Obama Creating Federal CISO PostAlso, New Commission Will Recommend Steps to Strengthen Information Security
(This story has been updated.)
See Also: Case Study: The Road to Zero Trust
President Obama is creating the position of federal chief information security officer as part of a multifaceted initiative aimed at strengthening the nation's IT security.
Related steps include the formation of a public-private Commission on Enhancing National Cybersecurity, as well as a proposal to boost government cybersecurity spending next fiscal year by 35 percent to $19 billion.
"Cyberthreats are a national-security risk few of my predecessors faced, but they will be ones my successors, regardless of party, must address," Obama wrote in a Feb. 9 Wall Street Journal op-ed. "As long as I'm president, protecting America's digital infrastructure is going to remain a top national-security priority. We won't resolve all these challenges over the coming year, but we're laying a strong foundation for the future. By taking these steps together, I'm confident we can unleash the full potential of American innovation, and ensure our prosperity and security online for the generations to come."
A centerpiece of the initiative, known as the Cybersecurity National Action Plan, is a $3.1 billion Information Technology Modernization Fund, which would allow the retirement, replacement and modernization of legacy IT within the federal government that is difficult to secure and expensive to maintain.
White House Cybersecurity Coordinator Michael Daniel sees a "deep relationship" between modernizing federal IT and cybersecurity. "It is critically important that we begin to address the underlying structural weakness that we have in cybersecurity by modernizing underlying IT," Daniel said at a White House briefing on Feb. 9.
The new federal CISO would drive these changes across the government. The federal CISO would report to the federal CIO and be located in the White House Office of Management and Budget (see: 10 Facts About New Federal CISO Position).
The cybersecurity community has been mystified about why the federal government hasn't had its own CISO, says Justin Harvey, chief security officer at Fidelis Cybersecurity. "It looks like we're going to get our wish," he says.
But Harvey wonders if the federal CISO will have enough control over resources, policy, strategy and operations to have an impact. "This plan needs a single owner to be held accountable for cybersecurity while also holding each individual government agency's feet to the proverbial fire for their compliance," he says.
National Cybersecurity Action Plan Key Components
Other key elements of the cybersecurity initiative include:
- Requiring agencies to identify and prioritize their highest value and most at-risk IT assets and then take additional concrete steps to improve their security.
- Increasing the availability of governmentwide shared services for IT and cybersecurity, with the goal of taking each individual agency out of the business of building, owning and operating their own IT when more efficient, effective and secure options are available.
- Expanding the Einstein intrusion protection and Continuous Diagnostics and Mitigation programs. The president's fiscal 2017 budget supports all federal civilian agencies adopting these capabilities.
- Increasing the number of federal civilian cyber defense teams to a total of 48 by recruiting cybersecurity talent from across the federal government and private sector. These standing teams will protect networks, systems and data across the entire federal civilian government by conducting penetration testing and hunting for intruders, as well as providing incident response and security engineering expertise.
- Investing $62 million to promote cybersecurity education, develop a cybersecurity core curriculum to ensure graduates joining the federal workforce have requisite knowledge and skills and increase the number of academic institutions participating in the National Centers for Academic Excellence in Cybersecurity Program.
Currently, thousands of cybersecurity positions remain vacant in the federal government, says federal CIO Tony Scott. "That's not a number that we're going to easily satisfy unless we change the way we're doing this and building the skill sets," he says.
The federal government will rethink how it staffs cybersecurity positions "The current model that we have requires literally every agency to go do its own cyberdefense," Scott says. "[That] means you've got to have people there, not only to design it [and] architect it but to operate it. ... Every agency, no matter what size would be required in today's model to stand that up."
In the audio clip below, Scott explains how the government will confront this challenge.
The Commission on Enhancing National Cybersecurity would comprise top strategic, business and technical thought leaders from outside of government, including members to be designated by the bipartisan Congressional leadership.
A White House fact sheet says the commission would make recommendations on actions that can be taken over the next decade to strengthen cybersecurity in the government and private sectors while protecting privacy; maintaining public safety and economic and national security; fostering discovery and development of new technical solutions; and bolstering partnerships between federal, state and local government and the private sector in the development, promotion and use of cybersecurity technologies, policies and best practices.
The president's new initiative also aims to empower Americans to secure their online accounts by moving beyond passwords and adding an extra layer of security, with an emphasis on authentication. Federal Deputy Chief Technology Officer Ed Felten says implementing extra security will safeguard citizens when they go to government sites to transact business. "When Americans come to government sites, they ought to be able to expect strong identity proofing and multifactor authentication," he said at the White House briefing.
"By judiciously combining a strong password with additional factors, such as a fingerprint or a single use code delivered in a text message, Americans can make their accounts even more secure," the administration statement says. "This focus on multifactor authentication will be central to a new National Cybersecurity Awareness Campaign launched by the National Cybersecurity Alliance designed to arm consumers with simple and actionable information to protect themselves in an increasingly digital world."
The National Cybersecurity Alliance, a not-for-profit, public-private partnership, will join with leading technology firms, including Google, Facebook, Dropbox and Microsoft, to make it easier for millions of users to secure their online accounts, as well as financial services companies, such as MasterCard, Visa, PayPal and Venmo, that are making transactions more secure, according to the White House.
The federal government also will take steps to safeguard personal data in online transactions between citizens and the government, including through a new action plan to drive the federal government's adoption and use of effective identity proofing and strong multifactor authentication methods and a systematic review of where the federal government can reduce reliance on Social Security numbers as an identifier of citizens.
More Work to Do
A longtime advocate for increased government cybersecurity spending, Larry Clinton, president of the trade group Internet Security Alliance, characterizes the administration's moves as a welcome step in the right direction, but says much more must be done.
"There needs to be better management of the money we are investing in cybersecurity," Clinton says. "Programs ought to be subjected to systematic cost-benefit analysis so that we can document where they are, and are not, succeeding."
The latest administration moves on cybersecurity come as the reverberations continue to echo in the halls of government from a series of hacks on federal government IT systems, including the breach uncovered last year of the Office of Personnel Management, in which the personal information of 21.5 million individuals had been disclosed.