Despite a number of new laws and executive orders in the last decade, not much has changed in the government's approach to improving cybersecurity. For example, the president's Cybersecurity National Action Plan has surprisingly few new ideas. Besides creating another commission to study the problem, the president's plan is little more than a list of familiar measures — more information sharing, more hiring and more spending on programs that produce little evidence of any real security value.
The most impactful changes in cybersecurity have been forced on the private sector by regulatory agencies. While necessary, the government's use of regulatory authorities has been duplicative, uncoordinated and highly inefficient. As such, the security value of compliance spending for most companies is questionable.
Specifically, the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act each impose requirements. The Securities and Exchange Commission and many other agencies have also rolled out standards. Since most large enterprises fall under more than one regulatory agency, the present regime creates almost unmanageable compliance requirements.
For many cybersecurity professionals, the focus on compliance actually detracts from efforts to implement effective cybersecurity measures. For small and mid-size businesses, the burden can be overwhelming.
The government needs to do much more to consolidate and streamline cyber regulatory requirements and standards so that companies can focus on tools and processes that work, rather than audits and reports that are mostly duplicative and provide little protection.
The best improvements in the government's response to the cybersecurity challenge have been implemented by the military. The consolidation of the cyber forces for each branch (Army, Navy, Air Force and Marines) into a single cyber command goes a long way toward integrating and synchronizing U.S. cyber power. In addition, the Defense Department has ramped up training to produce thousands of top-tier cyber warriors. This may be the one real solution to the enormous demand for skilled cybersecurity professionals in civilian government agencies and the private sector.
Overall, I would give the Obama Administration a D-minus on cybersecurity.
Over the last seven years, the government's cybersecurity shortcomings — made evident by the catastrophic breach of the Office of Personnel Management and the penetration of White House and State Department unclassified systems — were far worse than anything in the private sector. Instead of bold, proactive measures, the government took a reactive approach.
By not shifting significant resources and aligning agency responsibilities, Congress shares much of the blame for the government's mediocre response to this significant security challenge.
It's hard for the administration to coax and cajole the private sector into making the necessary investments in cybersecurity when the government itself can't seem to get it right.
Leo Taddeo is the chief security officer for Cryptzone, a provider of dynamic, context-aware network, application and content security solutions. Taddeo is a former special agent in charge of the Special Operations/Cyber Division of the FBI's New York Office. Prior to Cryptzone, Taddeo led more than 400 agents and professional support staff in cyber investigations, surveillance operations, information technology support and crisis management for the FBI. He oversaw high-profile cases, including Silk Road, Blackshades and JPMorgan.