Cybersecurity: Obama vs. Romney
ANALYSIS: Distinguishing a Romney from an Obama Presidency
Regardless of who wins the U.S. presidential election, cybersecurity will be a top administration priority. What remains uncertain is how a President Romney would differ from a second-term President Obama on his approach to IT security over the next four years. And, by extension, what difference would an Obama or Romney administration make on the IT security profession?
Both candidates have made fleeting references to cybersecurity during the presidential campaign, but neither has addressed the matter in detail.
"They're stealing our intellectual property, our patents, our designs, our technology, hacking into our computers, counterfeiting our goods," Romney said at the third presidential debate, referencing his proposed get-tough-with-China policy. At the same debate, while addressing United States military capabilities, Obama said: "We need to be thinking about cybersecurity."
That's virtually all both candidates have said about cybersecurity on the hustings, and neither campaign responded to direct queries about their cybersecurity ideas. Their relative silence, though, doesn't mean they don't have some fundamental differences on cybersecurity. The most striking difference: The role of the federal government in developing IT security standards that could be adopted by the private sector.
Or so it seems.
Conventional wisdom suggests that Romney would oppose cybersecurity regulation because he has repeatedly espoused throughout the campaign a fervent belief in fewer government regulations on business, though he never specified IT security in his comments. Fortifying that thinking is the Republican Party platform that's explicitly and decidedly anti-regulation. It states: "The costly and heavy-handed regulatory approach by the current administration will increase the size and cost of the federal bureaucracy and harm innovation in cybersecurity."
Yet, does the GOP platform reflect Romney's position? As one Capitol Hill insider observes: If the candidate doesn't explain his position, look at with whom he keeps company. One of Romney's top cybersecurity advisers is former National Security Agency Director Michael Hayden. In June, Hayden and his former colleagues wrote a letter to Senate leaders saying situations exist in which IT security regulation of industry might be appropriate. With his hawkish views, it's not inconceivable that Romney could favor some form of cybersecurity regulation because many in the intelligence and defense communities support it.
"This is the kind of issue that if Obama weren't president, if there were a Republican president, we would have passed cyber legislation with some sort of regulatory approach," says a former senior Capitol Hill staffer who spent years shaping cybersecurity legislation. "That's what the national security community, that's what the intelligence community is asking for. The reason why Republicans are much more inclined to reject that advice was simply because of the man in the White House."
That man in the White House - Obama - doesn't necessarily disagree with the former defense and security leaders' assessments. And he sees a role for government in working with industry and academia to create IT security best practices that businesses - especially ones operating the nation's critical infrastructure - could adopt voluntarily. Obama backs the Cybersecurity Act of 2012, legislation stalled by a Senate filibuster that provides for a process to create voluntary best practices. His administration also is mulling the issuance of an executive order to develop voluntary IT best practice.
The Obama Cybersecurity Record
The Democratic Party platform points out that the president and the administration have taken "unprecedented steps to defend America from cyberattacks, including creating the first military cyber command and conducting a full review of the federal government's efforts to protect our information and our infrastructure."
That review was initiated just weeks after Obama took office in 2009 and resulted in the administration's Cyberspace Policy Review, which the president unveiled with much fanfare in May 2009. By year's end, he tapped Howard Schmidt as White House cybersecurity coordinator.
Though the president himself hasn't said much about cybersecurity since presenting his action plan, his administration has been active, establishing a joint Defense-Homeland Security approach to cyberdefense, announcing an international cybersecurity initiative, unveiling the National Strategy for Trusted Identities in Cyberspace and promoting cybersecurity research and development. The administration also has advocated the use of secure cloud computing and continuous monitoring of agencies' IT systems to assure they meet security standards detailed in the Federal Information Security Management Act.
An Obama second term primarily would focus on executing the programs initiated during the first term and codifying cybersecurity practices and governance, including granting more authority to the Department of Homeland Security on IT security matters.
A Romney Approach to Cybersecurity Governance
Just as Obama had his cyberspace review after taking office, the former Massachusetts governor says that, if elected, he also would order full interagency reviews to develop and deliver to his desk a unified strategy to bolster America's cybersecurity.
Melissa Hathaway, who managed Obama's cyberspace policy review and also held a top cybersecurity post in the Bush White House, sees Romney's business background as making him well suited to tackle a unified strategy to cybersecurity. "He's a businessman, and he knows how to run things and get things done," Hathaway says. "I think he'll bring that mentality or approach to the office [saying], 'Here is my capital cost, here are my operation costs, here's what I expect to be the impact, and you know, bottom-line, performance management objectives.'"
Regardless of management style, one area where the candidates seem to agree is the need to enact a law to allow the government and businesses to share information on cyberthreats. Such a law is needed to allow the government to share certain sensitive and/or classified information with private entities. A law also would furnish protections against lawsuits, including anti-trust actions, based on information shared about cyberthreats. Businesses might be reluctant to share information if they feel disclosing certain actions could expose them to legal action.
It's assumed, although uncertain, that Romney supports a Republican-sponsored bill that passed the House of Representatives in April known as CISPA, the Cyber Intelligence Sharing and Protection Act, which Obama has threatened to veto.
Obama contends CISPA's information sharing provisions don't provide sufficient citizen privacy and civil liberties protections and the bill's anti-trust safeguards could inappropriately shield companies that claim protection because of cyberthreat information sharing. "The government, rather than establishing a new anti-trust exemption under this bill, should ensure that information is not shared for anti-competitive purposes," an Obama administration statement of policy says.
DHS's Role in Governing Civilian IT Security
Another difference between the two candidates on cybersecurity could be how they approach governance of IT security in the federal government, especially with civilian agencies. Romney hasn't articulated how he would manage government IT security, and perhaps like Obama during his first year in office, would wait until his cybersecurity review was completed.
Obama's position is clearer: The president wants to give more authority to the Department of Homeland Security to handle day-to-day oversight of IT security at civilian agencies. He backs legislation to amend FISMA to direct the DHS secretary to oversee the information security requirements of federal agencies. The Obama administration already is doing some of this through an Office of Management and Budget memorandum that has administratively transferred certain responsibilities to DHS from OMB.
The same bill would designate DHS as the main federal entity to coordinate cybersecurity protection with business and other non-federal-government enterprises.
The last Republican presidential nominee, Sen. John McCain of Arizona, has fervently opposed efforts to give DHS more authority, believing the department hasn't demonstrated competency to oversee IT security. But Romney has never expressed his opinion about DHS's role in governing federal government IT. And, with his own appointees in charge at DHS should he be elected, he might not have such a negative view on giving the department a central role in federal government IT security governance.
That Obama's and Romney's approaches to cybersecurity don't seem too far apart shouldn't be surprising. For the most part, cybersecurity in the federal government has been bipartisan. Democrats and Republicans generally agree that government has an important role to play in safeguarding the nation's critical IT systems. What has prevented Congress from adopting comprehensive cybersecurity legislation is ideology, which primarily surrounds whether the government should regulate the private sector. It's unclear how ideological Romney would be as president when it comes to cybersecurity regulation.
It took Hathaway's cyberspace review and advice from scores of cybersecurity experts before Obama formulated his cybersecurity policy, so maybe we shouldn't expect Romney to have devised his plan before the election.
Still, cybersecurity is so vital to the functioning of our government, our economy and our society that voters may be disappointed that neither candidate had much to say about the topic as they campaigned for president.