
White House Announces Cybersecurity National Action Plan

Allison Bender

12 February 2016
The passage of the Cybersecurity Information Sharing Act of 2015 is proving to be just the beginning of a national focus and call for a “bold reassessment of the way we approach security in the digital age” in order to not only combat evolving cyber threats but also to cultivate an environment for a continually evolving digital age with boundless opportunities for the American economy. On February 9, 2016, the President directed his Administration to implement a Cybersecurity National Action Plan (CNAP) designed to do just that.

The cybersecurity budget increase associated with CNAP is significant: the 2017 Presidential Fiscal Year budget will be $19 billion—35% above that of Fiscal Year 2016. While it remains to be seen how much support will be given by Congress, this request nevertheless signals the Administration’s significant prioritization of cybersecurity in its final year.

On February 12, Michael Daniel, Special Assistant to the President and White House Cybersecurity Coordinator, explained at a Washington, DC event that the CNAP is a “capstone project for the Administration that brings together seven years of efforts, focused on two key time frames—the next year before the end of the Administration and the long-term—addressing two key areas—the private sector and the Federal Government.” These culminating efforts of the Obama Administration are being driven by a recognition of what Daniel called a “strategic inflection point” for the United States, where the advantages of being a highly connected nation are being undermined by “a strategic volatility that [adversaries] can hold us to, unlike any other domain.”

Private Sector

In the near term, the CNAP establishes several programs to support the growth and enhancement of public and private sector “connected” businesses, including the creation of a national cybersecurity testing center, a security certification program for networked devices, and an investment in the backbone of Internet “utilities.”  In addition to providing resources and support for those currently engaged in the cybersecurity and connected industries, the CNAP provides for several programs designed to encourage and enrich the development of cybersecurity experts in the years to come.

The Commission on Enhancing National Cybersecurity. Among the steps is the creation of a Commission on Enhancing National Cybersecurity. This Commission will be made up of not more than 12 leading non-governmental cyber thinkers, tasked with making recommendations of both public and private actions that can be taken over the next decade to strengthen cybersecurity. This bi-partisan Commission, which the White House notes has the backing of Congressional Leadership, will draw upon diverse sectors of the digital economy and elements from across the digital ecosystem to develop recommendations for addressing systemic cybersecurity challenges. Recommendations are expected by “December 1, 2016,” according to Daniel.

National Cybersecurity Awareness Campaign, Use of Multifactor Authentication. The CNAP calls for the creation of a National Cybersecurity Awareness Campaign, directed toward consumers. The campaign will be geared toward providing consumers with the information they need to protect themselves in an increasingly interconnected world, such as educating consumers on the use of multifactor authentication to secure online accounts. Multifactor authentication includes passwords for log-on, plus use of a biometric or a secondary code received by text or voicemail. The Administration is also calling on companies to enable multifactor authentication for their users.

The Cybersecurity Assurance Program. In addition, the Department of Homeland Security will work with industry partners, including Underwriters Laboratories, to create a security certification program for networked devices: the Cybersecurity Assurance Program. This would bring into being a program anticipated since at least the summer of 2015, when leading industry representatives announced their work on a “CyberUL.” Details of the program and the standards are forthcoming.

Strengthening Internet “Utilities.” Recognizing that enhancing and growing the nation’s cybersecurity will require strengthening of fundamental technical utilities, the CNAP provides for the coming together of the Government and private sector organizations, such as Linux Foundation’s Core Infrastructure Initiative, to fund and secure open-source software, protocols, and standards, among other things.

National Center for Cybersecurity Resilience. The CNAP calls for the establishment of a National Center for Cybersecurity Resilience, where companies and sector-wide organizations will be able to test the security of systems in a contained environment. The Center will be supported by the Department of Homeland Security, the Department of Commerce, and the Department of Energy.

Enhance Cybersecurity Education and Training. Among the education and awareness efforts is the creation of a Cybersecurity Core Curriculum, designed to ensure that graduates who wish to join the Federal Government in a cybersecurity-related position have the knowledge and skills that they need to serve and succeed. In addition, the CNAP provides for the creation of a CyberCorps Reserve program. The CNAP would also enhance the National Centers for Academic Excellence in Cybersecurity Program by increasing the number of academic institutions and students participating in the program and by evolving the cybersecurity curriculum.

Modernization of Government IT

The Federal Privacy Council. Also a new arrival is a permanent Federal Privacy Council (FPC), composed of the Chief Privacy Officers of agencies across the government. The FPC will look not at private companies’ use of data, but at retention, hiring, professional development, and best practices.

Finally, the CNAP provides for the modernization of Government information technology by, among other things, creating a new position of Federal Chief Information Security Officer, and investing $3.1 billion in the Information Technology Modernization Fund, which will be key to avoiding infrastructure challenges that led to the vulnerabilities implicated in major breaches this past year at OPM, the Department of Interior and others.

Other enhancements to the Government’s information technology include:

  • Decreasing reliance on Social Security Numbers as a means of identification;
  • Adopting and using effective identity proofing and strong multi-factor authentication methods;
  • Requiring agencies to identify and prioritize their highest value and most at-risk IT assets and take concrete steps to improve the security of those assets;
  • Increasing the availability of government-wide shared IT and cybersecurity services;
  • Enhancing the Department of Homeland Security’s EINSTEIN and Continuous Diagnostics and Mitigation programs, and encouraging widespread agency adoption of the programs; and
  • Increasing the number of Department of Homeland Security civilian cyber defense teams.

Next Steps

Notably, in the spring, the Administration will release a policy for national cyber incident coordination as well as a severity methodology for evaluating cyber incidents so that the Government and private sector can communicate more effectively. We will cover these, and other updates, as they develop.
