President Obama on Tuesday unveiled an expansive plan to bolster government and private-sector cybersecurity, establishing a federal coordinator for cyber efforts, proposing a commission to study future work, and asking Congress for funds to overhaul dangerously obsolete computer systems.
The Cybersecurity National Action Plan contains initiatives to better prepare college students for cybersecurity careers, streamline federal computer networks, and certify Internet-connected devices as secure. It also establishes a Federal Privacy Council to review how the government stores Americans’ personal information, creates the post of Chief Information Security Officer, and establishes a Commission on Enhancing National Cybersecurity.
“I’m confident that if we take these steps, we can make a difference and substantially improve our cybersecurity both now and in the long run,” Michael Daniel, Obama's cybersecurity coordinator, told reporters during a press call on Monday afternoon.
The executive branch can undertake some of the new initiatives on its own, but others will require funding from Congress. As part of his Fiscal Year 2017 budget request, Obama is asking Congress for $19 billion in cybersecurity funding, a 35 percent increase over the amount that lawmakers approved for the current fiscal year.
Obama is requesting $62 million for programs to address the dire shortage of cybersecurity professionals, including a “CyberCorps Reserve” program, which will give young people cybersecurity scholarships in exchange for several years of government service; a unified cybersecurity curriculum, ensuring that graduates are prepared to take on those government jobs; and expanded loan forgiveness for students who become federal cybersecurity employees.
The new plan responds to criticisms of redundant and outdated federal computing equipment by devoting $3.1 billion in requested funds to IT modernization and expanding the use of shared services across agencies. The goal of centralizing services, Daniel said, is for the government to operate “much more like a unified enterprise.”
Two major initiatives will help the private sector combat its own cybersecurity challenges. The administration will establish a National Center for Cybersecurity Resilience, a virtual environment in which companies can test their systems against various threats. It will also launch the Cybersecurity Assurance Program to certify the security of networked products like smart-home appliances, a cyber equivalent of the Energy Star label.
Obama is tasking the Commission on Enhancing National Cybersecurity with recommending how the government should act in this area over the next decade. The commission, to be composed of leading government and industry experts, will deliver its report “before the end of 2016,” the White House said in a fact sheet.
The federal CISO will report to Tony Scott, the government's chief information officer. Scott told reporters on Monday that the Obama administration expected to hire someone within the next two to three months. The federal CISO, he said, would supervise the “policy, practice, and coordination of information security across the civilian agencies of the federal government” and work with similar officials in the military and the intelligence community.
The Federal Privacy Council's role remains unclear. It will convene privacy officers from across the government, but it will not have any power to issue directives related to the handling of Americans’ personal data. Instead, Scott said, it will simply let privacy officials “share best practices” among themselves.
The release of the new plan comes as the Obama administration continues to implement major cybersecurity reforms unveiled last October, including mapping out the entire federal computer system and designing new ways for employees to securely log into their agencies’ networks.
Scott told reporters on Monday that the government had “made great progress” on many of that plan's key goals, including patching serious computer bugs, expanding the use of two-factor authentication, and reducing the number of federal workers with high-level network access.
Despite attention-grabbing items like a new commission and a privacy council, however, the Cybersecurity National Action Plan does not lay out concrete steps to improve the government's primary cyberdefense system.
The Government Accountability Office last month issued a critical report about that system, known as EINSTEIN. The program has faced significant criticism because it cannot dynamically detect new kinds of cyber intrusions; it can only stop known threats. Given the rapid pace of malware creation—27 percent of all known malware surfaced in 2015—EINSTEIN's critics say that its approach to threat detection is woefully insufficient.
Daniel acknowledged that EINSTEIN was “not as effective as it needs to be” but said that it was just one piece of the puzzle. Scott added that “anybody who thinks any one thing is the absolute defense is probably mistaken.”
Federal networks have long been a target of state-sponsored and rogue hackers, but 2014 and 2015 saw an uptick in successful penetrations. Attackers breached servers at the White House; the departments of State, Health and Human Services, and Defense; the U.S. Postal Service; the National Oceanic and Atmospheric Agency; the Internal Revenue Service; and the Federal Aviation Administration, among others.
The most famous penetration of federal computer networks, the Office of Personnel Management data breach, resulted in the theft of nearly 22 million federal employees’ background-check records and 5.6 million employees’ fingerprints. Officials have privately concluded that China was behind the attack.
Photo via Ted Eytan/Flickr (CC BY 2.0) | Remix by Max Fleishman