Cybersecurity AWOL in State of the UnionObama Makes Passing Reference to Information Security
But an administration spokeswoman says the passing reference to cybersecurity in the Jan. 28 address doesn't mean information security isn't an administration priority.
The thrust of the president's address was the economy - an understandable focus. "The role of cybersecurity in improving the economy is not obvious to the average person, so it is not surprising that he would instead focus on issues that are more accessible, such as small businesses supporting the auto industry," says Gene Spafford, executive director of Purdue University's Center for Education and Research in Information Assurance and Security.
James Lewis, the cybersecurity expert at the think tank Center for Strategic and International Studies, says the president all but ignored other important matters regarding developments in Africa, Asia and the Middle East as well as nuclear disarmament. "One mention is better than none, which is what most of the world got," he says.
The president's lone mention of cybersecurity came as an addendum to a section of the speech that dealt with battling terrorists. "Here at home," the president said, "we'll keep strengthening our defenses, and combat new threats like cyber-attacks."
Obama also made a fleeting reference to privacy concerns resulting from the National Security Agency surveillance programs disclosed from top-secret documents leaked by former NSA contractor Edward Snowden.
In addressing the prudent use of drones to target terrorists, the president added, "That's why, working with this Congress, I will reform our surveillance programs - because the vital work of our intelligence community depends on public confidence, here and abroad, that the privacy of ordinary people is not being violated."
Caitlin Hayden, the White House national security spokeswoman, says the dearth of cybersecurity's mentioned in the State of the Union speech doesn't mean information security isn't an administration priority.
"Clearly these issues are a high priority for the administration," Hayden said, in a response to an Information Security Media Group query on why the president hardly mentioned cybersecurity and privacy. "As you note, cybersecurity featured prominently in last year's State of the Union and was mentioned again this year.
"As you and others have been covering, we are continuing to implement the significant cybersecurity initiatives the president announced last year. And on the issues of intelligence reform and privacy, the president gave a major speech on the issue less than two weeks ago, which was widely covered. [That's] also clearly a priority for us."
Indeed, on Jan. 17, Obama delivered a major speech in which he revealed new limits on the way intelligence agencies collect telephone metadata as well a comprehensive review of how government and business are confronting the challenges inherent in big data (see Obama Orders Review on Use of Big Data).
And next month, the administration is expected to unveil its cybersecurity framework aimed at providing the nation's critical infrastructure operators a series of best IT security practices that they can voluntarily adopt (see Cybersecurity Framework: Tests Needed?).
Obama in last year's State of the Union address announced a cybersecurity executive order he had signed that not only charged the National Institute of Standards and Technology with coordinating the development of the cybersecurity framework, but also promoted cyberthreat information sharing between the government and business (see Obama Issues Cybersecurity Executive Order).
In this year's address, Obama called on Congress to invest more on in research hubs to drive innovation and on improving science, technology and math skills. "These pledges sound promising and good for our technology capabilities as well as the support for programs to develop job-ready skills for high-tech manufacturing in the U.S.," says Dwayne Melancon, chief technology officer at Tripwire, a provider of information risk and compliance software. "However, I'm concerned about the ability to create skilled personnel who are ready to engage in the cybersecurity workforce, since the president seemed to refer primarily to manufacturing jobs when he spoke about the reforms."
The paucity of cybersecurity in this year's address brought mixed reaction from cybersecurity experts.
"The president's executive order on cybersecurity ... was a watershed moment in cyber policy development," says Larry Clinton, president of the trade group Internet Security Alliance. "However, the follow through, including virtually ignoring the issue in the State of the Union, is disappointing. ... Mostly we have seen hyper-heated rhetoric and little actual policy development, and tonight we didn't even get the rhetoric."
But Chris Buse, chief information security officer for the state of Minnesota, was more charitable, saying he wasn't disturbed by the brief comment on cybersecurity. "We all need to be careful not to use the number of words in a speech as a barometer to gauge the relative importance of key issues facing our nation," Buse says. "Instead, we should look at the collective federal agency strategies and tactics as our true litmus test to gauge whether issues like cyber are getting the attention that they deserve."
Allan Friedman, visiting scholar at George Washington University's Cybersecurity Policy Research Institute, says the president had nothing to gain politically in mentioning cybersecurity in the State of the Union address. "Cybersecurity may remain an important part of the administration's agenda, but it's not one the president feels he needs to call attention to in his speech," says Friedman, co-author of the just-published book Cybersecurity and Cyberwar: What Everyone Needs to Know (see 5 Trends to Sway Cybersecurity's Future).
"He announced [the cybersecurity initiatives] last year, and the progress has not been tangible enough for a victory lap," Friedman says. "There will be plenty of time to take credit for hard work in the future. The issue is complex enough that serious State of the Union discussion would require a parallel rollout of policy, and there wasn't anything ready this year."