The landscape of cyber threats is dominated by criminals, nation states and hackers seeking to exploit vulnerabilities. In February 2016, the Obama Administration rolled out several initiatives as part of a Cybersecurity National Action Plan—the goal being to move from defense to resiliency.

For years, businesses sought products and services to keep hackers out of their systems. Defense was the call. Now, one innocent, accidental click on a malicious attachment can grant an attacker unauthorized access. Businesses now find themselves alongside governments, operating under a presumption of breach. Resiliency in the face of compromise has become the focus. How does the Obama Administration’s Cybersecurity National Action Plan address these threats?
1. A $19 billion investment in cybersecurity for FY2017
This represents a 35% increase in cybersecurity spending. While this dramatic increase represents an important focus of attention for the administration, the risk continues to be throwing too much money too quickly at the wrong problems. Ultimately, skill and training are the top commodities for government and business alike. Over the long term, resources need to reduce the national attack surface, moving beyond “security as an afterthought” and moving towards “security by design.”
2. A $3.1 billion Information Technology Modernization Fund
This will phase out obsolete systems across the federal government. This is a long-overdue investment. If married with timely, smart, and security-minded replacements, informed by the work of the U.S. digital services, this fund could go a long way towards reducing the vulnerabilities of federal systems. Next steps include determining how to measure whether modernization is actually improving security, standardizing authentication and encryption practices, and identifying which steps states can apply to modernize their own systems.
3. A new Federal Chief Information Security Officer
This officer will encourage security-minded practices and reforms across the federal government. This too is a long-overdue step in the evolution of how government organizes itself for cybersecurity. As always, the challenge will be for this new individual to build alliances throughout the federal government and to build consensus as to how the IT modernization funds are spent. Next steps will be for White House leadership to decide how much of a role this individual will play in the development of broader cybersecurity policy and what authorities this individual will possess to drive change across government as a whole.
4. A new Commission on Enhancing National Cybersecurity
Led by former National Security Adviser Tom Donilon, the new commission will provide recommendations about how to improve cybersecurity over a 10-year horizon. Contrary to some arguments that technology changes too fast to think long-term, this commission has an important opportunity to chart a road ahead for the technology, business, privacy, and government communities. Because so many hacks continue to be the result of exploiting known vulnerabilities, an emphasis on reducing vulnerabilities in software should be a key priority.
5. A new Federal Privacy Council
The council will help ensure the government’s efforts in the short and long term are informed by privacy considerations. That the President issued an executive order to create this council shows just how critical the privacy community’s voice remains to the national dialogue about cybersecurity. The opportunity for businesses to explain how new products increase the protections over a user’s private data will be significant. The challenge will be not to oversell these protections in the face of the inevitable vulnerabilities that will continue to be discovered in new software.

bgov.com