Cybersecurity was a small but important part of President Barack Obama's 2015 State of the Union address. And with the events of the last year — the hack of Office of Personnel Management networks, breach of an IRS database, passage of information sharing legislation and an agreement with China to curb economic espionage — one would expect cyber to be a major part of this year's speech on Jan. 12.

However, a preview of the president's remarks posted on the White House website doesn't mention the words "cyber" or "cybersecurity" once.

That doesn't mean cyber won't find its way into the speech. But security experts watching the administration — and preparing to watch the final State of the Union — fear it won't be a significant part of the address.

Some of those experts offered their take on what they think Obama will say about cyber, what he should say and what will likely be left out.

A year of cyber achievements

BeyondTrust Vice President of Federal Lisa Donnan believes the president will address cybersecurity in his speech because, well, how could he not?

I expect Obama to underscore cybersecurity in the State of the Union Address given the breadth of cybersecurity legislation framework the administration has outlined and discussed ahead of time.

As an example, the omnibus bill includes a new version of CISA (Cybersecurity Information Sharing Act) as part of the Cybersecurity Act of 2015, along with the FY16 Intelligence Authorization Act. Moreover, the administration wants upgrades and amendments to RICO (Racketeer Influenced and Corrupt Organizations Act), along with CFAA (Computer Fraud & Abuse Act).

Furthermore, I expect he will highlight the new Cyber Threat Intelligence Integration Center (CTIIC) to be housed at ODNI — a center for "fusing cyber intelligence."

Finally, I expect he will highlight the "progress" with the Chinese on the Cybersecurity Agreement or "bilateral no hacking." This is a step in the right direction, but given the tolerance for the Chinese to steal U.S. intellectual property, this will be a long-negotiated journey. 

Given the amount of cybersecurity legislation the administration has put forth, Obama needs to address not only the strategy, but the operationalization of the strategy. Has the administration funded these initiatives so they succeed or are they arduous rules for the private sector to adhere to with no cost-benefit to the companies or their end customers?

Prediction: Cyber gets a passing remark

J.J. Thompson, founder and CEO of Rook Security, doesn't expect much cybersecurity in the speech but hopes there might be talk of new legislation for the coming year.

I think President Obama will be vague about cybersecurity and say that it's important, but without much follow-up. I expect him to reference CISA and say that it was a great success. He will likely avoid anything proscriptive or proactive during his address.

I would like Obama to say that the United States requires a robust and integrated cyber defense capability to protect our country's citizens and companies. A call for Congress to introduce a bill to facilitate this joint effort would add strength to his statement.

Educating the cyber workforce

Chris Drake, founder and CEO of Armor, said he wants to see the president talk about training the next generation of cybersecurity experts.

I would hope to see the president address how America falling behind in cybersecurity is ultimately a symptom of our failing education system. The fact is that we're not doing all we can to develop creative minds who have math and science depth. We have a watered-down educational system that treats the arts as electives and not as a requirement. We also stifle our brightest youth to a level of learning that gets the non-brightest to pass.

If we as a nation start removing the limits we place on our brightest so that we're fair to the masses, they will change the world for the better. Cybersecurity will be one of the many things that are improved.

Securing critical infrastructure

One of the most important aspects of cybersecurity often gets forgotten: the national security implications of having critical infrastructure connected to the network. Geoff Webb, vice president of solution strategy for Micro Focus, hopes the president speaks to this, as well as improving relationships between the government and private sector.

Given the recent discussions around the possibly long-term penetrations of U.S. infrastructure by Iranian hackers (and agents of other foreign states), I would expect there to be a real focus on protecting critical infrastructure from attack. Cybersecurity has become a front line when dealing with rogue states, terrorist organizations and of course those countries who quietly fund IP theft on a large scale. If the president doesn't discuss the need for significant investment in critical infrastructure security now and there is a major incident in the future, it would be politically very costly. Seeing a large portion of the power grid shut down by ISIS hackers would be a very unpleasant scenario for any political leader.

I would also expect to see commentary on further cooperation between federal cybersecurity (and teams operating at the state level) and industry too. We've barely begun to tap the potential for meaningful cooperation between industry and government in this space – where each can bolster the efforts of the other. It's the kind of program that really needs top-down leadership from the executive.

Help the private sector help itself

Craig Hinkley, CEO of WhiteHat Security, wants to hear what the government can do to educate companies on cybersecurity best practices and enable the private sector to be more proactive. He offered three "key elements" to help guide this discussion.

It will be important for President Obama to reinforce what's being done at a national and international level, as well as within the private sector, when it comes to our collective cybersecurity capabilities. Aside from all of the legislation that's been in the works, the government needs to ensure it's creating an environment where companies understand they need to be empowered and responsible for their own information and cybersecurity safety.

Toward that end, I'd like to hear the government suggest a best practices approach to developing and running a comprehensive cybersecurity program that addresses three key elements: Awareness and detection to understand the vulnerabilities that could be exploited; how to prioritize the impacts of the vulnerabilities that are discovered; and how to mitigate vulnerabilities tactically and systematically. These best practices are relevant to any organization — public or private sector — and should be used to hold security leaders, as well as CEOs and Boards accountable for the safety and security of their business or agency.

Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.
