Wired’s observation that “It’s all the standard advice you’d give a tech novice” aptly sums up the White House’s Cybersecurity National Action Plan (CNAP) that President Obama unveiled on February 9, 2016. Announced as part of the President’s overall budget proposal, CNAP is a plea within the federal government to implement a sturdier foundation for its cybersecurity strategy. The administration proposes a 35% increase in cybersecurity funding, much of which would go toward creating programs that are intended to leverage private sector expertise to improve the woefully outdated, if not completely nonexistent, federal government cybersecurity infrastructure.
Among other initiatives, CNAP includes an awareness campaign targeted at personal-level cybersecurity habits, a joint government-private sector commission for compiling cybersecurity best practices, and incentives to entice private sector talent to enlist in the government’s ranks. Although these programs anticipate private sector involvement, they are rooted in the government’s pressing concern about its own vulnerabilities to cyberattacks. The standard refrain is that CNAP seeks to raise the level of cybersecurity for the government and the private sector, but the rhetoric around the announcement belies an overwhelming focus on federal government advancement that will likely have little impact on private sector progress, if the program is implemented at all.
Citizens’ Awareness Campaign
Several of the private sector actors integral to CNAP have already been selected by the government to partner with the National Cyber Security Alliance on a national awareness campaign aimed at U.S. citizens. Google, Facebook, Dropbox and Microsoft are all named by the White House as participants, though no details are provided as to what exactly these private companies will be doing to support the campaign. The key detail of the campaign plan is, again, quite foundational: encourage (and empower) individuals to use two-factor authentication to protect personal data and stop relying on passwords alone. Such protection measures are old hat in the private sector and particularly standard for managed security and IT services offerings. The campaign could benefit from private sector input about the appropriateness of more advanced protection technologies, as well as red flags to look for and steps to take after a cyberattack. Such knowledge transfer, however, is a one-way street.
Commission to Enhance Cybersecurity
The President also proposes under CNAP to create a bipartisan Commission on Enhancing National Cybersecurity “comprised of top strategic, business, and technical thinkers from outside of Government”, in addition to members of Congress from both sides of the aisle. The Commission’s private sector representatives will primarily be tasked with using their expertise to make recommendations about how to improve cybersecurity practices, presumably for the benefit of the public sector representatives (members of Congress) who are not tasked with making recommendations. Similarly, CNAP includes a Center of Excellence for the development of new cybersecurity technology through the combined efforts of the private sector and government. If a diverse group of private sector experts is amassed, it is arguable that they will likewise benefit and foster innovative ideas that may apply to the private sector as well, but it is dubious how impactful that benefit might be.
Another major tenet of CNAP is dedicated to increasing the resources available to the federal government to build the cybersecurity workforce it needs to advance. Over the past twenty years, the federal government has relied on contractors from the private sector to provide cybersecurity services and there remains a shortage of skilled labor in this field, such that effectively insourcing the federal government’s cybersecurity needs requires mining private sector talent. The President’s proposal calls for a $62 million workforce investment to fund training of new-hire cybersecurity professionals, but also to offer loan forgiveness to recruits who commit to a career with the federal government. President Obama offers, “We’ll even let them wear jeans to the office,” emphasizing that CNAP depends on the difficult task of enticing cybersecurity experts away from the better-paying private sector.
Overall, CNAP is multi-faceted, makes some strides to give back to the private sector in exchange for what is asked from it (see proposed cybersecurity training to 1.4 million small businesses from the Small Business Administration), and ultimately, may never come to pass. Although the President spoke directly to House Speaker Paul Ryan (R-Wis.) about CNAP and anticipates bipartisan support for the initiative, the budget proposal as a whole received immediate disparagement from Congress, including a statement from Ryan that “President Obama will leave office having never proposed a budget that balances - ever”. Given that much of the budget requires congressional approval, an approval that will undoubtedly be withheld until the moving vans pull up to the White House, CNAP may get left behind in the Obama administration.