Administration given so-so grade on cybersecurity

Private research firm assigns Obama high marks for commitment to protection but lower scores for speed and follow-through in agency collaboration.

The National Security Cyberspace Institute gave the Obama administration's efforts to enhance cybersecurity a grade somewhere between a B+ and a C- for its first two years, according to its report released Tuesday.

In the report card from the Smithfield, Va.-based cyberspace education, research and analysis company, the administration was graded on 10 criteria laid out in a May 2009 review of Obama's cybersecurity policies, commonly called the Hathaway Report. The report card analyzed only those goals in the Hathaway Report listed as near-term action plans.

The administration earned the lowest grade of D for its appointment of a cybersecurity policy official and its ongoing preparation of an updated national strategy to secure the information and communications infrastructure. A grade of D means the item is still in progress and "implementation was delayed to the point that it suggests a lack of leadership or decisiveness in assigning priorities," the report said.

Howard Schmidt was appointed cybersecurity coordinator in December 2009, but Obama's move was delayed too long by internal squabbles over authority, responsibilities and chain of command, the report said.

NSCI also stressed that no strategy document has been released, despite a statement on the White House website that one is in the works. The White House plan calls for an updated version of the Comprehensive National Cybersecurity Initiative launched by the Bush administration in January 2008. "The time for such a document to be delivered is past due," the NSCI report said.

Obama earned his highest mark of B for designating cybersecurity as a key management priority, for initiating a national awareness and education campaign to promote cybersecurity and for developing an international cybersecurity policy framework, the report said. A grade of B means an item that has been significantly implemented and represents an improvement but still requires some action to achieve fully implemented status.

While NSCI graded 10 areas, it gave the administration credit for other accomplishments, such as influencing nationwide initiatives to enhance cybersecurity, not only within the federal sector but also within the private sector and academia. Yet when Obama spoke about the Hathaway report conducted over 60 days in spring 2009, the report said, it was more talk than action.

"Thus far, it appears the president give a great pep talk before the [cyber] team took the field, but hasn't had much to offer in terms of in-game coaching," the report said. "The degree of effectiveness of our interagency cooperation and collaboration will ultimately determine our ability to deter or respond to cyber incidents and attacks."