Obama Launches National Cybersecurity Action Plan, Calls for $19 Billion
FY17 budget request marks an increase of 35 percent and the creation of 2 councils for cyber.
President Barack Obama championed cybersecurity efforts Tuesday in seeking $19 billion for the cause as part of his fiscal year 2017 budget proposal. Additionally, he signed two executive orders that seek to strengthen government networks against cyber attacks while protecting personal information.
The budget proposal for FY17, which begins October 1, is a 35 percent increase over the current fiscal year.
Obama signed an executive order that creates a Commission on Enhancing National Cybersecurity to be established within the Department of Commerce. It will include industry representatives from “cybersecurity, the digital economy, national security and law enforcement, corporate governance, risk management, information technology (IT), privacy, identity management, Internet governance and standards, government administration, digital and social media, communications,” according to the order.
The second order creates a Federal Privacy Council to seek solutions to better protect the vast amounts of citizen data the government collects.
The cybersecurity budget proposal, part of a mammoth $4.1 trillion request sent to Congress, includes a request of $3.1 billion to update federal legacy systems that experts say pose some of the gravest cybersecurity vulnerabilities, such as the significant breach of the Office of Personnel Management systems that let hackers swipe the personal data of millions of current and former federal employees, some of whom sought top secret clearances.
The Cybersecurity National Action Plan (CNAP) is designed to build upon lessons learned from cybersecurity trends, threats and intrusions. Some of its highlights include actions to:
- Modernize government and transform cybersecurity management through the proposal of the requested $3.1 billion Information Technology Modernization Fund, which will enable the retirement, replacement and modernization of legacy IT that is difficult to secure and expensive to maintain.
- Create the federal chief information security officer position to drive these changes across the government.
- Empower U.S. citizens and residents to secure their online accounts by moving beyond just passwords and adding an extra layer of security.
The plan also lays out strategic research and development goals for the nation to advance cybersecurity technologies.
“The federal government is finally taking bold steps to fulfill what the Constitution says in its preamble: ‘to provide for the common defense.’ In this case, the common cyber defense,” says Ray Rothrock, CEO of RedSeal, a U.S. enterprise software company that models network security infrastructure to defend against cyber attacks.
“The actions and budget announced today are an important recognition and investment in the defense of the critical information infrastructure of the United States, and provide an example for governments, businesses, and [non-governmental organizations] worldwide,” Rothrock adds.
The move to create the councils mirrors calls by some in industry for a cyber corps to build a well-educated work force to respond to the increasingly sophisticated cyber attacks from a promising ecosystem of cyber criminals and terrorists.
“I commend the White House for [its] Cybersecurity National Action Plan—specifically the portions addressing privacy and workforce development,” says Chris Young, general manager and executive vice president of Intel Security. “The White House’s creation of the first-ever permanent federal privacy council is a landmark development that will have a major impact on both privacy and security initiatives. The council will be the principal interagency forum to improve how privacy is addressed at agencies across the government.”
The cyberthreats are tantamount to a declaration of war by attackers, and coordinated security responses must come from the federal government, something along the lines of a cyber national guard, Young says.
“The security industry has talked at length about the latest hacks and breaches, but we haven’t brought enough urgency to solving the cybersecurity talent shortage,” Young continues. “More than 209,000 cybersecurity jobs in the U.S. alone were unfilled in summer 2015, and cybersecurity leaders expect 1.5 million more jobs than takers by 2019. Right now, Intel has more than 250 security jobs available in the United States.”
A White House fact sheet describes the plan as the capstone of "more than seven years of determined effort" by the administration, building upon lessons learned from cybersecurity trends, threats and intrusions. It calls for creating the cyber corps through grants, programs and scholarships to entice the work force toward cybersecurity jobs and train the next generation of workers.
The fact that cybersecurity was quite prominently mentioned in the overall federal budget release signals the importance the government has placed on addressing the vulnerability, says Amjed Saffarini, CEO of CyberVista, a new cybersecurity training and work force development education and training center.
The government trails industry in employing advanced technology, and this is a step toward catching up. The financial and insurance markets, for example, already have fairly robust and secure cyber capabilities because they have to, Saffarini says. Tuesday’s White House announcements now tell the nation that as a government, “We care, and you should too,” he notes.
The creation of a cyber corps addresses an interesting paradox, Saffarini points out: For a while now, experts have said cybersecurity is a people problem, but offer products and services as the solutions. The boosted concentration on training, education and building a work force draws much-needed attention to the people aspect of curbing cyberthreats. The civilian side of the government needs its equivalent to the cyber commands stood up within the Defense Department to entice and motivate highly skilled personnel, he adds.
Lacking in the plans, however, are clear references to the National Institute of Standards and Technology (NIST) cybersecurity framework, which is quickly picking up steam in the private sector, Saffarini says. A lot of progress has resulted in the hardening of networks and systems since the framework's release in February 2014, and it could serve as an effective building block for the newly created councils.