America got a taste of its cyber vulnerabilities during the 2016 presidential election, when Russian hackers stole Democratic leaders' emails.
President Barack Obama has since directed the intelligence community to investigate "malicious cyber activity" connected to elections going back to 2008.
Ahead of his first term, Obama promised to develop a cybersecurity strategy for the country. Eight years later, he has made significant gains, though there's room to grow.
"He has a national strategy for cyberspace, and an action plan, so all in all, I think he has tried to deliver," said Heather Roff, a researcher at the University of Oxford and Arizona State University.
The administration defines its cyber strategy as: "1) Raising the level of cybersecurity defenses in the public and private sectors; 2) Deterring and disrupting malicious cyber activity aimed at the United States or its allies; and 3) Effectively responding to and recovering from cybersecurity incidents when they occur."
National Security Council spokesman Mark Stroh sent PolitiFact a list of 18 executive orders, administrative policies and laws that he said address these three strategic goals.
This list includes, for example:
- Reaching agreements with China and other nations to discourage intellectual property and business secret theft;
- Establishing the Cyber Threat Intelligence Integration Center, which coordinates cybersecurity strategy across the intelligence community;
- Codifying the federal government's plan for responding to significant cyber incidents;
- Signing the National Cybersecurity Protection Act of 2014, which promotes information sharing between the private and public sectors;
- And issuing an executive order intended to make financial transactions more secure.
Most recently, in February 2016, Obama directed his administration to implement a Cybersecurity National Action Plan. The plan establishes a Commission on Enhancing National Cybersecurity, calls for working with Internet companies to protect Americans' identities, and proposes over $22 billion in spending on cybersecurity measures.
The White House called the plan "the capstone of more than seven years of effort" to ensure Americans can have confidence in their digital security. Since that announcement, the White House has appointed members to the commission and hired the country's first chief information security officer.
"The Obama administration has taken more steps than any previous administration at attempting to comprehensively address cybersecurity," said Susan Hennessey, managing editor of the Lawfare blog and former lawyer for the National Security Agency.
But she said a gap remains between identifying solutions and putting them into action, such as convincing consumers to have better passwords or encouraging companies to invest in cybersecurity before a data breach happens.
Congress hasn't passed fully comprehensive cybersecurity laws, so Obama has had to work mostly through the executive branch, Roff said.
And the private sector is still reluctant to fully coordinate with the government, said Jamie Winterton, director of strategy for Arizona State University's Global Security Initiative. She specifically noted the dispute between the FBI and Apple over unlocking an iPhone belonging to one of the San Bernardino shooters.
Winterton said she'd like to see the government foster better relations with private companies, develop more metrics for measuring progress, and have a more public conversation about balancing privacy and security.
Over the course of Obama's presidency, she's noticed more emphasis on how to protect critical infrastructure, a better ability to detect cyber attacks, and more progress on figuring out who needs to be involved in these conversations.
But it's a complex problem to fully solve, involving social, technological and legal elements.
"We've signed up for a marathon, bought some nice training shoes and done a good three-mile warm up run, but we've got a long way to go," Winterton said.
Obama pledged to develop a cybersecurity strategy. Although this hasn't blocked cyber attacks on the country — as evidenced by Russian hackers meddling in the election — and there remains room to improve, he has moved the country many steps forward in this arena. We rate this Promise Kept.