President Obama this week announced a broad initiative, the Cybersecurity National Action Plan ("CNAP").
The CNAP is a massive, broad-ranging effort to improve cybersecurity and privacy in the public and private sectors. Some of the actions and proposals include:
- Establishment of the "Commission on Enhancing National Cybersecurity"
  - This 12-member commission will be tasked with making "detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices." Its report is due to the President by December 31, 2016.
  - The Executive Order provides that the members will be appointed by the President; however, the White House has stated that Congressional leadership of both parties will have a say in the Commission's makeup.
- Creation of a permanent "Federal Privacy Council"
  - This body will "bring together the privacy officials from across the Government to help ensure the implementation of more strategic and comprehensive Federal privacy guidelines"
  - It will include the head privacy officers for 24 federal agencies, and other members from the federal government as invited by the Council chair
  - It will be charged with duties to:
    - develop recommendations for the Office of Management and Budget on Federal Government privacy policies and requirements;
    - coordinate and share ideas, best practices, and approaches for protecting privacy and implementing appropriate privacy safeguards;
    - assess and recommend how best to address the hiring, training, and professional development needs of the Federal Government with respect to privacy matters; and
    - perform other privacy-related functions, consistent with law, as designated by the Chair
- A proposal to overhaul federal cybersecurity infrastructure, including:
  - a proposed $3.1 billion IT Modernization Fund
  - a push to centralize IT and cybersecurity functions across all federal agencies
  - the creation of a new Federal Chief Information Security Officer position "to drive cybersecurity policy, planning, and implementation across the Federal Government"
- A proposal to offer cybersecurity training for small business
- A push for the implementation of multi-factor authentication in all consumer online accounts, through the National Cyber Security Alliance in partnership with leading tech companies
- Increased personnel funding for additional government cybersecurity professionals
- Expansion of DHS programs EINSTEIN and CDM to protect the government from cyber attacks
- Federal Cybersecurity R&D Strategic Plan for the development and innovation of cybersecurity technologies
The announcements and executive orders this week should help cement Obama's legacy as a President who took seriously, and advanced, the causes of both privacy and cybersecurity.
These new initiatives may present opportunities for business as well as new challenges for compliance.