Obama vs. Romney: Where They Stand on Cybersecurity
As Americans prepare to go to the polls Nov. 6, President Barack Obama and his Republican challenger Gov. Mitt Romney have staked out starkly different positions on economic and foreign policy.
But if you look at where each man stands on America's cybersecurity, the picture becomes a lot muddier — as do the differences between the candidates.
There are a couple of reasons for this lack of clarity. First, cybersecurity simply hasn't been a priority during the campaign. Unemployment and the attack on the consulate in Libya are much closer to the top of the public agenda.
Second, cybersecurity isn't something Democrats and Republicans disagree on much. The topic doesn't lend itself to sound bites or photo-ops, especially since the threats are diffuse and the political disputes often merely about where bureaucratic authority should lie.
Security policy has been Obama's strength during much of his presidential campaign, but neither he nor Romney has said much about cybersecurity. Furthermore, no matter which man gets sworn in on Jan. 20, odds are he'll end up adopting the same policies his opponent would have.
"It's really one of the few areas where there is bipartisan agreement," said Jacob Stokes, research assistant at the Center for a New American Security, a centrist think tank in Washington, D.C.
Stokes noted that cybersecurity is generally not something people disagree on. No candidate or party will say there should be less of it.
It's also become clear that a threat really does exist, if for no other reason than that the U.S. itself has been convincingly linked to the creation of the Stuxnet worm and the Flame spyware.
Obama takes a hard line
The Obama campaign hasn't made any overtly political statements on cybersecurity, even though the Democratic platform includes a plank stating the importance of defending against cyberthreats. (Requests to Obama's campaign for comment went unanswered.)
Other than that, there's the possibility that Obama might issue an executive order implementing some of the provisions of the Cybersecurity Act of 2012, which failed in August to muster the 60 Senate votes needed to override a threatened Republican filibuster. (Senate Majority Leader Harry Reid, D-Nev., recently vowed to revive the bill.)
The impetus behind the possible executive order has come from Sen. Joe Lieberman, I-Conn., who caucuses with Democrats and was the failed bill's chief sponsor.
The Associated Press obtained a draft of the order, which would let federal agencies propose new regulations covering so-called "critical infrastructure" systems, such as electrical grids, water-treatment plants, railway-switching systems and financial-transaction networks.
The agencies would also be able to suggest, but not decide, which systems would be subject to their proposals, and what kind of legal avenues could be used to issue and enforce new rules.
The executive order would create a new cybersecurity council under the Department of Homeland Security that covered critical infrastructure. The council would include representatives from the Departments of Defense, Justice and Commerce, as well as the office of the Director of National Intelligence.
The council would send a report to the president to assess threats and vulnerabilities affecting critical infrastructure sectors. It isn't yet clear exactly which sectors would be designated as critical.
Romney provides few specifics
Romney spokesman Brendan Buck directed TechNewsDaily to a statement on security policy on the official Romney campaign website. It had little in the way of specific proposals.
"The multi-faceted threat we face in cyberspace requires a much more coordinated effort by the Department of Defense, the intelligence agencies, the Department of Homeland Security and the Departments of Commerce and the Treasury to secure America. This effort must prevent duplication, maximize information sharing and bind together the disparate competencies of these agencies."
The campaign statement also chided the Obama administration for failing to update the country's national-security strategy, which was originally formulated in 2003. Part of a 2008 revision under President George W. Bush was made public in 2010.
Votes for or against cybersecurity bills don't always fall along strict party lines. Lieberman got a certain amount of support for his bill from Republican senators, such as Maine's Susan Collins and Olympia Snowe.
In the House, a similar bill, the Cyber Intelligence Sharing and Protection Act, sponsored by Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.), passed in April with significant support from Democrats. But it's run into opposition from the White House and groups such as the Electronic Frontier Foundation, all of which have said the bill has insufficient protections for privacy and civil liberties.
Stokes noted that an executive order would only be able to go so far. Both stalled congressional bills included liability protections for private companies and exemptions from civil-service data-sharing rules, provisions that can only be granted by the legislature.
For their part, some Republicans and their supporters have said they'd rather not have the government involved in national cybersecurity.
"The private sector, not federal regulators, should take the lead on cybersecurity," said Sen. Ron Johnson, R-Wis., in an emailed statement. "Federal policy should focus on facilitating cybersecurity solutions, rather than attempting to dictate them. The Washington bureaucracy simply cannot keep up with the rapid pace of private-sector technological advances."
Meanwhile, the U.S. Chamber of Commerce, a lobbying group for business interests, said it is concerned about additional regulatory burdens.
"The optimal way forward will not be found in layering additional regulations on the business community," said Matthew Eggers, the chamber's senior director of national security and emergency preparedness, in an emailed statement. "Slowly moving, bureaucratic compliance mandates will drive up costs and misallocate business resources without increasing security."
Two roads, same destination
Stokes noted that if Romney is elected, it's quite possible that he will end up doing the same things as Obama. Politics aside, Stokes said, the Obama administration has taken significant steps to bolster the nation's cyber-defenses.
Setting up U.S. Cyber Command at the Department of Defense as a full combat command, for instance, may sound like bureaucratic shuffling, Stokes said, but the move does offer concrete benefits, such as getting a commander who can run the unit full-time.
Updating the national cybersecurity strategy was also a good thing, as was creating liaisons with the National Economic Council. It's hard to see a Republican disagreeing with either, Stokes said.
But none of this means more couldn't be done. Jon Oltsik, a senior principal analyst at the Enterprise Strategy Group, an IT consulting and research firm in Milford, Mass., doesn't think much of the president's efforts so far.
Oltsik noted that both congressional legislative proposals stalled, and that appointing a cybersecurity coordinator took a lot longer than expected. (Howard Schmidt, a former Bush administration cybersecurity advisor and then chief of information security for eBay, eventually took the role — but then stepped down in May 2012, two and a half years into the job.)
Oltsik said that, at a minimum, the government could use both "carrots and sticks."
For example, it could create a list of security requirements and impose fines for violations, or offer tax incentives to companies that invest in cybersecurity.
"If there is a serious cybersecurity event, there really isn't any contingency plan other than standard disaster stuff like FEMA and the National Guard," Oltsik said. "If this happens, there will be chaos and finger-pointing."