In the wake of high-profile hacks such as the Office of Personnel Management data breaches and the breach affecting the Department of Justice and Department of Homeland Security disclosed just days ago, almost everyone agrees that cybersecurity issues must be addressed. However, the recently-enacted Cybersecurity Act of 2015 is controversial for its impact on privacy. While the Cybersecurity National Action Plan that President Obama released February 9 is likely to be overshadowed by the debate over the 2017 budget proposal he also released that day, several of the provisions are worth noting.
Overall, the plan aims to centralize government planning for cybersecurity with a national commission to make cybersecurity recommendations, a Federal Privacy Council comprised of privacy officials from across the government, and a new position of Federal Chief Information Security Officer to address cybersecurity issues for the federal government. On the technical side, the plan provides for increased availability of “government-wide shared services for IT and cybersecurity,” with the aim of ensuring that all agencies have access to “more efficient, effective, and secure options.” However, such centralization also carries its own risks by increasing the amount of data potentially available in the case of a breach.
Recognizing what is good for the goose is good for the gander, the plan also includes easily implemented, common sense solutions regularly used by the private sector. Encouraging government agencies to perform ex-post reviews of the circumstances leading to previous data breaches is a tactic regularly used by businesses, and encouraged by courts, to beef up security moving forward. Further, the directive to “identify and prioritize their highest value and most at-risk IT assets and then take additional concrete steps to improve their security,” is precisely the type of flexible approach to cybersecurity that government regulators regularly impose upon businesses. Indeed, as we have noted previously on this blog, “a one-size-fits-all approach to cyber security just does not work.”
The plan also includes a public relations campaign to encourage Americans to secure their online accounts through multi-factor authentication. With the exponential growth of processing power, so-called ‘brute force’ attacks on password security are growing. Just this week, an affiliate of Alibaba – the eBay of China – fell victim to a brute force attack that caused a data breach affecting 20% of their customer base. Not that powerful processors are required to crack the password most frequently utilized by Americans:123456. Encouraging, for example, biometric passwords would enable secure passwords to be used without the need to remember complicated strings of characters currently required for a ‘strong’ password.
Some of the plan’s more ambitious provisions will be dependent on the budget, including $3.1 billion to modernize government IT infrastructure and $62 million in cybersecurity educational incentives and programs. The president has proposed over $19 billion for cybersecurity as part of the 2017 budget, which has already drawn Republican criticism. Others criticize the simplicity of the plan’s security efforts.
While some of the more costly initiatives may continue to meet resistance – there are also cost-efficient proposals in the National Action Plan that the government (and yes, private industries too) should jump at the opportunity to implement. That might just explain why so many – Republicans and Democrats alike – agree that the President struck the correct balance on this one.