President Obama has long discussed the importance of improving governmental cybersecurity, but the issue gained significant traction last year after two massive breaches at the Office of Personnel Management (OPM). In February 2016, the President issued an Executive Order to establish a so-called Federal Privacy Council, charged with ensuring that all agencies of the federal government strive “to uphold the highest standards for collecting, maintaining, and using personal data.”
The chair of the Privacy Council will be the OMB Deputy Director for Management, who can designate a Vice Chair, establish working groups and assign responsibilities. Council membership will also include senior privacy officials from 24 key federal agencies, from the Department of State to NASA. The OMB Director will determine the duties of these agency officials.
The establishment of this Council is part of the President’s Cybersecurity National Action Plan, which also includes a fund to modernize and improve the federal government’s IT infrastructure and calls for a Commission on Enhancing National Cybersecurity to bring lawmakers and private sector leaders together to make recommendations regarding government cybersecurity.
Major questions remain concerning the Privacy Council and the president’s larger cybersecurity agenda. The first is whether the proposals will garner the required support and cooperation of Congress. President Obama included $19 billion in his annual budget proposal for cybersecurity, but Republican lawmakers have so far been hostile toward other areas of his budget proposal. Obama met with Speaker Paul Ryan specifically on cybersecurity, an area that generally has bipartisan support, and has indicated that he anticipates success in finding the support he needs in Congress.
The second is whether the Privacy Council and related initiatives are staffed and structured to achieve success. The OMB director has not yet set out a role for the dozens of senior agency privacy officials and the Privacy Council Chair has not yet been appointed. Enforcement processes also remain unspecified, which can present problems for inter-agency programs.
Given the limited time left in Obama’s presidency and other challenges, it appears unlikely that the Council will make a significant impact—at least, not on its own and not in the near term. But the hope is that it can play a meaningful part in the broader, ongoing effort to reform the federal government’s outdated approach to cybersecurity.