During his 2008 presidential campaign, Barack Obama promised to "ensure that his administration develops a Cyber Security Strategy that ensures that we have the ability to identify our attackers and a plan for how to respond that will be measured but effective."
In the year since our last ruling, the attention devoted to cybersecurity has only increased, partly because of well-publicized breaches of customer data but especially because of revelations about National Security Agency surveillance of electronic and telephone traffic.
On Feb. 12, 2013, Obama signed an executive order on "Improving Critical Infrastructure Cybersecurity," which called for the implementation of a cybersecurity framework launched one year later.
The framework, developed by the Commerce Department's National Institute of Standards and Technology, is designed to help critical infrastructure sectors such as power plants, public transportation and communication systems, as well as other organizations, reduce and manage their risk of cyber-intrusions.
Organizations are encouraged to use the framework to manage their cybersecurity risk, though it is not designed to replace existing processes — an organization can keep its current process while incorporating aspects of the framework to determine gaps in its cybersecurity.
The adoption of the framework is voluntary, but the Department of Homeland Security has established the Critical Infrastructure Cyber Community Voluntary Program, C-Cubed for short, to increase awareness and use of the framework.
According to a White House briefing on the topic, C-Cubed will connect companies to DHS and other federal government programs and resources that will assist efforts in managing their cyber risk.
So the administration has taken some concrete steps to develop a formal cybersecurity strategy. But the administration's ability to pitch that strategy to private-sector companies and individuals has been hampered by the continuing stream of revelations based on leaked documents from former NSA contractor Edward Snowden. Whatever trust existed between the government and private companies has taken a serious blow in the post-Snowden era.
"On one hand, we had the Obama administration working for development of increased cybersecurity through its 'framework' initiative," said George Smith, a senior fellow at GlobalSecurity.org. On the other hand, Smith said, the administration was "allowing the NSA to aggressively pursue initiatives that destroy the security and trust in global as well as domestic networks."
So while Obama has made meaningful strides in creating a cybersecurity strategy, he faces stiffer-than-ever hurdles in implementing such a strategy, due to resistance in Congress as well as public skepticism. For now, we'll wait to see how this process shakes out, and we'll hold our rating at In the Works.