Rating US Presidents on Cyber Security

What would be the result, I wondered, of comparing and assessing our Presidents on their relative performance in cyber security? I’d personally worked with the last three Presidential Administrations, so I figured I had reasonably good insight from a largely unbiased perspective. And now, with President Trump’s recent flurry of activity, I felt that it was time to introduce a set of criteria along with an out-of-the-gate ratings assessment.

Without getting too much into the sausage making, I will say that I reviewed previous Presidential assessments ranging from Arthur Schlesinger’s famous Life Magazine articles in 1948 and 1962, to C-SPAN’s recent criteria, which gave the top slots to Abe, George, and FDR. What I found in my research was that breaking down the comparison process into discrete component categories was definitely the way to go. It reminded me of the Orange Book.

The Assessment Criteria

After much consideration, I settled on the following six categories of Presidential performance in cyber security: Coherence of Cyber Security Mission, Selection of Cyber Security Advisors, Cooperation Between Government and Industry, Protection of Government Assets, Presidential Directives in Cyber, and Response to Security Incidents. I decided to let the Privacy Community deal with Presidents using their own criteria.

The Coherence of Cyber Security Mission category involves the broad, overarching objective of a given President’s cyber security activities. Of the last three Presidents, Clinton was best of the bunch with his broad goal of defining and improving critical infrastructure (Grade: B). Bush clumsily tried to build a base for metadata-based analytics (Grade: C), whereas Obama spun his wheels on industry threat information sharing initiatives (Grade: C). None of these grades are anything to write home about.

The Selection of Cyber Security Advisors category is self-explanatory. Clinton wins again in my book with his reliance on an experienced senior official, Richard Clarke, who had major political chops and influence (Grade: A). Obama comes in second with his great choice of Howard Schmidt as the nation’s first cyber czar (Grade: B+), but Bush also ties for second with his excellent decisions to promote competent leaders such as General Keith Alexander and Admiral Mike Rogers (Grade: B+).

The Cooperation Between Government and Industry category has been a common failure point for all three of our last Presidents. None of their Administrations can claim much success in promoting meaningful cooperation, what with the endless arguments and fights about penalties, fines, and regulations. I give Clinton and Obama low marks (Grade: C), but feel compelled to give Bush a lower mark (Grade: D) for the surveillance scandals that hurt our global tech companies in the international market.

The Protection of Government Assets is a category where President Obama did worst (Grade: D-). With the infamous OPM breach occurring under his team's watch, the only thing keeping me from making this grade an F is the on-going challenge of evolving away from an enterprise perimeter. Bush and Clinton allowed less remarkable breaches, albeit with less determined adversaries, so they were both a bit lucky in this regard (Grade: B-).

The Presidential Directives in Cyber category reflects well on President Clinton. His Presidential Decision Directive on Critical Infrastructure (PDD 63) remains one of the seminal works in cyber security, perhaps worthy of continued examination from graduate students studying computer science (Grade: A). Presidents Bush and Obama issued the usual series of toothless directives on cyber that were more ceremonial than practical (Grade: C).

And finally, the Response to Security Incidents category is one where each of the last three Presidents did not perform well. Obama’s cyber czars were silent through one major national breach after another (Grade: C), while the Bush team sat and watched the worm and virus disasters of 2003 (Grade: C). But Clinton gets dinged here for closing the Y2K Center in DC after the Millennium change. It would have been such a wonderful incident response legacy to have maintained such a world-class fusion center operating in our nation's cyber interest (Grade: C-).

If you do the rough math as I have, you will find that President Clinton was our greatest President in cyber security with an unremarkable score of B-minus. Presidents Bush and Obama tie for second with also unremarkable scores of C. These performances should not inspire great confidence or pride amongst Americans. I suspect that the vast overwhelming majority of cyber security experts in our country would agree 100% with these ratings and conclusions.

Which brings us to . . .

Assessing President Trump on The Cyber

It might seem unfair to provide any type of rating for a President who has been in office for a whopping three weeks as of this writing. We simply do not know what the President will do in cyber security until he is seriously tested, or at least until he has had some time to settle into the new role. So, the reader should view my remarks below as they might that awkward conversation with your kid’s teacher three weeks into the school year on Parent’s Night.

The Coherence of Cyber Security Mission category for Trump is too early to call. But the following comment is of concern: “The whole age of the computer has made it where nobody knows exactly what is going on.” Regardless of your politics, this cannot be viewed as inspiring commentary for the cyber security community from our new Chief Executive. Even his language (“The Cyber”) displays a fundamental misunderstanding of what we do as cyber security professionals. But I'll give him the benefit of the doubt here (Grade: B-).

The Selection of Cyber Security Advisors category involves President Trump’s selection of Rudy Giuliani as a special advisor for cyber security. Besides the lack of clarity around this new position, one cannot help but point to the obvious political payback in appointing such a loyal defender. Yes, the former Mayor leads the league in 9/11-style crisis management, but there are so many people who would have been much more experienced choices for cyber security. Let's see how Mayor Giuliani works this position (Grade: C).

The Cooperation Between Government and Industry category is off to a bad start for President Trump. Asking two of the finest experts in the business – Greg Touhill and Andy Ozment, both previously of DHS – to leave our government with no obvious replacements is a decision that needlessly tosses a half-decade of good-will with industry out the window. If you asked me to spend six months searching, I suspect that I could not find two better cyber security officials than these fine former civil servants. This is a tough loss for Americans (Grade: D).

The Protection of Government Assets is President Trump at his worst in cyber. Again, regardless of your politics, if your new boss absolutely refused to stop publicly tweeting sensitive information, and refused to stop using an insecure Android phone, then your cyber security team would go nuts. Please set aside the partisanship for a moment: If you are a cyber security expert, then you know that you would be furious, and you know that you would demand that the boss immediately stop violating cyber security policy. I hope this improves soon (Grade: F).

The Presidential Directives in Cyber category reflects much better for President Trump (Grade: B). I like his enthusiasm and his tough emphasis on promoting fewer regulations. But a better negotiator (ahem) would know that the “no new regulations unless you dump two others” directive will result in absolutely no existing regulations being removed by anyone in DC. Once you assign trading value to existing regulations, you’ve just turned them into poker chips. This is a rookie mistake that anyone on K Street could have warned about in advance.

And finally, the Response to Security Incidents category is also a tough one for President Trump, who has fought endlessly with our nation’s intelligence community about the origins of the most consequential attack in American history. In so doing, Mr. Trump seriously undermines our present and future response to this terrible breach. The only reason this does not get a grade of F from me is that the President seems to have softened considerably after meeting with our leading officials. Let's hope and assume that he is maturing in this area (Grade: C-).

If you do the rough math for President Trump – again, based only on three weeks of data – then you will find that he receives an overall progress report of C-minus, which puts him on an initial path toward being our nation’s worst President for cyber security. And just as you would take seriously any such early warning from a teacher about your child’s performance after three weeks of school, I hope the new Administration takes my assessment just as seriously. It is offered in the spirit of sincere guidance and help.

I’ll update this assessment and post when it seems appropriate. In the meantime, let me know what you think.