On February 9, 2016, President Obama directed his Administration to implement a Cybersecurity National Action Plan (CNAP), calling it a “bold reassessment of the way we approach security in the digital age.” Certainly, the cybersecurity budget increase associated with CNAP is significant: the 2017 Presidential Fiscal Year budget will be $19 billion—35% above that of Fiscal Year 2016.
What is likely most significant about CNAP, however, is that it represents continuity of focus and investment in cybersecurity even at the end of an Administration when it would be all too easy to defer action. Cybersecurity remains on the front burner of the government’s agenda. According to statements made by Michael Daniel, Special Assistant to the President and White House Cybersecurity Coordinator, at a February 12 Washington, DC event, the CNAP is a “capstone project for the Administration that brings together seven years of efforts, focused on two key time frames—the next year before the end of the Administration and the long-term—addressing two key areas—the private sector and the Federal Government.”
CNAP’s Private Sector-Focused Initiatives
In the near term, the CNAP thematically brings together several programs to support the private sector, including the creation of a national cybersecurity testing center, a security certification program for networked devices, and an investment in the backbone of Internet “utilities.” In addition to providing resources and support for those currently engaged in the cybersecurity and connected industries, the CNAP provides for several programs designed to encourage and enrich the development of cybersecurity experts in the years to come.
The Commission on Enhancing National Cybersecurity. Among the steps is the creation of a Commission on Enhancing National Cybersecurity. This Commission will be made up of not more than 12 members of the private sector tasked with making recommendations for both public and private sector actions that can be taken over the next decade to strengthen cybersecurity. Recommendations are expected by “December 1, 2016,” according to Daniel.
National Cybersecurity Awareness Campaign, Use of Multifactor Authentication. The CNAP calls for the creation of a National Cybersecurity Awareness Campaign, directed toward consumers. The campaign will be geared toward providing consumers with the information they need to protect themselves in an increasingly interconnected world, such as educating consumers on the use of multifactor authentication to secure online accounts. (Multifactor authentication includes passwords for log-on, plus use of a biometric or a secondary code received by text or voicemail.) The Administration is also calling on companies to enable multifactor authentication for their users. In many ways, this campaign is not new. The National Cybersecurity Awareness Month was launched in October 2004 and the STOP.THINK.CONNECT campaign was launched as a year-round effort in October 2010. Multi-factor authentication has been an emerging trend for some years, but the CNAP’s recommendation for increased usage is a new milepost that can be expected to accelerate adoption and make it more difficult for companies to avoid implementing this type of security control.
The Cybersecurity Assurance Program. In addition, the Department of Homeland Security will work with industry partners, including Underwriters Laboratories, to create a security certification program for networked devices: the Cybersecurity Assurance Program. This would bring into being a program anticipated since at least the summer of 2015, when leading industry representatives announced their work on a “CyberUL.” Although efforts have been underway for some time, details of the program and the standards are forthcoming.
Strengthening Internet “Utilities.” Recognizing that enhancing and growing the nation’s cybersecurity will require strengthening of fundamental technical utilities, the CNAP provides for the coming together of governmental and private sector organizations, such as the Linux Foundation’s Core Infrastructure Initiative, to fund and secure open-source software, protocols, and standards, among other things.
National Center for Cybersecurity Resilience. The CNAP calls for the establishment of a National Center for Cybersecurity Resilience, which opened in Rockville, Maryland, on February 8, the day before CNAP was released. The center will allow companies and sector-wide organizations to be able to test the security of systems in a contained environment. The Center will be supported by the Department of Homeland Security, the Department of Commerce, and the Department of Energy. The Center has its roots in annual appropriations starting in 2012, including from the consolidation of the National Trusted Identities in Cyberspace initiative.
Enhance Cybersecurity Education and Training. Among the education and awareness efforts is the creation of a Cybersecurity Core Curriculum, designed to ensure that graduates who wish to join the Federal Government in a cybersecurity-related position have the knowledge and skills that they need to serve and succeed. In addition, the CNAP provides for the creation of a new CyberCorps Reserve program. And, the CNAP would enhance the National Centers for Academic Excellence in Cybersecurity Program through increasing the number of academic institutions and students participating in the program, and evolving the cybersecurity curriculum. These efforts are a continuation of information systems workforce development efforts within government since the late 1980s, which were expanded in 2010 under the National Initiative for Cybersecurity Education banner.
CNAP’s Government-Focused Initiatives
The Federal Privacy Council. A new arrival is a permanent Federal Privacy Council (FPC), composed of the Chief Privacy Officers of agencies across the government. The FPC is expected to function similarly to the existing CIO Council, as a convening and coordinating body for harmonization of policies and best practices across government.
The CNAP also provides for the modernization of government information technology by, among other things, creating a new position of Federal Chief Information Security Officer, and investing $3.1 billion in the Information Technology Modernization Fund, which will be key to avoiding infrastructure challenges that led to the vulnerabilities implicated in major breaches this past year at OPM, the Department of Interior and others.
Other enhancements to the Government’s information technology include:
- Decreasing reliance on Social Security Numbers as a means of identification;
- Adopting and using effective identity proofing and strong multi-factor authentication methods;
- Requiring agencies to identify and prioritize their highest value and most at-risk IT assets and take concrete steps to improve the security of those assets;
- Increasing the availability of government-wide shared IT and cybersecurity services;
- Enhancing the Department of Homeland Security’s EINSTEIN and Continuous Diagnostics and Mitigation programs, and encouraging widespread agency adoption of the programs; and
- Increasing the number of Department of Homeland Security civilian cyber defense teams.
In the Spring the Administration is expected to release a policy for national cyber incident coordination as well a severity methodology for evaluating cyber incidents so that the Government and private sector can communicate more effectively. The new Commission’s members will likely be named, details on a number of the CNAP’s initiatives are expected to be forthcoming. We will cover these, and other updates, as they develop.