Campaign Promises

Item
Homeland Security - Cyber Security
Grade
HS-3
The Promise: "...will ensure that his administration develops a Cyber Security Strategy that ensures that we have the ability to identify our attackers and a plan for how to respond that will be measured but effective."
When/Where: Fact Sheet: Obama's New Plan to Confront 21st Century Threats, 07/16/08
Source: http://www.presidency.ucsb.edu/ws/?pid=93199
Status: On 02/09/09, Obama ordered a 60-day intra-agency review to determine the USG's reactive posture toward cyber warfare. The resulting report was released on 05/29/09 by President Obama and is entitled "Cyberspace Policy Review - Assuring a Trusted and Resilient Information and Communications Infrastructure."

One of the near-term goals articulated in the above document was: "Prepare for the President's approval an updated national strategy to secure the information and communications infrastructure."

On 05/16/11, the White House presented a set of cybersecurity policy proposals. According to President Obama, the initiative represented "not only a vision for the future of cyberspace but an agenda for realizing it." His "International Strategy for Cyberspace" reinforced the Administration's focus on cybersecurity and counter-censorship.

In 07/11, the Department of Defense (DoD) released its "Strategy for Operating in Cyberspace," making it clear that the Pentagon reserved the right to respond to foreign attacks on its cyber networks with military force. This provision was retained in the Pentagon's release of its "Cyberspace Policy Report" in mid-11/11. Further to that report, DoD released its specific five-point strategy to secure its cybersecurity initiatives on 04/17/15. That strategy was summarized as: (1) Build and maintain ready forces and capabilities to conduct cyberspace operations; (2) Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions; (3) Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence; (4) Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages; and (5) Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.

After nearly a decade of partisan haggling, the "Cybersecurity Act of 2015" was signed into law on 12/18/15 as Division N of the FY2016 omnibus spending bill, the "Consolidated Appropriations Act of 2016" (H.R. 2019). Less than a month later, on 01/08/16, Congressman Justin Amash (R-MI) introduced H.R. 4350, entitled "To Repeal the Cybersecurity Act of 2015," which would delete Division N in its entirety. The premise for the repeal is that the "Cybersecurity Act of 2015" won't prevent cyber attacks, threatens personal privacy, and is considered by some to be illegitimate. This legislation is not expected to be signed into law before the 114th Congress expires at the end of CY2016.

Meanwhile, the Office of Personnel Management (OPM) revealed in 06/15 that over 21M personnel records had been hacked since 03/14. The fingerprints of 5.6M personnel were compromised in the process. In 02/16, the contact information of 20K FBI and 9K DHS personnel was made public by a hacker. Also in 02/16, the Internal Revenue Service (IRS) was hacked. Approximately 700K social security numbers were stolen, increasing identity theft risks for the owners of those social security numbers.

Nonetheless, a national Cyber Security Strategy was developed under President Obama.

This promise was fulfilled.
1.00
HS-4
The Promise: "Barack Obama will also initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime."
When/Where: Fact Sheet: Obama's New Plan to Confront 21st Century Threats, 07/16/08
Source: http://www.presidency.ucsb.edu/ws/?pid=93199
Status: The Comprehensive National Cybersecurity Initiative (CNCI), under which the proposed grant/training programs would be funded, was actually started in January 2008 during the Bush Administration, so the Obama Administration cannot lay claim to initiating these programs.

A review of the Department of Homeland Security Grant Program (HSGP), established in CY2003, reveals that funds from each of the HSGP State, Local, Tribal and Territorial (SLTT) grant components (i.e. State Homeland Security Program, Urban Areas Security Initiative, Metropolitan Medical Response System and Citizen Corps Program) can be used for SLTT cybersecurity programs.

Under President Obama, the Law Enforcement Cyber Center (LECC) was created on 05/18/15. The LECC enters into strategic partnerships with organizations that provide training, technical assistance, and other resources to law enforcement agencies and criminal justice practitioners to prevent, investigate, prosecute, and respond to cyber threats and cyber crimes. Organizations participating in the LECC on-line training mission include but are not limited to:
- FBI Cyber Shield Alliance - Virtual Academy Cyber Certification Program;
- National White Collar Crime Center (NW3C);
- Secret Service - National Computer Forensics Institute (NCFI);
- Department of Homeland Security - Federal Virtual Training Environment (FedVTE);
- Defense Cyber Crime Center (DC3);
- Department of Justice, Computer Crime and Intellectual Property Section (CCIPS);
- National Computer Forensics Institute (NCFI);
- National Criminal Justice Training Center (NCJTC); and
- Regional Computer Forensics Laboratory (RCFL).

This promise was fulfilled.
1.00
HS-5
The Promise: "The federal government must partner with industry and our citizens to secure personal data stored on government and private systems. An Obama administration will institute a common standard for securing such data across industries."
When/Where: Fact Sheet: Obama's New Plan to Confront 21st Century Threats, 07/16/08
Source: http://www.presidency.ucsb.edu/ws/?pid=93199
Status: In the early years of the Obama Administration, several bills were introduced in Congress that could have potentially addressed this promise. Among those bills:
- Data Accountability and Trust Act (H.R. 2221)
- PASS ID Act (S. 1261) "to amend Title II of the Homeland Security Act of 2002 to protect the security, confidentiality, and integrity of personally identifiable information."
- Cybersecurity Act of 2009 (S. 773)
- Cybersecurity and Internet Freedom Act of 2011 (S. 413)
- Cybersecurity Act of 2012 (S. 2105)
- A new version of the "Cybersecurity Act of 2012" (S. 3414)
- Cybersecurity Enhancement Act of 2012 (H.R. 2096) to "advance cybersecurity research, development, and technical standards."

None of the above bills passed both houses of Congress.

Faced with non-action by Congress, President Obama issued Executive Order (EO) 13636, "Improving Critical Infrastructure Cybersecurity," on 02/12/13. This EO ordered the development of a Cybersecurity Framework, which is a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, produced by the Department of Commerce's National Institute of Standards and Technology (NIST) and created jointly by the government and the private sector, uses a common language to address and manage cybersecurity risks. It was released in 02/14.

In 01/15, President Obama released draft language to Congress for the establishment of a national data security standard. His proposal was incorporated in the Senate's "Data Security and Breach Notification Act of 2015" (S. 177) and in the House's bill by the same title (H.R. 1770). Neither of these bills was expected to be signed into law before the 114th Congress expired at the end of CY2016.

Taking further action, on 02/13/15 President Obama signed Executive Order (EO) 13691 entitled "Promoting Private Sector Cybersecurity Information Sharing." This EO (Section 3, ISAO Standard Organization) directs the Secretary of Homeland Security to develop Information Sharing and Analysis Organizations (ISAOs) and enter into an agreement with a nongovernmental organization to serve as the ISAO Standards Organization (SO). The University of Texas at San Antonio was selected as the SO. Its mission is to improve the nation's cybersecurity posture by identifying standards and guidelines for effective information sharing and analysis related to cybersecurity risks, incidents, and best practices. The resultant standards are to address, at a minimum, contractual agreements, business processes, operating procedures, technical means, and privacy protections, such as minimization, for ISAO operation and ISAO member participation.

The Cybersecurity Act of 2015, signed into law as Division N of the Consolidated Appropriations Act of 2016 (H.R. 2019), did not include provisions for the institution of a common standard for the protection of personal data.

Given the efforts made by the Obama Administration to address cybersecurity matters and establish standards, but given that no legislation has been signed into law to codify the promised "common standards," it is considered that tangible progress was made toward promise fulfillment.
0.75
HS-6
The Promise: "California and other states have laws requiring a company that may have disclosed a resident's personal information without authorization to inform the victim of the disclosure. Barack Obama believes that all Americans deserve the same right to know and will push for comparable federal legislation."
When/Where: Fact Sheet: Obama's New Plan to Confront 21st Century Threats, 07/16/08
Source: http://www.presidency.ucsb.edu/ws/?pid=93199
Status: The National Strategy for Trusted Identities in Cyberspace (NSTIC) was created in early-CY2011 under President Obama to improve the privacy, security and convenience of sensitive online transactions through collaborative efforts with the private sector, advocacy groups, government agencies, and other organizations.

The NSTIC was based on an online environment where individuals and organizations could trust each other because they mutually identify and authenticate their digital identities.

The "Identity Ecosystem," a less formal term for the NSTIC initiative, will, when designed, developed and implemented, allow consumers to gain greater privacy and security protection from the innumerable companies that collect data on their web-surfing activities. Use of the future "Identity Ecosystem" will be voluntary.

But the thrust of this promise was to have laws in place at the national level that would require companies to notify consumers when their personal data has been disclosed to a third party. In the absence of national-level legislation and in view of the urgency associated with identity theft notifications, as of end-CY2016, residents of 47 states (less Alabama, New Mexico and South Dakota), the District of Columbia, Puerto Rico and the Virgin Islands can expect to be contacted by a business or bank should their personal data get lost or stolen.

Bills that, if combined, could have fulfilled this promise were routinely introduced during President Obama's two terms in office. The most recent bills include:
* Data Breach Notification and Punishing Cyber Criminals Act of 2015 (S. 1027), introduced by Senator Mark Kirk (R-IL) on 04/21/15, to require notification of information security breaches and to enhance penalties for cyber criminals.
* Data Security and Breach Notification Act of 2015 (S. 177), introduced by Senator Bill Nelson (D-FL) on 01/13/15, to protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a breach of security.
* Data Security and Breach Notification Act of 2015 (H.R. 1770), introduced by Congresswoman Marsha Blackburn (R-TN) on 04/14/15, to require certain entities who collect and maintain personal information of individuals to secure such information and to provide notice to such individuals in the case of a breach of security involving such information.
* Personal Data Notification and Protection Act of 2015 (H.R. 1704), introduced by Congressman James Langevin (D-RI) on 03/26/15, to establish a national data breach notification standard.

None of the above bills were given a chance of being signed into law before the 114th Congress expired at the end of CY2016, according to Congressional activity monitoring web site govtrack.us.

This promise was not fulfilled.
0.00
HS-7
The Promise: "...will work with industry to develop the systems necessary to protect our nation's trade secrets and our research and development."
When/Where: Obama-Biden Plan: "Strengthening Homeland Security" dated 10/17/08.
Source: http://change.gov/agenda/homeland_security_agenda/
Status: On 02/20/13, U.S. Attorney General Eric Holder, Acting Secretary of Commerce Rebecca Blank, and White House Intellectual Property Enforcement Coordinator Victoria Espinel released a document entitled "Administration Strategy on Mitigating the Theft of U.S. Trade Secrets." Part of this strategy is to "promote voluntary best practices by private industry to protect trade secrets."

With support from a broad industry coalition of manufacturers such as the Boeing Company and General Electric, as well as organizations such as the Software & Information Industry Association (SIIA) and the U.S. Chamber of Commerce, President Obama signed the "Defend Trade Secrets Act of 2016" (S.1890) into law on 05/11/16.

This law provides federal jurisdiction over the theft of trade secrets. This means that U.S. companies and inventors whose trade secrets and intellectual property are proven to have been stolen by any means can seek monetary compensation for those losses in federal court.

Thus, a strategy is in place to address this promise, and some legislation is being enacted for that strategy to become a reality.

This promise was fulfilled.
1.00
HS-8
The Promise: "...will support an initiative to develop next-generation secure computers and networking for national security applications."
When/Where: Obama-Biden Plan: "Strengthening Homeland Security" dated 10/17/08.
Source: http://change.gov/agenda/homeland_security_agenda/
Status: One day after he was sworn into his first term, President Obama released his strategy for cyber security. One of the goals of that strategy was to "develop next-generation secure computers and networking for national security applications," words identical to his promise of 10/17/08.

The term "national security application," by default, lent itself to the handling of classified information. This aspect gained prominence and heightened attention after the release of thousands of classified documents to the web site "Wikileaks" in CY2010.

The National Intelligence Programs (NIP), exclusive of military intelligence, were funded as follows under President Obama:

FY2010: $53.1B
FY2011: $54.6B
FY2012: $53.9B
FY2013: $49.0B (Reduced from $52.6B under Sequestration)
FY2014: $50.5B
FY2015: $50.3B
FY2016: $53.9B (Requested)
FY2017: $53.5B (Requested)

While there is no other disclosure of currently classified NIP budget information because such disclosures could harm national security, one part of NIP's responsibilities is to "maintain the security of federal cyber networks." Further, the NIP budget supports the protection of the critical networks that facilitate Intelligence Community information sharing and operational requirements and accelerates various information protection and access-control mechanisms.

Under the NIP funding umbrella, the National Security Agency (NSA) manages a High Assurance Platform (HAP) Program, a multi-year program dedicated to developing next-generation secure computing systems to further improve protection for national security data, applications and networks. NSA conducts this effort in collaboration with industry, academia, and other government organizations.

The promise was to "support" the development of next-generation secure computers and networking for national security applications. Through his sustained funding requests for NIP and, by extension, NSA's HAP initiative, President Obama has fulfilled this promise.
1.00
HS-9
The Promise: "...will shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes."
When/Where: Obama-Biden Plan: "Strengthening Homeland Security" dated 10/17/08.
Source: http://change.gov/agenda/homeland_security_agenda/
Status: On 02/09/09, President Obama ordered a 60-day review of the highly classified Comprehensive National Cyber Initiative (CNCI) established by the Bush Administration in 01/08. One of the objectives of the review reportedly included "shutting down untraceable Internet payment schemes."

In CY2011, the highly reputed cybersecurity firm "RSA" reported alarming trends in the effectiveness of such financial cybercrime trojans as "Zeus," "Spyeye," "Ice IX" and others. Their report also indicated that cybercriminals were successfully finding new ways to monetize non-financial data such as utility bills, medical records, gaming accounts and other sources.

As of CY2016, the following untraceable Internet payment schemes have proliferated, any of which could easily be used to mask the transmission of criminal profits:

- DASH: A Bitcoin-based electronic currency focused on privacy. Anonymity is an option.
- CloakCoin: Every CloakCoin participant becomes part of a network, which increases anonymity.
- ShadowCash: Decentralised cryptocurrency with the option of making anonymous payments.
- LEOCoin: This is a decentralized peer-to-peer payment system. The public ledger is encrypted. There have reportedly been substantiated scam accusations against the developers of this currency.
- AnonCoin: Anonymous cryptocurrency also anonymizes computer IPs when one connects to a client.
- Monero: An open source untraceable currency that uses peer-to-peer transactions and a distributed public ledger; receipts and money transfers remain private by default. Ring signatures add a degree of ambiguity to make it harder to link a transaction to an individual computer.
- BitcoinDark: Employing a unique approach to currency anonymity, BitcoinDark uses what they call "Teleport" to clone and exchange currency denominations.

The promise to shut down "untraceable Internet payment schemes" was not fulfilled.
0.00
HS-10
The Promise: "...will work with the private sector to establish tough new standards for cyber security and physical resilience."
When/Where: Obama-Biden Plan: "Strengthening Homeland Security" dated 10/17/08.
Source: http://change.gov/agenda/homeland_security_agenda/
Status: On 02/12/13, President Obama signed Presidential Policy Directive 21 (PPD-21) entitled "Critical Infrastructure Security and Resilience." At the same time, he issued Executive Order 13636, entitled "Improving Critical Infrastructure Cybersecurity."

PPD-21 introduced three strategic imperatives designed to "drive the Federal approach to strengthen critical infrastructure security and resilience: (1) Refine and clarify functional relationships across the Federal Government to advance the national unity of effort to strengthen critical infrastructure security and resilience; (2) Enable effective information exchange by identifying baseline data and systems requirements for the Federal Government; and (3) Implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure."

PPD-21 led to the release of The National Infrastructure Protection Plan (NIPP 2013) on 12/20/13, entitled "Partnering for Critical Infrastructure Security and Resilience." This Plan outlined how government and private sector participants in the critical infrastructure community are to cooperate to manage risks and achieve security and resilience outcomes, and it met the requirements of PPD-21.

NIPP 2013 represented an evolution from concepts introduced in the initial version of the NIPP released in CY2006 by the Bush Administration and updated in CY2009 by the Obama Administration. It was developed through a collaborative process involving stakeholders from all 16 critical infrastructure sectors, all 50 states, and from all levels of government and industry. It provides a clear call to action to leverage partnerships, innovate for risk management, and focus on outcomes by providing the foundation for an integrated and collaborative approach to achieve the vision of a "nation in which physical and cyber critical infrastructure remain secure and resilient, with vulnerabilities reduced, consequences minimized, threats identified and disrupted, and response and recovery hastened."

As to standards, NIPP 2013 included the following direction to the Department of National Security: "Develop interoperability standards to enable more efficient information exchange through defined data standards and requirements, to include: (1) a foundation for an information-sharing environment that has common data requirements and information flow and exchange across entities; and (2) sector-specific critical reporting criteria to allow for improved information flow and reporting to produce more complete and timely situational awareness for security and resilience."

The above requirements were codified in Section 208 of Division N (Cybersecurity Act of 2015) of the Consolidated Appropriations Act of 2016 (H.R. 2029), which states in part that the Secretary of Homeland Security shall, among other responsibilities: "provide information to the appropriate congressional committees on the feasibility of producing a risk-informed plan to address the risk of multiple simultaneous cyber incidents affecting critical infrastructure, including cyber incidents that may have a cascading effect on other critical infrastructure" and "...a report on cybersecurity vulnerabilities for the 10 United States ports that the Secretary determines are at greatest risk of a cybersecurity incident and provide recommendations to mitigate such vulnerabilities."

This promise was fulfilled.
1.00
HS-11
The Promise: "...will strengthen privacy protections for the digital age and will harness the power of technology to hold government and business accountable for violations of personal privacy."
When/Where: Obama Plan: "Connecting and Empowering All Americans Through Technology and Innovation" dated 11/13/07.
Source: https://www.wired.com/images_blogs/threatlevel/2009/04/obamatechplan.pdf
Status: The National Strategy for Trusted Identities in Cyberspace (NSTIC) was created in early-CY2011 under President Obama to improve the privacy, security and convenience of sensitive online transactions through collaborative efforts with the private sector, advocacy groups, government agencies, and other organizations.

The "Identity Ecosystem," a less formal term for the NSTIC initiative, will, when fully implemented, allow consumers to gain greater privacy and security protection from the innumerable companies that collect data on their web surfing activities. Within the Identity Ecosystem Steering Group's Identity Ecosystem Framework (IDEF), the strategy states that "...to truly enhance privacy in the conduct of online transactions, the Fair Information Practice Principles (FIPPs) must be universally adopted and applied in the Identity Ecosystem. The FIPPs are the widely accepted framework of defining principles to be used in the evaluation and consideration of systems, processes, or programs that affect individual privacy." The strategy further states that "...organizations should be accountable for complying with these principles, providing training to all employees and contractors who use personally identifiable information (PII), and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements."

As of end-CY2016, the National Institute of Standards and Technology (NIST) continued to award grants to eligible applicants to pilot online identity solutions that embrace the IDEF. Consequently, this promise is considered to be a work in progress.

This promise was not fulfilled during President Obama's two terms in office because the strengthening of privacy protections has not yet occurred.
0.00