Last December, owing to strong bipartisan majorities in Congress and a strong, organized push by industry, President Barack Obama signed landmark legislation to bolster cooperation and cyber threat information sharing between government and industry. Since then, many cyber observers have speculated on what policymakers would address next.
As part of the president’s fiscal year 2017 budget, his administration laid out its cybersecurity priorities. The Cybersecurity National Action Plan (CNAP) features short- and long-term initiatives to tackle the nation’s cyber vulnerabilities.
It is good to see these next steps unveiled as our cyber adversaries continue to steal industry trade secrets and millions of Americans’ personal information. The estimated impact of their criminal activity to the global economy is $445 billion. Cyber threats must be addressed by this administration and the next.
CNAP recognizes that the private sector can shape, in close collaboration with the public sector, voluntary and flexible cybersecurity programs. Key elements of CNAP that industry needs to know:
Commission on Enhancing National Cybersecurity: The commission, established by executive order, will be composed of 12 unpaid, presidential appointees from outside of government. By Dec. 1, the commission will recommend actions to diagnose and address the causes of cyber vulnerabilities.
Information Technology Modernization Fund (ITMF): ITMF requires agencies to identify and prioritize their highest value and most at-risk IT assets. The president’s fiscal year 2017 budget will include a $3.1 billion ITMF to help federal agencies and departments replace legacy information systems and modernize their cybersecurity postures.
Federal Chief Information Security Officer (CISO): The administration will create a federal CISO at the career, senior executive service level to drive cybersecurity policy, planning, and implementation across the federal government.
Federal Cyber Workforce Development: The budget proposes to invest $62 million in cybersecurity personnel. Aspects of the program include building a federal cybersecurity reserve of professionals, writing a core cybersecurity curriculum, and forgiving student loan for cybersecurity experts.
Privacy Executive Order (EO): A privacy executive order creates a permanent federal council made up of agency and department chief privacy officers. The council is expected to focus on sharing privacy best practices, and not on investigating companies’ use of data.
Additionally, CNAP involves:
- Enactment of the Cybersecurity Act of 2015 expands the EINSTEIN (an intrusion detection system that monitors federal civil networks for unauthorized traffic) program managed by the Department of Homeland Security (DHS). The budget supports the rollout of these programs in all federal civilian agencies.
- DHS is increasing the number of federal civilian cyber defense teams to a total of 48. These teams will conduct penetration testing and proactively hunt for intruders.
- This spring the administration is expected to release a policy for national cyber incident coordination and an accompanying severity methodology.
To implement CNAP, the administration requests $19 billion for cybersecurity in its fiscal year 2017 budget, a 35% spending bump over the fiscal year 2016 enacted amount. This is a big deal and signals the administration's prioritization of cybersecurity.
Read more: For those of you who missed the ISAO (information sharing and analysis organization) conference in San Antonio, click here for a quick look at what you missed and the challenges and opportunities that lie ahead.