White House unveils broad strategy for strengthening cybersecurity

President Obama unveiled a sweeping cybersecurity strategy Tuesday, which directs his administration to implement a series of "near-term actions" to enhance the nation's cybersecurity.

The Cybersecurity National Action Plan, or CNAP, stands up a handful of public-private partnerships, several intragovernmental centers focused on cyber issues and a senior administration position for cybersecurity, and launches a new public awareness campaign.

CNAP includes substantial investments in IT modernization and cybersecurity, which will be included in the president's Fiscal 2017 budget proposal. In coordination with CNAP, Obama issued an executive order this morning that created a permanent Federal Privacy Council.

A White House fact sheet called the plan "the capstone of more than seven years of determined effort" by the administration to glean lessons learned and best practices from cybersecurity trends, threats and intrusions.

Through short-term actions, the administration said the plan sets in motion a "long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security."

Additional positions, councils and centers

Through the CNAP, the administration announced the creation of a federal chief information security officer position. This person will drive cybersecurity policy, planning and implementation across the federal government.

The Homeland Security, Commerce and Energy departments will jointly establish the National Center for Cybersecurity Resilience. This center will provide a place for companies and sector-wide organizations to test the security of systems in a contained environment – "such as by subjecting a replica electric grid to cyberattack."

The Federal Privacy Council, established through executive order today, will bring together agency and department privacy officials to guide more comprehensive federal privacy efforts.

"Like cybersecurity, privacy must be effectively and continuously addressed as our nation embraces new technologies, promotes innovation, reaps the benefits of big data and defends against evolving threats," said the fact sheet.

Public-private partnerships

The CNAP establishes the Commission on Enhancing National Cybersecurity, which will bring together leading technical minds from industry, as well as executive and legislative branch experts to make recommendations for strengthening public and private sector cybersecurity over the next decade.

"The Commission will report to the President with its specific findings and recommendations before the end of 2016, providing the country a roadmap for future actions that will build on the CNAP and protect our long-term security online," said the fact sheet.

The administration has also asked the National Cybersecurity Alliance and leading technology firms to raise public awareness for two-factor authentication. At the same time, the federal government will adopt more effective identity proofing solutions and strong multi-factor authentication, and reduce its reliance on the Social Security number as an identifier, said the fact sheet.

The administration unveiled additional industry outreach and collaboration plans under CNAP. The government will work with the Linux Foundation's Core Infrastructure Initiative and other organizations in an effort to secure Internet "utilities" such as open-source software, protocols and standards.

DHS will also work with industry partners to develop a Cybersecurity Assurance Program "to test and certify networked devices within the 'Internet of Things.'"

Finally, the administration said it is "calling on" health insurance companies to improve data stewardship but outlined no concrete plans for collaboration or additional requirements that would nudge them to do so.

Investment in IT modernization and cybersecurity

The president's Fiscal 2017 budget request to Congress (to be released today) allocates more than $19 billion for cybersecurity, representing a more than 35 percent increase from the fiscal 2016 enacted level. 

Included in the increase is a more than 23 percent bump in funding for cybersecurity-related activities at the Justice Department to better identify, disrupt and apprehend malicious cyber actors, said the fact sheet.

The request also includes a $3.1 billion Information Technology Modernization Fund, "which will enable the retirement, replacement and modernization of legacy IT that is difficult to secure and expensive to maintain," said the fact sheet.

As part of the plan, the budget request is poised to lay out a number of cybersecurity personnel initiatives:

  • DHS will increase the number of federal civilian cyber defense teams to a total of 48

  • DHS will also double the number of cybersecurity advisors that work with private-sector organizations

  • U.S. Cyber Command's Cyber Mission Force of 6,200 military, civilian and contractor support personnel, comprising 133 teams, will be fully operational in 2018

  • Student loan forgiveness programs will be adjusted favorably for cybersecurity experts joining the federal workforce

Governmentwide priorities

Continuing themes set forth in the administration's Cybersecurity Strategy Implementation Plan, agencies are required to report to the Office of Management and Budget their highest value and most at-risk IT assets and craft a plan to improve their security.

The CNAP also directs DHS, the General Services Administration and other agencies to "increase the availability of government-wide shared services for IT and cybersecurity." DHS is to enhance its Einstein and Continuous Diagnostics and Mitigation programs and agencies are to adopt the new capabilities.

In conjunction with the new plan's rollout, the administration also released its 2016 Federal Cybersecurity Research and Development Strategic Plan, which set specific R&D goals that will advance cybersecurity technologies.

Finally, the administration promised to publicly issue a policy for national cyber incident coordination by this spring. Along with the policy, the White House will share a "severity methodology" to evaluate incidents and ensure "an appropriate and consistent level of response."
