Jeb Bush on Monday announced his strategy for improving U.S. cybersecurity, stepping more deeply into a policy battle that has so far remained on the sidelines of the 2016 presidential election.
The former Florida governor’s five-point plan paints a broad picture of the his cybersecurity priorities. It does not set many specific goals, such as federal cybersecurity spending targets or industry security benchmarks. Instead, it targets many of the Internet-policy issues that have cropped up during President Barack Obama‘s term and criticizes Obama for insufficiently addressing them.
Among the few specific proposals in the plan is Bush’s endorsement of the Cybersecurity Information Sharing Act, which passed the House but, according to the candidate, “languishes in the Senate due to opposition from Senate Democrats.” CISA would empower the government and the private sector to share information about cyber threats—including customers’ private data—and has been criticized by civil-liberties advocates as a backdoor surveillance program with weak privacy safeguards.
“Everything the policy calls for is an idea that the administration has already implemented.”
Bush’s plan calls on Obama to “lean on” the Senate Democrats who oppose CISA and convince them to refrain from blocking the bill if it were brought to the floor for a vote. In an interview Friday, one of those Democrats, Sen. Ron Wyden (D-Ore.), refused to rule out the possibility of a filibuster if the Senate’s Republican leadership didn’t allow votes on privacy-focused amendments.
“How strange it is that Jeb lumps sharing to the government together with sharing among companies,” said Lee Tien, a senior staff attorney at the Electronic Frontier Foundation. “These are very different, and my understanding is that many companies are much more interested in the latter than the former.”
The plan also highlights the data breach at the U.S. Office of Personnel Management, which exposed more than 22 million federal workers’ private records, and blames it on “the cultural failure of the Obama administration to take these threats seriously.”
Whereas Obama did not immediately fire OPM‘s director, Bush, according to his plan, would prioritize “holding executive branch officials accountable for their failure to prioritize cybersecurity and protect the networks under their care.”
“The people who protect our systems are just as important as the technology itself,” the former governor declares in his proposal.
Tien argued that Bush’s comments about the OPM breach ignored “the reality behind the failure.”
“He easily goes to ‘culture,’ which is the kind of thing people point to when they can’t point to concrete reasons,” he said.
Although it takes shots at Obama-era technology crises like the OPM hack and salts its proposals with conservative axioms (“The government’s power to incentivize and empower must take precedence over its predilection to regulate and constrain”), the plan echoes many of the current administration’s Internet-policy goals.
“It’s a ringing endorsement of the approach the Obama administration has taken,” said Rob Knake, a senior fellow on cyber policy at the Council on Foreign Relations, who served as director of cybersecurity policy at the White House from 2011 to 2015.
Bush says in his plan that he wants the government to “promote best practices for the private sector, including voluntary cybersecurity standards.” He adds: “Just as the government needs to pay more attention to cybersecurity, so too must the private sector.”
“He easily goes to ‘culture,’ which is the kind of thing people point to when they can’t point to concrete reasons.”
The plan praises the “ongoing work” on cybersecurity standards at the National Institutes of Standards and Technology. Knake, who helped draft the executive order that created that program, said, “Hats off for calling out the NIST framework.”
Bush also wants the U.S. to take a more active role in advancing the dialog around international cyber norms. “The President should also prioritize cybersecurity in discussions and agreements with our allies and partners around the world,” the plan says. Bush calls for the U.S. to “work with partners to establish international rules of the road and get them to establish the legal framework necessary to prosecute cybercriminals,” something the government is already doing through the United Nations.
Bush’s plan would also give the FBI “more resources” to combat cybercrime and overhaul the federal contracting process to avoid delays in filling government cybersecurity needs.
“Everything the policy calls for is an idea that the administration has already implemented,” Knake said. “From information sharing [through CISA] to holding federal agency heads accountable to prioritizing the issue with foreign leaders and [contractor] reform, these are all policies developed by the current president.”
But the plan does contain sharp divisions with President Obama’s cybersecurity platform and with his handling of technology scandals.
Bush takes aim at former Secretary of State Hillary Clinton, the leading Democratic presidential candidate, who used a private email server while in office, angering conservatives and worrying security experts. “The President,” Bush’s plan says, “cannot allow cabinet secretaries and senior officials to violate rules and procedures meant to protect classified and national security-related government communications.”
Like many Republicans who are frustrated by cuts to defense spending, Bush says in his plan that he will reverse budget cuts from sequestration and fund the intelligence community and the military at higher levels. He also praises the “quiet intelligence professionals” who have come under harsh scrutiny in the wake of disclosures by former NSA contractor Edward Snowden, saying it is time to “stop demonizing” them and “start giving them the tools they need.”
Bush’s unvarnished support for the national-security apparatus may rile privacy advocates more than anything else in his plan, aside from CISA. Tien derided the proposal, with its effusive praise of the intelligence community, for ignoring expert criticisms of many government programs.
“He spends little time even talking about protection, or about the very current ‘going dark’ campaign by [the] FBI to weaken security by compromising encryption,” Tien said, “or about the NSA’s surreptitious sabotage of secure private systems and its stockpiling of vulnerabilities (which means not fixing them) in existing software and hardware.”
While Obama has repeatedly scolded China for rampant data theft and digital espionage, the U.S. has yet to lay out a clear cyber-deterrence strategy on the order of its Cold War nuclear-deterrence policy. Bush’s plan suggests that the president address that issue more aggressively.
“The people who protect our systems are just as important as the technology itself.”
“Efforts to expose, prosecute, and in some cases retaliate against these actors will raise the cost of conducting such attacks and increase deterrence of future attacks,” the plan says.
In perhaps the sharpest rebuke of Obama’s agenda, Bush calls for the Commerce Department to abandon its planned transfer of key Internet governance oversight to an international group. Among those authorities is management of the Domain Name System (DNS), which routes all Internet traffic by translating URLs (like google.com) into the addresses that bring people to Web servers.
The Obama administration plans to transfer its oversight of the group that manages those tasks, the Internet Corporation for Assigned Names and Numbers (ICANN), to an international multistakeholder system. Bush’s criticism of that plan aligns him with conservatives who worry that an ICANN transition will result in Internet censorship by repressive regimes that gain an outsized voice in the resulting process.
Knake, the former White House cyber official, dismissed Bush’s attack on the ICANN transition, calling it “an important but esoteric issue that few understand.”
Photo via Michael Vadon/Flickr (CC BY SA 2.0)