Analysts: Obama's Much-Touted New Cybersecurity Plan Is Full of Holes

After a year of alarm and hype, cybersecurity has finally made it to the top of the Obama administration's to-do list. President Obama, introducing a new report on U.S. cybersecurity in a speech on Friday, said cybersecurity represents "one of the most serious economic and national security challenges we face as a nation." The White House has even produced a web video and blog to help sell the new initiative.

However, while many experts applaud this new focus as vital to protecting critical U.S. infrastructure and economic institutions, some analysts have noted that the report fails to answer many key questions, contains a number of inconsistencies and possible inaccuracies, and generally exaggerates the threat to the country.

"It's a plan for a plan," said O. Sami Saydjari, chairman of the Professionals for Cyber Defense. "Given how bureaucracies work, they tend not to come up with bold plans in 60 days. The hard problems have yet to be grappled with."

Other analysts have gone much further in their criticisms of the report. George Smith, a senior fellow at Globalsecurity.org, said "it's set up to look remarkable, but it's only remarkable because it has an urban legend at the center of it." Smith was referring to a section in the report that repeats a questionable CIA claim about an Internet-based attack causing a multi-city blackout. While that may be far-fetched, online attacks has indeed played an important strategic role in recent conflicts, most notably in Russia's skirmish with Georgia in South Ossetia.

The report presents the results of a 60-day review of cybersecurity policy commissioned by the President shortly after taking office. The review, which was led by former Department of Homeland Security cybersecurity head Melissa Hathaway, involved interviews with dozens of experts in government, private industry, and academia, in an attempt to formulate a strategy for uniting America's uncoordinated cyberdefense efforts.

Currently, every government agency has different cybersecurity policies and activities. According to Saydjari, the lines delineating different cyberdefense responsibilities between various government, intelligence and military departments are "drawn as clear as mud."

In general, even analysts who support the expansion of cybersecurity efforts lamented the report's failure to answer the most important questions.

In particular, the report did not address which agency takes the lead in the case of a massive attack, or venture any estimates about the cost of implementing the recommendations. At times, the report even fails to maintain basic consistency within itself, listing the cost to the U.S. economy from cyberattacks as both "hundreds of millions" and "as high as $1 trillion," a difference of three orders of magnitude.

"The report that went to the President was a lot stronger than the report that came out of the President," said Martin Libicki, the author of Conquest in Cyberspace and a senior policy analyst at the Rand Corporation. Libicki attributed the weakness of the language in the report to National Economic Council head Larry Summers's desire to avoid firm commitments to projects he saw as overly expensive with little payoff.

Additionally, the report does not address whether or not the cybersecurity czar President Obama hopes to create would have any control over budget. That lack of budget control felled former-President Bush's attempt to create a unified cyberdefense command in the Department of Homeland Security.

Furthermore, both Libicki and Smith claim that the report exaggerates the threat faced by the U.S. from cyber attacks.

"Public education about threats seems to be a big thing in this report, and in this case, public education mostly means fearmongering," said Smith. Libicki echoed that sentiment, noting that the damage done by cyberattacks pales in comparison to the other problems currently afflicting the U.S. economy.

Of course, there are some elements of the report that have been universally applauded. In particular, the creation of a cybersecurity czar position within the White House, and the placement of the czar on both the National Security Council and the National Economic Council, should help to rectify both the lack of focus and the influence problems that plagued previous cybersecurity directors.

"Having the cybersecurity coordinator involved with the National Economic Council, as well as the National Security Council, is a very important step," said Scott Borg, Director and Chief Economist of the U.S. Cyber Consequences Unit, a non-profit founded by the U.S. government that now independently consults with the government and businesses. "By defining the job in this way, President Obama is recognizing that economics is central to cybersecurity."

All the analysts also agreed that this report is just the beginning. With the report punting on many important issues, and the cybersecurity czar position currently sitting unfilled, the debate over U.S. cybersecurity policy has just begun.

"We're in the process of throwing the steak in the shopping cart," said Libicki. "We haven't even gotten to the grill yet."