President Barack Obama is seeking funding for a broad, $19 billion cybersecurity initiative as part of the last budget proposal of his administration. The cybersecurity plan includes multiple elements aimed at enhancing security for the federal government’s systems as well as U.S. networks and data more broadly.
Among its many parts is a $3.1 billion revolving fund to retire and modernize legacy federal IT systems; old technology often has more vulnerabilities than newer systems.
The total $19 billion cybersecurity funding level for fiscal 2017 would represent a 35 percent increase from the last fiscal year’s $14 billion, FedScoop notes.
Developing a National Cybersecurity Plan
The budget calls for the implementation of a Cybersecurity National Action Plan (CNAP), according to a White House fact sheet. The plan directs the federal government to “take new action now and fosters the conditions required for long-term improvements in our approach to cybersecurity across the federal government, the private sector, and our personal lives.”
The plan will establish the “Commission on Enhancing National Cybersecurity,” which will include key strategic, business and technical thinkers from outside of government, to be chosen by leaders of both parties in Congress.
The Commission’s goal will be to recommend actions that can be taken by the federal government and private sector over the next decade to enhance cybersecurity while protecting privacy, fostering development of new technologies and promoting cooperation between government and industry.
The administration will drive a new awareness campaign to promote the use of multifactor authentication in addition to passwords. It will work with technology companies such as Google, Facebook, Dropbox and Microsoft “to make it easier for millions of users to secure their online accounts,” and with financial services firms such as MasterCard, Visa, PayPal and Venmo that are making transactions more secure. The federal government will take steps to safeguard personal data in online transactions between citizens and the government, including a new plan to use “effective identity proofing and strong multifactor authentication methods” as well as “a systematic review” of how the government can move away from relying on Social Security numbers as an identifier of citizens.
New Money to Replace Old Systems
The $3.1 billion fund in the CNAP, dubbed the “Information Technology Modernization Fund,” will speed along the retirement and updating of “legacy IT that is difficult to secure and expensive to maintain,” the White House fact sheet states. According to Federal Times, the General Services Administration will administer the fund, and the administration says several factors will determine which technologies are replaced first — and which agencies will be most affected.
“We’re going to prioritize applications and federal agencies that have high cybersecurity challenges,” federal CIO Tony Scott told reporters during a call on Monday, according to Federal Times. “We’re going to look for applications that can utilize shared services, the cloud and other more modern architectures, and we’re also going to focus on those applications that are high-cost to operate.”
The plan also creates a new position, the federal chief information security officer, who will report to Scott, according to Wired. The new CISO, who has not yet been named, will be responsible for driving cybersecurity policy as part of the CNAP.
“This is the first time that there will be a dedicated senior official who is solely focused on developing, managing, and coordinating cybersecurity strategy, policy, and operations across the entire federal domain,” states the White House.
The administration is requiring agencies to “identify and prioritize their highest value and most at-risk IT assets and then take additional concrete steps to improve their security.”
Additionally, the Department of Homeland Security, GSA and other federal agencies “will increase the availability of governmentwide shared services for IT and cybersecurity, with the goal of taking each individual agency out of the business of building, owning, and operating their own IT when more efficient, effective, and secure options are available, as well as ensuring that individual agencies are not left on their own to defend themselves against the most sophisticated threats.”
That step, along with the creation of the CISO position, seems to indicate that the administration wants to centralize the assessment of cybersecurity threats to federal IT infrastructure and develop plans to protect against the threats.
DHS is also “dramatically increasing the number of federal civilian cyberdefense teams to a total of 48, by recruiting the best cybersecurity talent from across the federal government and private sector,” the White House states. The teams will “protect networks, systems and data across the entire federal civilian government by conducting penetration testing and proactively hunting for intruders, as well as providing incident response and security engineering expertise.”