President Obama’s recent announcement of the creation of the Cybersecurity National Action Plan (CNAP) made waves across government and tech audiences, as it proposed a $19 billion budget to bulk up cybersecurity across the U.S. government and the private sector. While the announcement seemed abrupt to many, it has been a long time coming — and gives the president the power to highlight cybersecurity issues before he leaves office.
From the start, I think we have to give the president a lot of credit — he has done more to advance cybersecurity than all previous administrations combined. Of course, while much of this is due to the simple fact that cybersecurity has become the issue du jour, the Obama administration has been fairly proactive throughout the past seven years in advancing the cybersecurity conversation.
When I was at the Department of Homeland Security, the White House was a strong supporter of Senators Lieberman and Collins’ Cybersecurity Act of 2012, which, while not successful in getting a Senate hearing, certainly laid the groundwork for much of the legislation we’ve seen in the past three years.
It’s fitting now that toward the end of his administration, President Obama is kicking off serious security measures that could change the face of the U.S. government, and cybersecurity in general. That being said, this is the start of an uphill battle to ensure that CNAP’s main elements — budget, establishing a federal CISO and the Commission on Enhancing National Cybersecurity — are executed in a way that actually helps the government’s current security situation.
It pains me greatly to say it, but this budget increase is likely not enough. Especially for the infrastructure overhaul, the $3 billion bump is probably more of a down payment on updating the antiquated infrastructure — which is at least partially responsible for the recent OPM and IRS security incidents.
Funds are rarely spent in the most consistent and efficient manner.
Further, the allocation of the rest of the proposed funds is potentially concerning. Each federal agency has its own budget, its own cybersecurity priorities, its own IT infrastructure, its own security requirements, its own CISO and, most importantly, its own culture. This means funds are rarely spent in the most consistent and efficient manner.
But the most obvious question around the proposed budget is whether Congress will approve it. Given the lack of cooperation between the Executive branch and the Legislative branch over the past few years, I’d say it is a huge question mark — they are already saying that the President’s budget will not be considered. It’s a shame.
The appointment of a federal CISO is a matter for which managing expectations is important from Day One — and Day One was when CNAP was announced. For instance, the CISO will not have the operational authority of most traditional CISOs; rather, he or she will have a policy-based position with (hopefully) broad responsibilities for all federal agencies.
The challenge will be how much practical authority will come with the role. Responsibility is one thing, but having the authority to carry out actions is an entirely different issue. One measure of how much gravitas the president expects out of this role is how much authority it has over budgeting and spending. My hope is that the government appoints an experienced CISO from the private sector and backs him or her up with a competent staff of policy and budgeting experts who are willing and authorized to do things that may shock bureaucrats.
Commission on Enhancing National Cybersecurity
There have been dozens of commissions, boards, councils, working groups, etc. over the past decade. Most of them have provided valuable insight and advice, though I’m not sure we have a good measure for how much of it was followed. For example, the report by the CSIS Commission on Cybersecurity for the 44th Presidency was released in December 2008, providing a comprehensive roadmap of recommendations.
There is a difference between what sounds good on paper and what actually works in the trenches.
However, I think you would find that not many of the recommendations have been ingested. This commission has the potential to be successful, but in addition to including recognized policy experts, it should be populated with a sprinkling of nationally recognized cybersecurity leaders, because there is a difference between what sounds good on paper and what actually works in the trenches.
Location and timing
Trying to cram too much into one initiative provides the potential of getting bogged down, and CNAP is already close to falling prey to this. One thing that would have tremendous impact on the government’s ability to provide better cybersecurity services among federal agencies would be to begin moving operations out of the D.C. metro area.
The cost of living in D.C. is incredibly high, and there is far too much competition for cyber talent between federal agencies and defense contractors. There are established federal centers around the country with excess capacity and, more importantly, located where people actually want to live. In areas like Colorado Springs, CO and Pensacola, FL, there are a number of military facilities, which is a great place to recruit cyber talent leaving active duty.
Regardless of location, the timing couldn’t be better — or worse. It reminds me of the old adage, “When’s the best time to plant an oak tree? A hundred years ago.” If they can get a strategy underway now, it could begin building momentum and perhaps minimize the growing pains of the new administration in January 2017.
Ultimately, time is the enemy and the greatest challenge to the success of CNAP. There’s just not enough of it, and the government thrives on inertia. People who have never worked in Washington, D.C. simply can’t comprehend how disabling the bureaucracy is and how it works against a sense of urgency.
With only 11 months left in the Obama administration, this initiative needs to get moving immediately to have any chance of success. Some of the things included in this initiative, such as requiring agencies to identify and prioritize highest-value and most-at-risk assets, are what the security industry calls table stakes. While the announcement created some initial momentum, now they need to ride that wave and immediately establish some markers to measure regular success.