The Obama administration Feb. 9 proposed a federal budget request for FY ’17 that includes more than $19 billion for cyber security efforts, a 35 percent increase over FY ’16 levels, to help combat growing cyber threats to public and private networks and infrastructure, White House officials said on Feb. 8.
Nearly half of the proposed increase, $3.1 billion, will come from a new account for modernizing government information technology (IT) to retire, replace and modernize legacy IT systems, the officials said on a conference call with reporters that was embargoed until the morning of Feb. 9.
“I’ve become acutely aware of the challenges that agencies face in trying to upgrade and modernize systems in the agencies across the federal government,” said Tony Scott, the United States Chief Information Officer (CIO). “We have a broad surface area of old, outdated technology that’s hard to secure, expensive to operate, and on top of all that the skill sets needed to maintain the systems are disappearing rather rapidly.
Some of the IT Modernization account will be put toward the creation of a Federal Chief Information Security Officer (CISO), who will report to the United States Chief Information Officer. The CISO will “drive” the IT modernization across the government, a White House fact sheet says.
The new CISO job was announced Feb. 9 and the White House expected to fill the role in the following 60 to 90 days, Tony Scott, the federal CIO, said on a conference call with reporters on the evening of Feb. 8 that was embargoed until the morning of Feb. 9. The CISO “will be responsible for the policy, practice, and coordination of information security across the civilian agencies in the federal government and will work closely with military and intelligence officials across the government,” he said.
Michael Daniel, the White House cybersecurity coordinator, warned that “the cyber threat continues to outpace our current efforts, and particularly as we continue to hook more and more of our critical infrastructure up to the Internet and as we build up the Internet of Things, cyber threats will only become more frequent and more serious. If we do not begin to address the fundamental cyber security challenges we face effectively, we risk cyber security of the Internet becoming a strategic liability for the U.S.”
The larger budget requests for federal departments and agencies will be released this afternoon, although the White House offered a number of specifics in its fact sheet. It says that the budget proposal supports all federal civilian agencies adopting the Department of Homeland Security’s (DHS) EINSTEIN cyber intrusion detection and prevention system and the Continuous Diagnostics and Mitigation program. It also says that DHS, General Services Administration (GSA) and other federal agencies “will increase the availability of government-wide share services for IT and cybersecurity, with the goal of taking each individual agency out of the business of building, owning and operating their own IT when more efficient, effective, and security options are available, as well as ensuring that individual agencies are not left on their own to defend themselves against the most sophisticated threats.”
The fact sheet also says that the Justice Department, including the FBI, is increasing its cyber security-related funding by more than 23 percent “to improve their capabilities to identify, disrupt, and apprehend malicious cyber actors.”
Daniel said that Obama believes more needs to be done in the cyber security domain, which is why the White House on Feb. 9 announced a series of new measures, some of which are within his executive authorities, and others like the IT Modernization account, will require congressional approval.
The new initiatives build on a number of actions the president has taken since coming to office in 2009 to bolster the nation’s cyber security posture such as creating the voluntary Cybersecurity Framework and Information Sharing and Analysis Organizations, establishing the Cyber Threat Intelligence Integration Center, and most recently signing bipartisan comprehensive cyber security legislation, Daniel said.
A key new effort is the Cybersecurity National Action Plan (CNAP), which is aimed at the federal government and “our broader digital society,” Daniel said. The CNAP has near-term and longer-term initiatives “and is intended to go after the underlying causes of our cyber security challenges, not just the symptoms,” he said.
The CNAP includes the IT Modernization fund and a new Commission on Enhancing National Cybersecurity, which will includes strategic, business and technical “thinkers” from outside the government. The Commission will make recommendations on actions to take to strengthen cyber security in the public and private sectors, including privacy protections, the White House said.
The increased federal investments as part of the $19 billion request in FY ’17 are part of the CNAP and will include $62 million for training and hiring more cyber security professional for the federal government.
Another aspect of the plan is a new National Cybersecurity Awareness Campaign being launched by the National Cyber Alliance to improve online security of all Americans in part by recommending the use of multifactor authentication to secure accounts. Companies like Alphabet’s [GOOG] Google, Microsoft [MSFT], PayPal [PYPL] and Visa [V] will be partnering with the Alliance to help people safeguard their accounts.
The federal government will also do more to protect transactions between citizens and the government, including a new action plan for the government to used identity proofing and multi-factor authentication to reduce reliance on Social Security Numbers, according to a fact sheet the White House released.
Congress will have a say in appointing commission members, the White House said.
DHS will also double the number of its advisers that assist the private sector with cyber security assessments and implementing best practices. As part of a strengthened outreach with the private sector, DHS and the Departments of Commerce and Energy will also establish a National Center for Cybersecurity Resilience for companies and sector-wide organizations can test the security of system in a contained environment, “such as by subjecting a replica electric grid to cyber attack,” the fact sheet says.
DHS, working with Underwriters Laboratory and industry, will also develop a Cybersecurity Assurance Program, that will “test and certify networked devices within the ‘Internet of Things’” to ensure it has been certified to meet security standards, the fact sheet says.
The IT Modernization Fund will be self-sustaining, revolve over time and be administered by the GSA. The fund will prioritize applications in agencies with a “high cyber security challenge” with a focus on applications that are costly to operate and “can utilize shared services, the cloud and other more modern architectures,” which will make it easier for smaller agencies to get the help they need, Scott said.
The revolving nature of the fund means successful agencies “will get sourcing from this fund” in increments, which “will encourage incremental development as they hit key milestones and objectives,” Scott said. Agencies will also have to pay back over time the funds they receive from the account, he said, which “will encourage engagement of senior executives within the agency” in the interests of “better governance.”
Scott said this approach through the IT Modernization account will foster between $12 billion and $15 billion of new application development over time.
Other announcements coming from the White House Feb. 9 include release of the congressionally-mandated 2016 Federal Cybersecurity Research and Development Strategic Plan that shows the strategic research and development goals for the United States to advance cyber security technologies, working with the Linux Foundation’s Core Infrastructure Initiative to fund and secure common Internet utilities such as open-source software, and creation of a permanent Federal Privacy Council consisting of privacy officials from across the government to “help ensure the implementation of more strategic and comprehensive federal privacy guidelines,” the fact sheet says.