7 Keys to President Obama’s $19 Billion Cybersecurity Plan
President Obama’s final budget included his most detailed proposals yet to modernize Federal Information Technology, including an overall $19 billion investment in cybersecurity and a $3.1 billion revolving fund to help replace aging government systems that are most vulnerable to cyberattacks.
“Too often government IT is like an Atari game in an Xbox world,” Obama wrote in a Feb. 9 Op-ed article in the Wall Street Journal. “The Social Security Administration uses systems and code from the 1960s. No successful business could operate this way.”
The president’s budget submission, together with a series of executive orders released at the same time, fleshes out his plans for improving information technology in government, increasing information security, protecting citizen privacy and educating the public.
What’s in the president’s plan? Here are seven things you need to know:
The Big Picture
President Obama’s budget plan would invest $19 billion in cybersecurity through his Cybersecurity National Action Plan. The plan focuses on four areas:
- Modernizing existing systems with a focus on increasing data security.
- Developing a robust cyber workforce, addressing a national shortage of talent through a combination of training, scholarships and student debt forgiveness programs intended to attract specialists who might otherwise opt for the private sector. “We’ll even let them wear jeans to the office,” Obama joked.
- Public-private partnerships to deter, detect and disrupt threats, including a new cybersecurity Center of Excellence to work with industry to develop new cyber technologies; a national testing lab, where companies can test their systems’ security under simulated attacks; and cyber training for small business through the Small Business Administration.
- Increasing public awareness through a national campaign to encourage industry and the public to “move beyond passwords” and embrace multi-factor authentication.
The president’s final budget submission to Congress includes a $3.1 billion Information Technology Modernization Fund (ITMF), a revolving investment pool that would let agencies fund modernization efforts without having to dip into agency operating or capital funds.
“This revolving fund will enable agencies to invest money up front and realize the return over time by retiring, replacing, or modernizing antiquated IT infrastructure, networks and systems that are expensive to maintain, provide poor functionality and are difficult to secure,” the White House said.
According to the budget report, the fund would be administered by a review board “comprised of experts in IT acquisition, cybersecurity and agile development,” which would select projects for funding based on business cases presented by individual agencies. Projects deemed to have the greatest risk profiles, government-wide impact and probability of success would take priority.
“The board would identify opportunities to replace multiple legacy systems with a smaller number of common platforms,” the report explains, and a team of systems architects and developers would provide oversight and development capabilities.
Most important: The revolving fund would be self-sustaining by requiring agencies to repay investments through the savings yielded by the modernization efforts. The White House estimates that its initial $3.1 billion investment will yield $12 billion in value over 10 years.
Create a new Federal Chief Information Security Officer
The President will appoint a first-ever Federal Chief Information Security Officer (CISO) to lead the Federal government’s cybersecurity efforts. The White House posted the CISO job description Feb. 9, explaining that the new CISO will report to Federal Chief Information Officer Tony Scott and work in the Office of Management and Budget, the president’s central management organization.
While the new Federal CISO has no direct budget authority, he or she will have oversight responsibility to review budgets “across the entire government” and “provide input into the development of the annual president’s budget so that it reflects cybersecurity priorities across Federal departments and agencies,” according to the job description.
The Federal CISO will also:
- Chair the Information Security and Identity Management Committee (ISIMC) of the Federal CIO Council and work to align agency CISOs under a common vision and approach
- Develop metrics for measuring cybersecurity performance
- Create government-wide role-based cybersecurity and awareness training and establish a government-wide program for recruiting, training and retaining cybersecurity experts
- Act as a liaison between the White House and the three Federal entities with national-level cyber authority: the departments of Homeland Security and Defense and the Office of the Director of National Intelligence, as well as with other CISOs across government.
Establish a Commission on Enhancing National Cybersecurity
The president established a 12-member bipartisan Commission on Enhancing National Cybersecurity, designating in an executive order that members will be nominated by the majority and minority leaders in the House and Senate. The commission is to issue a final report by Dec. 1 recommending:
- Advances in identity management, authentication, and cybersecurity of online identities
- Approaches to ensuring stable, adaptable national security standards for the Internet of Things and cloud computing
- Areas for research and development investment to enhance cybersecurity
- Ideas for increasing the quality, quantity and expertise of the nation’s cybersecurity workforce (for both government and private sector)
- Strategies for improving commonsense cybersecurity practices for the general public
The broadly written order empowers the panel to develop a governance model for managing cybersecurity risk and seeks strategies the Federal government can use to help state and local entities enhance their own cybersecurity.
Accelerate and Upgrade Cyber Defenses
The budget would:
- Invest $275 million to accelerate the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, a $6 billion effort to enable agencies to monitor their networks and defend against potential cyber threats.
- Provide $471 million to upgrade Einstein, the National Cybersecurity Protection System, and accelerate its deployment across the federal government. Einstein is supposed to block suspicious Internet traffic and detect potential intrusions before they blow up into full-scale breaches. But the multi-billion-dollar program was criticized by a Government Accountability Office report in January for failing to adequately deal with the most sophisticated threats posed by nation-states, lacking adequate metrics to evaluate performance, and inadequately defining future requirements.
- Invest $318 million in cybersecurity R&D activities at Federal civilian agencies
- Provide $62 million to address cyber workforce shortages
- Provide $24.2 million to support DHS software assurance efforts
Research & Development
The Federal Cybersecurity R&D Strategic Plan released by the National Science & Technology Council Feb. 5 defines three research and development goals “to provide the science, engineering, mathematics, and technology necessary to improve cybersecurity.”
- Near-Term (1-3 years). Achieve science and technology (S&T) advances to counter adversaries’ asymmetrical advantages with effective and efficient risk management.
- Mid-Term (3-7 years). Achieve S&T advances to reverse adversaries’ asymmetrical advantages, through sustainably secure systems development and operation.
- Long-Term (7-15 years). Achieve S&T advances for effective and efficient deterrence of malicious cyber activities via denial of results and likely attribution.
The report focuses on both research and talent development, specifically calling for increased diversity in the cybersecurity workplace.
Establish a Federal Privacy Council
Addressing cybersecurity is almost impossible without addressing the privacy concerns at the heart of much of the cyber debate. After all, it was personal data exposed through breaches at the Office of Personnel Management and at the Internal Revenue Service that raised the greatest outcry about cybersecurity in government.
By Executive Order Feb. 9, the president established the Federal Privacy Council to govern Federal privacy standards and ensure public trust that “the Government must strive to uphold the highest standards for collecting, maintaining, and using personal data.”
The order requires the Director of the Office of Management and Budget to issue by June 9 new guidance for the senior privacy official at every Federal agency, defining required expertise and resources, and establishes the Federal Privacy Council as the principal interagency forum to improve the Government privacy practices of agencies and entities acting on their behalf.
The panel will be chaired by OMB’s deputy director for management and include privacy officers from the departments of State, Treasury, Defense, Justice, Interior, Agriculture, Commerce, Labor, Health and Human Services, Homeland Security, Housing and Urban Development, Transportation, Energy, Education and Veterans Affairs, along with the Environmental Protection Agency, Office of the Director of National Intelligence, Small Business Administration, National Aeronautics and Space Administration, Agency for International Development, General Services Administration, National Science Foundation, Office of Personnel Management and the National Archives and Records Administration.