Full Terms & Conditions of access and use can be found athttp://www.tandfonline.com/action/journalInformation?journalCode=uiss20

Download by: [Naval Surface Warfare Center Dahlgren] Date: 02 November 2017, At: 05:16

Information Security Journal: A Global Perspective

ISSN: 1939-3555 (Print) 1939-3547 (Online) Journal homepage: http://www.tandfonline.com/loi/uiss20

Stay the course: Why trump must build onobama’s cybersecurity policy

Travis Duane Howard & Jose de Arimatéia da Cruz

To cite this article: Travis Duane Howard & Jose de Arimatéia da Cruz (2017): Stay the course:Why trump must build on obama’s cybersecurity policy, Information Security Journal: A GlobalPerspective, DOI: 10.1080/19393555.2017.1385115

To link to this article: http://dx.doi.org/10.1080/19393555.2017.1385115

Published online: 31 Oct 2017.

Submit your article to this journal

Article views: 2

View related articles

View Crossmark data

Stay the course: Why trump must build on obama’s cybersecurity policyTravis Duane Howarda and Jose de Arimatéia da Cruzb,c

aU.S. Department of Defense, U.S. Navy, Washington, District of Columbia, USA; bInternational Relations and Comparative Politics, ArmstrongAtlantic State University, Savannah, USA; cU.S. Army War College, Carlisle, USA

ABSTRACTThe article presents a review and analysis of cybersecurity policy and strategic initiatives by theObama Administration, and an argument for continuity and improvement of initiatives already inmotion through the TrumpAdministration that will allow for growth of critical cybersecurity strategiesthat will improve critical infrastructure protection,modernize and defend the U.S. federal IT enterprise,and secure U.S. and allied investments in cyberspace. A discussion on key strategic efforts of theObama Administration from 2008 to 2016 is presented, as well as challenges and potential improve-ments that could be made in the Trump Administration. We conclude by making several recommen-dations for U.S. policymakers that would provide continuity and iterative improvement to PresidentObama’s cybersecurity policy strategy: deepen the federal cybersecurity bench, accept recent bipar-tisan recommendations for policy improvement and strategic direction, and continue U.S. leadershipin public-private and international partnerships.

KEYWORDScybersecurity; trump;obama; policy; strategy

Introduction

Since the last few years of the Clinton Administrationin the 1990s, cybersecurity has been a rapidly growingarea of national security, with solutions that spanseveral professional disciplines including but not lim-ited to information technology, law, public policy,criminal justice and political science. Yet despitealmost 20 years of admiring the problem, securingcyberspace for the U.S. and its international allies isstill proving elusive. In 2015, then-Director of U.S.Intelligence James Clapper asserted that U.S.Government, military, commercial, and social activ-ities were inherently vulnerable, attack vectors wereexpanding, and offensive cyber operations againsthigh value private and public sector targets wereongoing (Clapper, 2015, p. 1). Every cybersecuritypolicy enacted by the Clinton, Bush, and ObamaAdministrations has been met with both success andfailures. How does the U.S. chart the course throughwaters still unknown and perilous?

One can draw wisdom from great teachers ofwarfare such as General Carl von Clausewitz, in hisseminal work On War that has graced the book-shelves of somanymilitary leaders and public figuressince it was written in the 19th century. VonClausewitz offers the following advice when he

discusses perseverance of strategic theory: “There ishardly a worthwhile enterprise in war whose execu-tion does not call for infinite effort, trouble, andprivation… it is steadfastness that will earn theadmiration of the world and of posterity” (vonClausewitz, Howard, & Paret, 1984, p. 227).

With the recent election of President Trumpas the 45th President of the United States, a newadministration takes office at a critical time inthe development of cybersecurity policy. Manyof the President’s critics are bracing for the nextfour years, concerned that many of the previousadministration’s work will be undone or ham-strung as the Republican agenda takes centerstage until at least the mid-term Congressionalelections in 2018. Regarding many national poli-cies, President Trump has stated that he willrepeal laws, cancel executive orders, and other-wise undue much of President Obama’s effortsthat he might see as partisan to the Democraticparty. National cybersecurity policy, however, isa problem that has been in the forefront fordecades to both Democratic and Republicationadministrations. The momentum built by pastadministrations must not be halted. Rather, thecurrent strategy must be continued and built

CONTACT Travis Duane Howard travis.howard1981@gmail.com

INFORMATION SECURITY JOURNAL: A GLOBAL PERSPECTIVEhttps://doi.org/10.1080/19393555.2017.1385115

© 2017 Taylor & Francis

Dow

nloa

ded

by [

Nav

al S

urfa

ce W

arfa

re C

ente

r D

ahlg

ren]

at 0

5:16

02

Nov

embe

r 20

17

upon, with ample opportunities for the Trumpadministration to add its own imprint to makesmart course corrections.

This article will discuss key cybersecurity effortsled by previous U.S. presidential administrationson cybersecurity policy, focusing on recent effortsby the administration of the 44th President of theUnited States, Barack Obama. An overview ofPresident’s Trump’s known cybersecurity-relatedstatements and views, as well as those of his closestadvisors, will be analyzed considering the potentialchallenges the administration will face from 2017to 2020. Finally, the authors present potential areasfor cybersecurity policy improvement during theTrump administration and recommendations formoving forward.

Review and analysis of key obama adminis-tration efforts in cybersecurity policy

During a press conference in January 11, 2017,President Donald J. Trump promised a “major reporton hacking defense” within his first 90 days in office.President Obama produced that very report duringhis first months in office when he “directed a 60-day,comprehensive, ‘clean-slate’ review to assessU.S. policies and the structures for cybersecurity.”President Obama drew several conclusions from thisreport. One significant conclusion was that theU.S. cannot succeed in securing cyberspace withoutpublic-private sector and international cooperation(Executive Office of the President, 2009).The second important finding was that the FederalGovernment cannot “entirely delegate or abrogate” itsinvolvement in national cybersecurity, primarily inthe roles of intelligence sharing, protection of criticalinfrastructure, and incident response. PresidentObama’s 60-day cybersecurity policy review devel-oped a 10-point near-term action plan, and over thefollowing 8 years delivered in some way on nearly allof them.

During the Obama Administration (2008–2016),the national cybersecurity machine ramped up tounprecedented levels. The Office of the Presidentsought to consolidate efforts, name primary stake-holders within the Federal agencies (enlarging therole of the Federal Bureau of Investigation in cyber-security incident response), strengthen private-public sector partnerships, and increase information

sharing. Perhaps most importantly, the administra-tion advocated for a unified framework for technicalcontrols and risk management developed by theNational Institute of Standards and Technology(NIST). The development of the NIST’s RiskManagement Framework (RMF) has been widelyregarded amongst cybersecurity practitioners as themost flexible and robust framework to date,although still requires hard work to interpret theRMF and implement technical controls. Based onfeedback provided since its release in 2014, NISTupdated the framework in January 2017 in colla-boration with private-sector industry experts.

The capstone policy from the Office of thePresident during the Obama Administration,signed in February 2016, was the CybersecurityNational Action Plan (CNAP). The plan makesseveral in-roads to continue the work the ObamaAdministration started, including:

● Establishing the “Commission on EnhancingNational Cybersecurity” made up of “top stra-tegic, business, and technical thinkers from out-side the government;”

● Increase the budget, or make budgetary tra-deoffs, to modernize legacy technology andequipment within the federal government;

● Establish the Federal Chief InformationSecurity Officer (CISO) within the Office ofManagement and Budget (OMB) to unifyefforts and drive change;

● Implement a national cybersecurity aware-ness campaign by partnering with leadingprivate-sector firms;

● Increase cybersecurity spending to $19 billionin the President’s Fiscal Year 2017 budgetproposal to Congress; and

● Increase recruitment of cybersecurity profes-sionals and double the number of federalcyber-defense teams within the Departmentof Homeland Security (DHS) to a total of 48(Office of the Press Secretary, 2016, p. 5).

The plan was ambitious, especially for a Presidentin his last year, but the plan was not intended to beshort-term. Rather these are actions that areintended to continue into the next administration,and can serve as a starting point for the 45th pre-sidential administration. President Obama made

2 T. D. HOWARD AND J. D. ARIMATÉIA DA CRUZ

Dow

nloa

ded

by [

Nav

al S

urfa

ce W

arfa

re C

ente

r D

ahlg

ren]

at 0

5:16

02

Nov

embe

r 20

17

progress in several cybersecurity fronts such as theCommission on Enhancing National Cybersecurity,which met in 2016 and provided recommendationsin December, and Grant Schneider was appointedthe Federal CISO in September 2016. The remainingCNAP initiatives require additional planning andinvestments, and what follows is an analysis on theefforts thus far, the validity of continuing theseefforts, and ways in which to strengthen these efforts.

Modernize aging federal IT infrastructure

In 2016, a report by the U.S. GovernmentAccountability Office (GAO) identified thatmuch of the $89 billion spent within federal agen-cies to maintain their networks were spent operat-ing and maintain legacy, outdated networkinfrastructure. Specifically, the study found thatthose networks were “moderate to high risk” dueto obsolete systems with critical hardware andsoftware vulnerabilities, and end-of-life vendorsupport (United States GovernmentAccountability Office, 2016, p. 2). Of the agenciesreporting, the Department of Defense (DoD) com-prised of the largest portion of funding, but alsoindicated it has a clear plan of action to modernizeand address cybersecurity concerns throughout itsforce structure. Other major federal agencies, suchas the Treasury and Veterans Affairs departments,had general plans to modernize their IT invest-ments but no timeline in which to do it (UnitedStates Government Accountability Office, 2016).

Modernizing outdated, legacy systems is, argu-ably, the most important investment an agency canmake to reduce their cyber-attack surface. The SocialSecurity Administration and the Department ofVeterans Affairs reported they run several criticalsubsystems on the COBOL programming language,with plans to modernize but not without beingforced to overcome cost and schedule challengesdue to the complexity of the software (UnitedStates Government Accountability Office, 2016,p. 3). The Treasury Department stores taxpayerrecords on assembly language code on an outdatedIBM mainframe, while the DoD retains NuclearCommand and Control information on IBM Seriesone computers using 8-inch floppy disks (UnitedStates Government Accountability Office, 2016). Insome cases, using aggressively outdated systems can

be a security benefit, as modern malicious code isunlikely to affect them, but legacy systems are costlyto maintain and likely enjoy no continuous vendorsupport for security or operability patching, nor areany replacement hardware components available.Additionally, the talent necessary to maintain thesesystems is either fading or non-existent.

The 2016 U.S. GAO report identified a declineof $7.3 billion in federal IT spending since 2010,and many agencies “did not consistently performrequired analysis of at-risk investments” (UnitedStates Government Accountability Office, 2016,p. 2). OMB, the federal budget office, maintains ascorecard of both IT modernization efforts across26 different federal agencies as well as their cyber-security spending plans. GAO’s historical findingsin its 2016 report are evident of the reason whymany agencies are hesitant to request an increasein IT and cybersecurity spending:

“…federal IT investments have too frequently failed orincurred cost overruns and schedule slippages whilecontributing little to mission-related outcomes. Thefederal government has spent billions of dollars onfailed and poorly performing IT investments whichoften suffered ineffective management, such as projectplanning, requirements definition, and program over-sight and governance.” (United States GovernmentAccountability Office, 2016, p. 7).

For an increase in federal IT and cybersecurityspending to be effective, agencies must firstimprove their acquisition and project managementprocesses, and must clearly define a set of require-ments for those procured systems. Many commer-cial-off-the-shelf (COTS) solutions will fit federalneeds, as evidenced by DoD’s rapid procurementand modernization of intelligence systems, as wellas research-and-development (R&D) efforts, thatleverage major defense contractors to support mis-sion requirements with COTS hardware andsoftware.

The President’s Budget (PRESBUD, or PB) for2017 underwent several major revisions becauseof the change of administration from PresidentObama to President Trump. The first draft byPresident Obama in early 2016 requestedCongress appropriate over $89 billion to federalagencies in support of IT requirements, “withover 70% reportedly for operating and maintainexisting IT systems” (United States Government

INFORMATION SECURITY JOURNAL: A GLOBAL PERSPECTIVE 3

Dow

nloa

ded

by [

Nav

al S

urfa

ce W

arfa

re C

ente

r D

ahlg

ren]

at 0

5:16

02

Nov

embe

r 20

17

Accountability Office, 2016, p. 4). The recentrevision submitted to Congress by PresidentTrump requests a $228 million fund, operatedby the General Services Administration, for ITmodernization across federal agencies as “a long-term, self-sustaining mechanism for federal agen-cies to regularly refresh outdated networks andsystems with the newest technologies and securitycapabilities” (Mazmanian, 2017, para 3). Withoutrevisions to requirements planning, acquisition,and program management, these funds will likelybe squandered or unused, and even with federalIT acquisition reform the funding is insufficientin a single fiscal year to replace an infrastructurethat required $12.4 billion ($11.3 billion if DoD isnot counted) to maintain in fiscal year 2015; theDepartment of Health and Human Services(HHS) requires 4.3 billion alone for Medicareand Medicaid Services’ information systems(United States Government AccountabilityOffice, 2016, p. 11).

Increase cybersecurity spending in fiscal budgets

The 2016 CNAP called for an investment of “over$19 billion for cybersecurity as part of thePresident’s fiscal year 2017 budget” and represents“a more than 35% increase from fiscal year 2016”(Office of the Press Secretary, 2016, p. 3). Forfiscal year 2014, a 2015 GAO study reported thattwenty-four federal agencies spent $12.7 billion oncybersecurity, an increase of 23% from fiscal year2013 (United States Government AccountabilityOffice, 2015, p. 46). Previous years report similardollar amounts, representing a steady increase incybersecurity spending across all federal agencies.2013 saw a sharp decrease of $4 billion in federalfunding, likely re-invested in other federal priori-ties as determined by President Obama. Thetopline across the 2010–2014 fiscal years was in2012 with $14.6 billion spent. DoD spent the mostfrom these appropriations in fiscal year 2014,about 70% of the total ($9 billion out of$12.6 billion) (United States GovernmentAccountability Office, 2015, p. 54).

Federal agencies reported using those funds toprevent malicious cyber activity, detect, analyze,and mitigate intrusions, and “shape the cyberse-curity environment” (largely led by DoD). (United

States Government Accountability Office, 2015,p. 53). Overall, the 2015 GAO report found thatmost federal agencies required extensive improve-ments in access control, boundary protection, userauthentication, data encryption, auditing, and con-tinuous monitoring (United States GovernmentAccountability Office, 2015, p. 23). Some of thoseimprovements surely involve monetary invest-ments, particularly in modernizing legacy systemsthat are incapable of running modern cybersecur-ity controls, but many other improvements can bemade with smart policies and more tightly-controlled configuration management techniques.

Mostly likely, what President Obama’s proposed$19 billion investment would be used for is more“shaping the cybersecurity environment,” which isled by DoD in proactively countering adversarialactions in cyberspace before they become threats tohomeland systems. U.S. Cyber Command willdeclare its Cyber Mission Force (CMF) fully missioncapable in fiscal year 2018, with 122 teams of uni-formed offensive and defensive cyber professionalson national or defense-specific missions of interest.Increasing the budget towards these goals gets rightto the heart of the responsibilities of the Presidentand the federal government to provide for thenational defense. Coupled withmodernizing the fed-eral IT and critical infrastructure, President Obamaoutlined both the passive and active defensiveimprovements to the nation’s cybersecurity that isnecessary in today’s high threat environment.

Increase the federal cybersecurity workforce

The federal government had enacted several initia-tives aimed at improving the effectiveness of the fed-eral cybersecurity workforce. As noted by the GAO in2015, the National Initiative for CybersecurityEducation (NICE) has several components aimed atbetter defining critical skills and competencies, and to“ensure federal agencies can attract, recruit, and retainskilled employees to accomplish cybersecurity mis-sions” (United States Government AccountabilityOffice, 2015, p. 27). However, despite “several execu-tive branch initiatives” and federal laws aimed atimproving the federal cybersecurity workforce since2011, the government continues to be challenged inidentifying skill gaps, recruiting and retaining quali-fied staff, and refining the federal hiring process to

4 T. D. HOWARD AND J. D. ARIMATÉIA DA CRUZ

Dow

nloa

ded

by [

Nav

al S

urfa

ce W

arfa

re C

ente

r D

ahlg

ren]

at 0

5:16

02

Nov

embe

r 20

17

attract qualified talent (United States GovernmentAccountability Office,2017a2017b). The 2017 GAOreport noted several ongoing activities that have thepotential to assist in making the workforce moreeffective: promotion science, technology, engineeringand mathematics (STEM) education, providing scho-larships in exchange for commitment for federal ser-vice, and federal programs such as the NationalInitiative for Cybersecurity Careers and Studies spon-sored by the Department of Homeland Security(United States Government Accountability Office,2017b).

Additionally, the U.S. government must be carefulin training and retaining cybersecurity talent in itsworkforce, with much of that workforce containedwithin the Department of Defense. U.S. Air ForceAcademy Professor Martin Carlisle, in a GovTecharticle covering a 2015 training conference thatbrought government and industry white-hat hackerstogether, noted that there are two fallacies with gov-ernment and military training regimens in the cyberdomain: (1) training offensive skills is too risky, and(2) the government needs cybersecurity mangersmore than the technical experts (Naegele, 2016).Much of the federal and military workforce has beenfocused on cyber defense and compliance which, asAries Security CEO Brian Markus noted, is akin to“going up against a 300-pound fighter with one handbehind our back” (Naegele, 2016, p. 1). TheU.S. military is rapidly changing the way they defendU.S. interests in cyberspace with its Cyber MissionForce, however much remains to be done across thefederal enterprise to retain the best talent. TheU.S. should train its uniformed cyberspace operatorsin a similar manner to special operations forces: withfocused, highly specialized training, steeped in bothoffensive and defensive tactics, techniques, and pro-cedures, and that workforce should remain billeted tocyber operations jobs throughout themajority of theircareers to maximize the training and manpowerinvestments made.

Improve upon a national cybersecurityawareness campaign

The U.S. maintains the “Stop. Think. Connect.”awareness campaign, executed by DHS, as part ofthe NICE initiative; the campaign aims to increaseawareness of security and privacy measures, and

challenges the public to practice “good cyberhygiene” such as recognizing phishing emails andmalicious hyperlinks (National Institute of Scienceand Technology, 2015). The U.S.’s awareness cam-paign was put in place after the June 2009 WhiteHouse Cyberspace Policy Review, and few statis-tics are available to the public that extort its effec-tiveness. A 2015 report from the Pew ResearchCenter, gathering data via survey, found that“while some Americans have taken modest stepsto stem the tide of data collection, few haveadopted advanced privacy-enhancing measures,”however “the majority of Americans believe it isimportant… that they be able to maintain privacyand confidentiality in commonplace activities oftheir lives” (Madden & Rainie, 2015, pp. 3–4). Inshort, awareness of security and privacy issues isprevalent but lacks practical application through-out the U.S. citizenry.

Professors Maria Bada and Angela Sasse of theU.K. presented their conclusions on why cyberse-curity awareness campaigns are difficult in bothpublic and private settings in a report for theGlobal Cyber Security Capacity Centre in 2014.They noted that successful influences in behavioroccur not as a result of informing what one“should or should not” do, but rather throughchanging “attitudes and intentions” (Bada &Sasse, 2014, p. 7). They concluded that awarenesscampaigns can be improved when (1) profession-ally prepared and organized, (2) risks are notexaggerated, (3) the campaign goes beyond mere“awareness” to teach real risk reduction techniquesand security systems, (4) it is kept simple andconsistent with social norms, and (5) trainingand feedback is included to sustain the changeperiod (Bada & Sasse, 2014, pp. 33–34).

Much of the U.S.’ public awareness efforts to dateare voluntary approaches to public engagement, anddon’t include reaching children in classrooms.Additionally, the effectiveness of U.S. efforts is under-mined by complex security controls that require userset-up and management that only the most security-conscious individuals would spend time on. Toincrease the effectiveness of a U.S. national cyberse-curity awareness campaign, it should be taught at thelevel and age when computer use is first learned, andit should be reinforced with learning practical securityconcepts, such as how to use two-factor

INFORMATION SECURITY JOURNAL: A GLOBAL PERSPECTIVE 5

Dow

nloa

ded

by [

Nav

al S

urfa

ce W

arfa

re C

ente

r D

ahlg

ren]

at 0

5:16

02

Nov

embe

r 20

17

authentication for everyday applications such asGoogle Mail (Gmail). Many grade schools in theUnited States already teach computer skills as part oftheir curriculum, and the Department of Educationcould leverage federal funding to ensure the curricu-lum could be improved in this manner.

Critiques on president obama’s cybersecurityapproach

These efforts not withstanding, critics of PresidentObama’s cybersecurity policy approach state thatmany of these efforts were failing in large partbecause the President refused to transform wordsinto action. One critic noted that these policyactions “provide the White House with politicalcover and make it appear as though the adminis-tration has adopted tough cyber defense policies,”and that the Obama Administration’s “generallypacifistic approach” did not do enough to enforcethe policies it sets (Kaplan, 2016). Indeed, one canfind such criticism abundant when discussingObama’s foreign policy approach, which leansheavily on incentivizing, collaboration, and part-nerships, rather than heavier-handed options.

The Obama Administration has made a greatstrides in national cybersecurity policy by forgingpublic-private and international partnerships, voi-cing sound action plans backed by industryexperts, and advocating for budgetary adjustmentsthat will modernize the federal and critical infra-structures of the United States. Critics claim thatthe administration’s approach is largely passivewith no real “teeth” or enforceable actions.Nevertheless, the 2016 Cybersecurity NationalAction Plan and the Commission of EnhancingNational Cybersecurity both offer recommenda-tions and ways forward for the administration ofthe 45th Presidency to build upon the effortsalready underway. One thing is clear: there is stilla lot to do.

Challenges and potential for improvement inthe trump administration

Many of the challenges the Trump Administrationwill face in crafting and employing cybersecuritypolicy are numerous and varied, rangingfrom nation-states that will challenge the

U.S. cybersecurity hegemony to U.S. to home-grown hacking groups (malicious, recreational,and activists) within U.S. borders. Attribution ofcyber-attacks has proven difficult at best, withcurrent policy relying on national borders whencyberspace is inherently borderless. Mediaaccounts of cyber-attacks range from simple factreporting to misunderstood, sensationalized stor-ies, forcing the public to make up its own mind onwhat is important. The recent re-discovery of “fakenews” only makes fact-finding more elusive anduntrustworthy, and partisan media reporting canmistake facts for opinions. Indeed, the challengesfacing the Trump Administration in setting smart,clear cybersecurity policy are multifaced anddaunting.

In a 2011 article in the Public AdministrationReview, R. J. Harknett and J.A. Stever, researchersfrom the University of Cincinnati, articulatedmany of these challenges; that the piece was writ-ten over five years ago speaks to the enduringnature of these problems. As the article states,cybersecurity “does not fit conventional or tradi-tional security categories based on individualsecurity responsibilities, economic or corporatesecurity issues, military security problems, as wellas domestic versus international problems.” Giventhat the Republic party platform is largely aboutde-regulation and shrinking of federal influence,while simultaneously championing nationaldefense and military spending, this would seemto conflict with the multi-disciplinary approachthe previous challenge statement would seem torequire (Harknett & Stever, 2011).

President Obama did much to further thecybersecurity effort, especially in developing acoherent national plan, but many critics stated itfell short of enforceability. One key challenge forthe Trump Administration would be to build uponwhat is already established while still following theRepublican Party mandate of reduced regulationand oversight. Harknett and Stever were critical ofthe Obama administration for not providing stra-tegic direction, a shortcoming he appeared to cor-rect (at least in part) with the February 2016Cybersecurity National Action Plan and theDecember 2016 findings of the Commission onEnhancing National Cybersecurity; both docu-ments seek to provide a plan and strategic

6 T. D. HOWARD AND J. D. ARIMATÉIA DA CRUZ

Dow

nloa

ded

by [

Nav

al S

urfa

ce W

arfa

re C

ente

r D

ahlg

ren]

at 0

5:16

02

Nov

embe

r 20

17

direction for the next administration and the fed-eral government in general. The challenge here ispolitical; both documents were created by anopposing political party and could be discardedby the political climate’s penchant for cancellingthe previous administration’s efforts. It is here thatPresident Trump’s advisors must look for policyimprovement through iterative changes in policy,rather than a “repeal and replace” approach thatsome experts fear might happen.

Between the two capstone documents at the endof the Obama Administration, the 2016 CNAP andthe recent report from the bipartisan cybersecurityCommission, one can extrapolate several potentialimprovement areas for the Trump administrationto anchor on that will make iterative policychanges while simultaneously keeping to theRepublican party’s platform ideals and strengths.First, the U.S. must continue its leadership andchampioning of cybersecurity issues on the inter-national stage, investing in research and develop-ment while increasing collaboration with its closestallies: Australia, Canada, New Zealand, and theUnited Kingdom. A group of nations collectiveknown as the “Five Eyes” alliance. Several othercountries not within the Five Eyes “club” alsocontinue to be leaders in the cybersecurity arena:a recent World Economic Forum analysis revealedthat Malaysia, Oman, and Norway ranked high onthe Global Cybersecurity Index (GCI) (Santiago,2015). Cybersecurity is a global problem and, as atechnology leader, the U.S. should continue lead-ing this important international partnership. TheTrump administration could continue this effortand enhance it, rather than taking an isolationistview and retreating from the world stage.

Ultimately, the Federal Government is respon-sible for the nation’s defense and security.Politicians are often fond of expressing this factin their support of increasing the military’s budgetor starting new national defense initiatives. Incybersecurity, the government has potentially nogreater responsibility than protecting the 16 feder-ally-designated critical infrastructure sectors fromcyber-attack. President Bush placed emphasis onDHS’ role in critical infrastructure cyber-defense,and President Obama increased the military’s rolethrough the establishment and strengthening ofU.S. Cyber Command. Likewise, President

Obama also charged the Federal Bureau ofInvestigation (FBI) as the lead agency for cyberincident response and investigation. PresidentTrump has the potential to strengthen these linesof effort even further, clarifying cyber missionroles within the federal government for yet-undefined areas of potential influence. Thisrequires careful analysis of potential gaps wherethe federal government could assist industry instrengthening critical infrastructure, addressingweak or missing capabilities, and establishing thefunding in future fiscal year budgetary actions toensure those capabilities are stood up.

The federal government cannot do this in avacuum; public-private partnerships and commis-sions must be strengthened to ensure industryexperts are brought in to help solve the problemalongside public service experts and policy-makers. Education and awareness is one areawhere the public-private partnership strategy hasborne some fruit: The National Initiative forCybersecurity Careers and Studies is a partnershipthat connects “government employees, students,educators, and industry with cybersecurity trainingproviders across the nation” (United StatesGovernment Accountability Office, 2017b, p. 2).Another successful partnership, albeit one stillgrowing in effectiveness, is DHS’ CriticalInfrastructure Partnership Advisory Council(CIPAC), bringing together private and public sta-keholders to plan, coordinate, and exchange infor-mation on cross-sector issues pertaining to criticalinfrastructure protection; a February 2017 GAOreport found that DHS is “well positioned” toleverage these partnerships on cross-functionalissues such as access control, but it requires per-sistent federal leadership to bring the stakeholdersto the proper forum and harmonize federally-administered efforts (United States GovernmentAccountability Office, 2017a).

Possibly the most important and effective policyinitiative of the early Obama administration camewithin the Department of Defense (DoD). In 2009,the Secretary of Defense approved the formationof a sub-unified commander for offensive anddefensive cyberspace operations, named U.S.Cyber Command (USCYBERCOM, or USCC).The command, declared “initial operating capabil-ity” (IOC) in 2010, was given an initial budget of

INFORMATION SECURITY JOURNAL: A GLOBAL PERSPECTIVE 7

Dow

nloa

ded

by [

Nav

al S

urfa

ce W

arfa

re C

ente

r D

ahlg

ren]

at 0

5:16

02

Nov

embe

r 20

17

$120 million but grew over the years to over$500 million in 2015. The President’s directionwould put USCC under the command of a 4-starmilitary officer, who also would serve as directorof the National Security Agency (NSA). This con-troversial dual-role would ensure USCYBERCOMand the NSA worked together in this mission, withthe NSA’s intelligence-gathering efforts informingUSCYBERCOM’s military operations (Gould,2015). The recent Office of Management andBudget (OMB) blueprint for the 2018 President’sBudget only strengthens USCYBERCOM’s posi-tion as the DoD’s unified commander for cyber-space, and as of 2017 USCYBERCOM has begunthe initial stages to transition to a full combatantcommand in the coming years, which will allow itto take advantage of even greater resources insupport of its missions (Office of Managementand Budget, 2017).

Finally, there is an opportunity for the PresidentTrump and his Republic party to strengthen cyber-security policy by incentivizing the adoption of theNIST’s Risk Management Framework within criti-cal infrastructure. The Commission report makesthis opportunity clear in its tenth foundationalprinciple:

The right mix of incentives must be provided, with aheavy reliance on market forces and supportivegovernment actions, to enhance cybersecurity.Incentives should always be preferred over regula-tion, which should be considered only when therisks to public safety and security are material andthe market cannot adequately mitigate these risks(Commission on Enhancing National Cybersecurity,2016, p. 5)

This would appear to be aligned with PresidentTrump’s 100-day plan, by favoring incentives overbrute-force regulatory action. This also speaks toPresident Trump’s acumen as a business leader and“deal maker,” and opportunities for making head-way in this effort would make many cybersecuritypractitioners see the advantages of the Trumpadministration’s unique practices and viewpoints.OMB’s blueprint document states that thePresident intends to grant “$1.5 billion for DHSactivities that protect Federal networks and criticalinfrastructure from an attack,” and that DHS will, asa result, expand its information sharing capabilitiesfor the benefit of both federal and private sector

partnerships (Office of Management and Budget,2017, p. 24).

Incentivized public-private partnerships in theU.S., in the interests of national security, have beenbeneficial from World War II through the end ofthe Cold War: “citizens were trained by the federalgovernment to watch for enemy aircraft, assist inpreparation of nuclear attacks, and direct air raiddrills in public spaces” (Busch and Givens, 2012).While cybersecurity of critical infrastructure maybe technically different, the concept is largely thesame: it is a model that has proven itself, and cando so again when the proper incentives are therefor private companies to share information withfederal agencies and vice-versa.

As an example of how these incentives could beimproved, Deborah Rodin, a law professor at GeorgeWashington University, noted that increasing infor-mation sharing in a public-private partnership was“vital to better understanding cyber-risks andimproving cybersecurity” (Rodin, 2015, p. 6).Private firm criticisms, particularly in how federalagencies use shared information about past inci-dents, must be addressed. To strengthen this impor-tant incentive even further, Professor Rodinconcluded that amended legislation is needed topersuade contractors that “the government will nothold prior incidents against them in future procure-ment decisions” (Rodin, 2015, p. 12). PresidentTrump could leverage his executive power and part-nerships within the legislative branch to put such anamendment to the Federal Acquisition Regulationon the table for Congress as part of his effort toreform federal IT acquisition practices, as noted byOMB’s budget blueprint (Office of Management andBudget, 2017). This amendment has the potential tostrengthen the incentives for IT contractors provid-ing services and security to U.S. critical infrastruc-ture to share information with federal agencies in theinterest of national cybersecurity.

Recommendations

Cybersecurity threats to the U.S. and her allies arereal, and the challenges are multifaceted and numer-ous. Previous U.S. Presidential Administrations havebuilt upon their predecessors: President Clintonsigned Executive Order 13011 in 1996 which laidthe groundwork for today’s OMB oversight of

8 T. D. HOWARD AND J. D. ARIMATÉIA DA CRUZ

Dow

nloa

ded

by [

Nav

al S

urfa

ce W

arfa

re C

ente

r D

ahlg

ren]

at 0

5:16

02

Nov

embe

r 20

17

federal cybersecurity efforts through theE-Government Act of 2002, and President Bushmade sweeping changes to federal agency organiza-tion with the establishment of the Department ofHomeland Security and the implementation of themarginally-effective 2003 National Strategy forSecurity in Cyberspace (NSSC) which set the stagefor many critical infrastructure protection policiesthat President Obama reinforced in severalExecutive Orders. To maintain this iterative conti-nuity between administrations, the authors make thefollowing recommendations for actions along threelines of effort: deepen the federal cybersecuritybench, accept recent bipartisan recommendations,and continue the global discussion.

The appointment of Rudi Giuliani as cyberse-curity advisor to the President has its merits; he isa leader with public policy experience, the reputa-tion for tackling tough problems in tough situa-tions and a strong background in law that isimportant to the cybersecurity discussion.However, he lacks technical expertise and he him-self must likewise be advised by technical experts.The President needs to “deepen the bench” ofadvisors by including cybersecurity practitionersand industry leaders with strong reputations. Theexpertise must be bipartisan, and this cannot bestressed enough; cybersecurity policy challengestranscend partisan politics, and bias cannot factorinto the strategic discussion or the effort will notbe sustainable in the long-term. After only fourmonths on the job, Brigadier General GregoryTouhill, U.S. Air Force (retired), stepped down asthe Federal Chief Information Security Officer.The Federal CISO appointment was a key recom-mendation of President Obama’s capstone policyrecommendations, and, as of June 2017, PresidentTrump has yet to name a successor, leaving aleadership and advisory vacuum within OMBthat was meant to oversee cybersecurity policiesand practices.

The Federal CISO role must be filled, and thesuccessor chosen must have technical and policycredentials to be well respected in industry circles,which is necessary to create and maintain criticalpublic-private partnerships. Additionally, the federalhiring freeze has left many cybersecurity jobs vacantacross the federal enterprise. While the hiring freezewas recently lifted, President Trump must accelerate

the hiring of key politically-appointed senior officialsto top CIO and CISO positions, and continue theprevious administration’s strategic focus on “dee-pening the bench” of the federal cybersecurity work-force through improved hiring practices andeducation initiatives.

Second, President Trump’s Administrationneeds to continue and expand President Obama’s2016 CNAP, addressing shortfalls and assistingindustry in bootstrapping their own cybersecurityefforts through incentives without regulation. Thebipartisan Commission on Enhancing NationalCybersecurity’s report should be accepted as ger-mane by the incoming administration, and its 16recommendations and 53 related actions should beexamined for fiscal and policy feasibility as part ofthe Administration’s formal cybersecurity policyreview. It is here that President Obama presentedthe incoming administration with a tremendousjump-start on this problem; regardless of the pol-itics involved, the recommendations must be ana-lyzed with careful consideration. The OMB budgetblueprint document gives us indications thatPresident Trump wishes to continue many of the2016 CNAP strategic efforts, such as strengtheningpublic-private partnerships, and modernize agingIT infrastructure. However, as noted previously,the federal hiring freeze hampered efforts tostrengthen the federal cybersecurity workforce,and the President nor his administration officialsappear to be prioritizing other portions of theplan, such as cybersecurity education and publicawareness campaigns. There are real ways toimprove those initiatives that will have long-termbenefits for the next generation of Americans.

Finally, the U.S. must continue to work with pri-vate sector and coalition partners to strengthen cyberwar and mutual defense ties for cyber operations,and continue to define the battlespace that is cyberon an international scale. In this, USCYBERCOM’smilitary engagements are key, and efforts to elevateUSCYBERCOM to full combatant command mustcontinue. Cybersecurity is not an issue in which wecan be isolationists; it is a global problem thatrequires international partnerships. It is in thisaspect of cybersecurity policy that one can turn tothe masters of warfare for help in reasoning a courseof action, and Sun Tzu has said “configuration ofterrain is an aid… analyzing the enemy, taking

INFORMATION SECURITY JOURNAL: A GLOBAL PERSPECTIVE 9

Dow

nloa

ded

by [

Nav

al S

urfa

ce W

arfa

re C

ente

r D

ahlg

ren]

at 0

5:16

02

Nov

embe

r 20

17

control of victory, estimating ravines and defiles…one who knows these and employs them in combatwill certainly be victorious.” (Tzu & Sawyer, 1984).Once again, cyberspace’s borderless characteristicsillustrate how one cannot understand the full scopeof the battlespace without help from the interna-tional community. Without strong internationaleffort, attribution becomes nearly impossible.

Similarly, with private sector firms controllingthe cybersecurity posture of over 85% of theU.S. critical infrastructure, finding ways to incen-tivize public-private information sharing and inci-dent response is of critical importance to protectthe homeland. The Department of HomelandSecurity and the FBI are the two leading federalagencies in cybersecurity public-private partner-ships in critical infrastructure protection, informa-tion sharing, and incident response; PresidentTrump should leverage his “deal making” personaand executive power to the benefit of such part-nerships by addressing private firm economic andpolicy-related criticisms; as Rodin (2015) noted,there are ways to strengthen incentives throughlegislation, and the OMB budget blueprint indi-cates that the federal government is willing tospend federal dollars on real cybersecurityimprovement that could be used to further incen-tivize corporate cooperation with economic bene-fits and federal contracts.

Conclusion

The article presented a review and analysis of cyber-security policy and strategic initiatives by the ObamaAdministration, and an argument for continuity andimprovement of initiatives already in motionthrough the Trump Administration that will allowfor growth of critical cybersecurity strategies that willimprove critical infrastructure protection, moder-nize and defend the U.S. federal IT enterprise, andsecure U.S. and allied investments in cyberspace. It isimportant to note that the Obama Administrationalso did not work in a vacuum when shifting from aRepublican to Democratic administration. PresidentObama built upon the Comprehensive NationalCybersecurity Initiative (CNCI) developed by theBush Administration in January 2008, just asPresident Obama signed capstone strategic docu-ments in 2016 that President Trump can build upon.

President Trump assumed the mantle as the 45thPresident of the United States on January 20th, 2017.It was a day of reflection on the eight years of theObama Administration, the progress and the pitfalls,and through all the political rhetoric and public con-cern it can be hard to see a lighted ship through theheavy sea swells of the unknown. Yet there are clearopportunities for cybersecurity policy improvementin the next four years of the Trump Administration.If the recommendations made by the authors donothing else, we hope to serve as hope for cyberse-curity professionals, business leaders, and public offi-cials alike that the Trump Administration could takecybersecurity actions that will make a positive andlasting impact to the nation’s cybersecurity posturefor the benefit of not only the U.S. but also our globalinterests and partners in the brave new world of acyberspace without frontiers.

Disclaimer

The views expressed here are solely those of the authors, anddo not necessarily reflect those of the Department of theNavy, Department of the Army, Department of Defense orthe United States Government.

Declaration of interest

The authors report no conflicts of interest. The authors aloneare responsible for the content and writing of the article.

Notes on contributors

Travis Duane Howard is an information systems and cyberse-curity practitioner with over 17 years of experience as a U.S.Naval Officer. He holds graduate degrees in BusinessAdministration and Cybersecurity Policy from the Universityof Maryland University College, and is a Certified InformationSystems Security Professional. He can be reached via email attravis.howard1981@gmail.com or on LinkedIn at

Dr. José de Arimatéia da Cruz is Professor of InternationalRelations and Comparative Politics at Armstrong StateUniversity, Savannah, Georgia and Adjunct Research Professorat the U.S. Army War College, Carlisle, Pennsylvania. He can bereached via email at jose.dacruz@armstrong.edu.

References

Bada, M., & Sasse, A. (2014, July). Cyber security awarenesscampaigns: Why do they fail to change behavior? GlobalCyber Security Capacity Centre: University of Oxford.

10 T. D. HOWARD AND J. D. ARIMATÉIA DA CRUZ

Dow

nloa

ded

by [

Nav

al S

urfa

ce W

arfa

re C

ente

r D

ahlg

ren]

at 0

5:16

02

Nov

embe

r 20

17

Retrieved from http://discovery.ucl.ac.uk/1468954/1/Awareness%20CampaignsDraftWorkingPaper.pdf

Busch, N. (2012, October). Public-private partnerships in home-land security: Opportunities and challenges. HomelandSecurity Affairs, 8(18). Retrieved from http://calhoun.nps.edu/bitstream/handle/10945/25017/143.pdf?sequence=1

Busch, N. E., and Givens, A. D. (2012, October). Public-PrivatePartnerships in Homeland Security: Opportunities andChallenges. Naval Postgraduate School: Dudley Knox Library.Retrieved from https://calhoun.nps.edu/handle/10945/25017

Clausewitz, C., Howard, M., & Paret, P. (1984). On war.Princeton, NJ: Princeton University Press.

Clapper, J. (2015). Worldwide Threat Assessment of the USIntelligence Community. United States: Washington DC.Retrieved from https://www.dni.gov/files/documents/Unclassified_2015_ATA_SFR_-_SASC_FINAL.pdf

Commission on Enhancing National Cybersecurity. (2016).Report on securing and growing the digital economy. UnitedStates, Washington, DC. Retrieved from https://www.whitehouse.gov/sites/default/files/docs/cybersecurity_report.pdf

Gould, J. (2015, Nov 3). Constructing a Cyber Superpower.The Business Monthly. Retrieved from https://www.bizmonthly.com/constructing-a-cyber-superpower/

Harknett, R. J., & Stever, J. A. (2011). The new policy world ofcybersecurity. Public Administration Review, 71(3),455–460. doi:10.1111/j.1540-6210.2011.02366.x

Kaplan, F. (2016, February). Repairing America’s cybersecurity:President Obama’s cybersecurity plan is ambitious but flawed.Slate.com. Retrieved Jun 7, 2016, from http://www.slate.com/articles/technology/future_tense/2016/02/president_obama_s_cybersecurity_plan_is_ambitious_but_flawed.html

Madden, M., & Rainie, L. (2015, May). Americans’ atti-tudes about privacy, security and surveillance [Report].Pew Research Center: Internet & Technology. Retrievedfrom http://www.pewinternet.org/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/

Mazmanian, A. (2017, May 23). Trump budget pushes ITmodernization. FCW: Business of Federal Technology.Retrieved from https://fcw.com/articles/2017/05/23/trump-budget-it-modernization.aspx

Naegele, T. (2016, Jan 19). Hackers to Pentagon: You’re DoingCyber Wrong. Nextgov.com. Retrieved Feb 10, 2016, fromhttp://www.nextgov.com/nextgov-sponsored/2016/01/hackers-pentagon-youre-doing-cyber-wrong/125206/

National Institute of Science and Technology. (2015, July).NICE: National Initiative for Cybersecurity Education.Retrieved from http://csrc.nist.gov/nice/

Office of Management and Budget. (2017). America first:A budget blueprint to make America great again[Report]. Washington, DC: Executive Office of thePresident of the United States.

Office of the President of the United States. (2009). Cyber spacepolicy review: Assuring a Trusted and Resilient Informationand Communications Infrastructure. United StatesWashington, DC. Retrieved from http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf

Office of the Press Secretary. (2016). FACT SHEET:Cybersecurity national action plan. Retrieved from https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan

Rodin, D. N. (2015). The cybersecurity partnership: A proposalfor cyber-threat information sharing between contractorsand the federal government. Public Contract Law Journal,44(3), 505–528.

Santiago, J. (2015). Top countries best prepared against cyber-attacks. World Economic Forum. CH-1223 Cologny/Geneva, Switzerland. Retrieved from https://www.weforum.org/agenda/2015/07/top-countries-best-prepared-against-cyberattacks/

Tzu, S., & Sawyer, R. (1984). Art of war. Boulder, Colorado:Westview Press.

United States Government Accountability Office. (2015,September). Federal information security: Agencies need tocorrect weaknesses and fully implement security programs(GAO-16-696T). United States, Washington, DC.

United States Government Accountability Office. (2016,May). Information technology: Federal agencies need toaddress aging legacy systems (GAO-15-714). United States,Washington, DC.

United States Government Accountability Office. (2017a,February). Critical infrastructure protection: Additionalactions by DHS could help identify opportunities toharmonize access control efforts (GAO-17-182). UnitedStates, Washington, DC.

United States Government Accountability Office. (2017b, April).Cybersecurity: Federal efforts are under way that may addressworkforce challenges (GAO-17-533T). United States,Washington, DC.

INFORMATION SECURITY JOURNAL: A GLOBAL PERSPECTIVE 11

Dow

nloa

ded

by [

Nav

al S

urfa

ce W

arfa

re C

ente

r D

ahlg

ren]

at 0

5:16

02

Nov

embe

r 20

17