Picks of the Week: The White House’s New Cybersecurity Action Plan & Budget
Cybersecurity National Action Plan | The White House
The Real Reason to Like the President’s Cybersecurity Plan | Net Politics
Opinion: $19 billion alone won’t fix Washington’s cybersecurity problem | Passcode
President Barack Obama recently announced the Cybersecurity National Action Plan (CNAP), which would allocate $19 billion for cybersecurity initiatives at federal agencies and would establish a chief information security officer (CISO) for the federal government. The plan, although overdue, demonstrates a renewed focus on cybersecurity and represents the culmination of seven years of this administration’s work on a dynamic and critical topic.
Cybersecurity has been an important issue for this administration since day one—the President ordered a 60-day review of federal government cybersecurity policies and programs after first taking office in 2009—but it has taken several years to make palpable progress in this field, even though the country has suffered rampant cyber crime, data breaches, and IP theft since that time.
The most successful initiative of this administration has been NIST’s Cybersecurity Framework, a roadmap for organizations to review their cybersecurity risk and a guide to strengthen their overall cybersecurity posture by mapping a variety of global standards. Since its release in February 2014, the Framework has facilitated behavioral change in organizations, encouraged them to examine and understand key priorities and vulnerabilities, and supported cyber resiliency within and across sectors. Indeed, while the Framework was aimed at critical infrastructure, in practice, it has provided a toolkit for institutions of all shapes and sizes. Moreover, its success has shown that a lot can be accomplished by encouraging thorough and continuous attention to good housekeeping and cyber hygiene.
In addition, Congress finally passed the bipartisan and long-anticipated Cybersecurity Information Sharing Act (CISA)—a bill meant to facilitate the voluntary sharing of cyber threat information between companies and the federal government. And most recently, the Departments of Justice and Homeland Security issued guidelines for private sector information sharing.
The new White House initiative focuses on getting the federal house in order, creating a ‘cyber workforce’ through financial incentives, encouraging more effective work and ‘knowledge-sharing’ between the private and public sectors, and creating a nationwide campaign to raise public awareness of the importance of cybersecurity. As Cameron Kerry from Brookings notes, “rather than introducing new solutions, the Cybersecurity National Action Plan provides more resources, leadership, and focus to the challenges of government cybersecurity.” A major part of the initiative will consist of hiring a CISO to oversee the security practices of federal agencies and the overhaul of the federal government’s computer systems—a task that some security experts initially worried would prove a massive (and maybe impossible) undertaking. Most private companies today already have CISOs and, if the federal government is going to be serious about protecting its own cybersecurity, it should do the same while also putting additional resources into the task.
Critics of the plan have argued that simply throwing more money at the problem, without providing specific policy proposals and organizational initiatives to protect US networks from nefarious cyber criminals, won’t improve cybersecurity. Indeed, while more resources are needed, their deployment needs to be prioritized. The Obama administration will respond to this concern as it articulates how agencies should decide what needs to be replaced and upgraded. Moreover, long-standing impediments to the effective execution of government programs, like federal acquisition policies and workforce policies, should be addressed to make it easier for the government to invest in leading-edge technologies and compete for tech talent with Silicon Valley. Additional steps should be taken by the administration and Congress to make sure that the new cybersecurity budget is spent effectively and efficiently, reducing the government’s vulnerability to large-scale hacks and data breaches and ultimately ensuring that it is prepared to play its critical role in addressing today’s digital threats.
Overall, President Obama’s action plan and new fiscal 2017 budget—which includes $3.1 billion for IT modernization of federal systems—reflect a serious investment in tackling the significant cyber threats facing the US and reducing the ongoing harm to the nation’s security and economic prosperity. Changing the government’s cybersecurity culture—and getting employees at the various agencies on board with taking security seriously—however, may prove the biggest challenge yet…

- Senior Fellow Francesca Spidalieri