With the end of his second term in sight, debates about President Barack Obama’s legacy in various policy areas are underway. When it comes to national security, his administration will be the first for which cybersecurity will feature prominently in legacy terms. Although former President George W. Bush focused on cybersecurity more than his predecessor, 9/11 and the wars in Afghanistan and Iraq determined his administration’s national security legacy. Obama entered office intending to make cybersecurity a priority, and it became a major feature of his administration’s national security efforts—just not in the ways he had envisioned. Examining the gap between his original strategy and where U.S. cybersecurity policy stands today illuminates some of the challenges the next administration will confront.
Good Intentions: Obama’s Initial Policy Objectives
Upon taking office, Obama ordered a comprehensive review of U.S. cybersecurity policy, the first time a new administration had done so. The message of the resulting May 2009 Cyberspace Policy Review was blunt: America’s increasing dependence on information and communications technologies had heightened vulnerabilities to cyber crime, terrorism and attacks by foreign nations that the U.S. government, private sector and society were unprepared to handle. This conclusion clearly suggested that the Bush administration’s efforts, including the February 2003 National Strategy to Secure Cyberspace and the classified January 2008 Comprehensive National Cybersecurity Initiative (CNCI), had fallen short. The review bluntly declared that “the status quo is no longer acceptable.”