The new plan is a grab-bag of programs and initiatives to tackle persistent cyber issues.
President Obama on Tuesday unveiled an expansive plan to bolster government and private-sector cybersecurity, establishing a federal coordinator for cyber efforts, proposing a commission to study future work, and asking Congress for funds to overhaul dangerously obsolete computer systems.
The Cybersecurity National Action Plan contains initiatives to better prepare college students for cybersecurity careers, streamline federal computer networks, and certify Internet-connected devices as secure. It also establishes a Federal Privacy Council to review how the government stores Americans’ personal information, creates the post of Chief Information Security Officer, and establishes a Commission on Enhancing National Cybersecurity.
“I’m confident that if we take these steps, we can make a difference and substantially improve our cybersecurity both now and in the long run,” Michael Daniel, Obama’s cybersecurity coordinator, told reporters during a press call on Monday afternoon.
The executive branch can undertake some of the new initiatives on its own, but others will require funding from Congress. As part of his Fiscal Year 2017 budget request, Obama is asking Congress for $19 billion in cybersecurity funding, a 35 percent increase over the amount that lawmakers approved for the current fiscal year.
Obama is requesting $62 million for programs to address the dire shortage of cybersecurity professionals, including a “CyberCorps Reserve” program, which will give young people cybersecurity scholarships in exchange for several years of government service; a unified cybersecurity curriculum, ensuring that graduates are prepared to take on those government jobs; and expanded loan forgiveness for students who become federal cybersecurity employees.
The new plan responds to criticisms of redundant and outdated federal computing equipment by devoting $3.1 billion in requested funds to IT modernization and expanding the use of shared services across agencies. The goal of centralizing services, Daniel said, is for the government to operate “much more like a unified enterprise.”
Two major initiatives will help the private sector combat its own cybersecurity challenges. The administration will establish a National Center for Cybersecurity Resilience, a virtual environment in which companies can test their systems against various threats. It will also launch the Cybersecurity Assurance Program to certify the security of networked products like smart-home appliances, a cyber equivalent of the Energy Star label.
Obama is tasking the Commission on Enhancing National Cybersecurity with recommending how the government should act in this area over the next decade. The commission, to be composed of leading government and industry experts, will deliver its report “before the end of 2016,” the White House said in a fact sheet.
The federal CISO will report to Tony Scott, the government’s chief information officer. Scott told reporters on Monday that the Obama administration expected to hire someone within the next two to three months. The federal CISO, he said, would supervise the “policy, practice, and coordination of information security across the civilian agencies of the federal government” and work with similar officials in the military and the intelligence community.
The Federal Privacy Council’s role remains unclear. It will convene privacy officers from across the government, but it will not have any power to issue directives related to the handling of Americans’ personal data. Instead, Scott said, it will simply let privacy officials “share best practices” among themselves.
The release of the new plan comes as the Obama administration continues to implement major cybersecurity reforms unveiled last October, including mapping out the entire federal computer system and designing new ways for employees to securely log into their agencies’ networks.
Scott told reporters on Monday that the government had “made great progress” on many of that plan’s key goals, including patching serious computer bugs, expanding the use of two-factor authentication, and reducing the number of federal workers with high-level network access.
Despite attention-grabbing items like a new commission and a privacy council, however, the Cybersecurity National Action Plan does not lay out concrete steps to improve the government’s primary cyberdefense system.
The Government Accountability Office last month issued a critical report about that system, known as EINSTEIN. The program has faced significant criticism because it cannot dynamically detect new kinds of cyber intrusions; it can only stop known threats. Given the rapid pace of malware creation—27 percent of all known malware surfaced in 2015—EINSTEIN’s critics say that its approach to threat detection is woefully insufficient.
Daniel acknowledged that EINSTEIN was “not as effective as it needs to be” but said that it was just one piece of the puzzle. Scott added that “anybody who thinks any one thing is the absolute defense is probably mistaken.”
Federal networks have long been a target of state-sponsored and rogue hackers, but 2014 and 2015 saw an uptick in successful penetrations. Attackers breached servers at the White House; the departments of State, Health and Human Services, and Defense; the U.S. Postal Service; the National Oceanic and Atmospheric Agency; the Internal Revenue Service; and the Federal Aviation Administration, among others.
The most famous penetration of federal computer networks, the Office of Personnel Management data breach, resulted in the theft of nearly 22 million federal employees’ background-check records and 5.6 million employees’ fingerprints. Officials have privately concluded that China was behind the attack.
Photo via Ted Eytan/Flickr (CC BY 2.0) | Remix by Max Fleishman
Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.