President Obama's bold Cybersecurity National Action Plan (CNAP) drew praise on Tuesday, Safer Internet Day, for including a significant dollar commitment in the fiscal 2017 budget and for creating a Cybersecurity Commission and a Privacy Council under two Executive Orders.
“This is a really broad-based action plan,” Michael Kaiser, executive director of the National Cybersecurity Alliance (NCSA), told SCMagazine.com, calling CNAP a “classic” cybersecurity initiative. “We're glad to see this effort.”
Mark Weatherford, chief cybersecurity strategist at vArmour, also applauded Obama's actions. “The same proactive stance he's taken during the past seven years of the administration - to address cybersecurity and make it a national priority,” Weatherford said in comments emailed to SCMagazine.com. “Security needs to be a team sport where innovation meets policy, and where the technology community and Washington, D.C. collaborate to address the nation's cybersecurity challenges.”
The President expressed faith in the plan in a piece penned for the Wall Street Journal. “I'm confident we can unleash the full potential of American innovation, and ensure our prosperity and security online for the generations to come,” Obama wrote.
The federal government has drawn continuous fire for its “Swiss cheese” security posture after several agencies were hit repeatedly by data breaches, most notably at the Office of Personnel and Management (OPM), where information on millions of people was taken, and at the State Department, where hackers lurked for many months before being excised from the systems. Critics complained that the government simply had too many holes to plug and had moved slowly and indecisively to secure its assets.
Upon CNAP's unveiling, the latter, at least, is no longer accurate.
In addition to the $19 billion budget allotment in fiscal 2017, the plan called for the establishment of a Commission on Enhancing National Cybersecurity, which will be composed of business, tech and strategic thinkers from outside the government. The group, which will include members “designated by bipartisan Congressional leadership,” will recommend actions to bolster cybersecurity in the private and public sectors over the next 10 years.
A $3.1 billion Information Technology Modernization Fund is aimed at modernizing government IT and the management of cybersecurity. A newly created position, the Federal Chief Information Security Officer (CISO), will be responsible for spearheading the modernization effort.
Saying that the creation of a federal CISO is important, Weatherford contended the CISO “will not be successful without true policy, procurement and operational authority over federal agencies.” The person who assumes the position “needs to be both a leader and a recognized cybersecurity expert who can move the needle quickly and make decisions on behalf of the entire federal government,” he said. “Without this level of authority, there is no chance for any real success.”
The plan also called for empowering “Americans to secure their online accounts by moving beyond just passwords and adding an extra level of security” in the form of multifactor authentication. The NCSA is charged with creating a National Cybersecurity Awareness Campaign to raise consumers' awareness and provide them with information on the ways they can protect themselves, with multifactor authentication at the heart of the campaign. “In addition, the Federal Government will take steps to safeguard personal data in online transactions between citizens and the government, including through a new action plan to drive the Federal Government's adoption and use of effective identity proofing and strong multi-factor authentication methods and a systematic review of where the Federal Government can reduce reliance on Social Security Numbers as an identifier of citizens,” according to the White House CNAP fact sheet.
"We're excited by the prospect of the president calling for measures beyond passwords," said NCSA's Kaiser, who noted that multifactor authentication has been around for quite some time and has more recently become widely available. "You just have to turn it on." The campaign, the details of which have not been laid out, will aim at prompting consumers to do just that.
Kaiser said that's likely to be an easier sell after "all the data breaches and loss of medical information" that have been reported in the last couple of years. Consumers are looking for a way to protect their information and multifactor authentication puts it in their control. "It's something they can do," he said. "There is some risk they can't guard against but this is proactive and easy to do."
Noting that "email is kind of like the gateway" to accessing sensitive information, Kaiser said multifactor authentication is like "putting a layer of security around your crown jewels."
The Center for Democracy & Technology (CDT) gave the thumbs up to CNAP, particularly the new, permanent federal privacy officer council established by Executive Order that will include officials from 24 government agencies and groups.
"The new privacy council is an important step forward in formalizing privacy oversight throughout the federal government. It has the potential to be a valuable mechanism for agencies with strong privacy practices, such as the Department of Homeland Security, to share their expertise across the government. Privacy should be treated more consistently across agencies and this should help achieve that result," Greg Nojeim, CDT director of the Freedom, Security, and Technology Project, said in a release.
While increased funding for cybersecurity is a step forward, for Jeff Hill, channel marketing manager at STEALTHbits Technologies, the dollars committed still weren't enough, nor on a par with the threat posed by cybersecurity issues.
Calling the $19 billion allotment, a $5 billion year-over-year increase from 2014, “nothing to sneeze at,” Hill noted that even the more robust funding puts cybersecurity at only 2.7 percent of the $700 billion overall 2017 budget for Defense, Intelligence and Homeland Security (up from 2 percent in fiscal 2016). “This budget priority reality begs the question: do cyber-attacks – from organized state actors, to well-heeled crime syndicates, to independent hackers looking to make a name for themselves – represent a mere 2 or 3 percent of the risk to our nation's economy and the safety of its citizens?” asked Hill, adding that “three percent priority might be progress, but we've got a long way to go.”
Weatherford cautioned that action needed to be immediate, given Obama's ten months remaining in office. “To ride the momentum of this announcement, immediate means a plan of action in 30-60 days,” he said. “Any longer than that and they will lose the energy necessary to get this going. The federal government doesn't work fast, so this will be a true test to see how much capital the administration is willing to devote to it.”
And, Weatherford said, the federal government has a lot of fences to mend to rebuild private sector trust after the Snowden revelations and given the tone of the current discussions around encryption and privacy. “This is not trivial and can't be fixed with pretty words,” he contended. “It's going to take long-term commitment on the part of the government to mend the fracture and it probably can't be overcome in the short time necessary to get this moving.”