was to be developed. Similarly, although Obama did make his cybersecurity adviser a special assistant to the president, he remained just that: an adviser, lacking independent policy or budgetary authority.
The Obama doctrine prior to the Office of Personnel Management (OPM) data breach also emphasized incremental change and capacity expansion. This is clear from the nature of the Framework, which has led to gradual adoption. On the capacity-building side, U.S. Cyber Command is set to become its own full-fledged unit after eight years of development, and the National Protection and Programs Directorate has matured to the point that it is ready to become an operational arm of the Department of Homeland Security (DHS). All of these are important changes, but they are largely the result of gradual evolution.
I supported Obama’s efforts throughout his first six years, even if I was frustrated by the pace. In the last two years, however, his administration’s approach began to shift. Part of this can be seen in the priority placed on cybersecurity issues. Chinese economic espionage was a perennial point of contention between our nations; only after the OPM hack was it placed at the top of the agenda. The 2015 Obama–Xi summit resulted in an agreement by the Chinese on certain fundamental norms in cyberspace, and I consider it one of Obama’s biggest achievements in this sphere.
But the core tenets of the doctrine itself also began to shift. Capabilities developed throughout his administration began to be used as offensive cyber tactics against the Islamic State in Iraq and Syria. Indictments of hackers in China and Iran, and the identification of Russia as the sponsor of recent attacks against the Democratic National Committee, are examples of our increased ability to attribute attacks. Incremental change also gave way to initiatives like the Cyber Sprint, an effort to identify and secure core assets at federal agencies. The OPM was Obama’s wake-up call that incrementalism could not keep pace with the rapidly evolving threats we face.
The biggest change, though, was the move toward greater centralization. The Cyber Sprint was led by the Office of Management and Budget and supported by binding operational directives from the DHS. This was not something that could be left to each agency — that was what led to the OPM mess in the first place. The creation of a federal chief information security officer, the development of a robust national incident response plan, and the creation of a dedicated IT modernization fund are all components of Obama’s Cybersecurity National Action Plan, a central directive that applies across the federal government.
I welcomed this new sense of urgency. Obama made it clear that he had no intention of making the same mistake twice, and I think his legacy in cyberspace will be greatly burnished by the last 20 months of increased focus.
These achievements were difficult. As you begin your term, I encourage you to take the lessons learned from your predecessor to heart when crafting cybersecurity policy. This means adopting the recommendations of the national action plan and going beyond them. It means ensuring there is an advocate for cybersecurity in the room when budget and policy decisions are made. It means working with Congress to implement existing law on information sharing and to pass new legislation on developing the workforce needed to address these issues and securing the internet of things.
Cybersecurity has never been a partisan issue, and I hope it remains that way over the next four years.
Langevin is a senior member of the House Armed Services Committee and the House Committee on Homeland Security, and is the co-founder and co-chair of the Congressional Cybersecurity Caucus.
First published at THE HILL