President Obama, in a commentary piece in the Wall Street Journal, has laid out a plan that, in his words, “includes $3 billion to kick-start an overhaul of federal computer systems.” It has been characterized as not only an important initiative but one that is long overdue.
As the President explains:
“More than any other nation, America is defined by the spirit of innovation, and our dominance in the digital world gives us a competitive advantage in the global economy. However, our advantage is threatened by foreign governments, criminals and lone actors who are targeting our computer networks, stealing trade secrets from American companies and violating the privacy of the American people.”
He goes on to cite a few of the well-known data breaches of the last few months, and the fact that surveys have found that nine out of 10 Americans say they feel they have lost control of their personal information. In fact, it is surprising that it isn’t 100 percent, at least among those who engage in e-commerce transactions.
Following the reasons why cyberthreats pose such a clear present and future danger to national security as well as national economic vitality, the president highlights a few of the steps that have already been taken to shore up our cyber defenses, including the signing of legislation in December that is aimed at better sharing of information between government and industry.
The president also notes that those with malicious intent are getting more sophisticated and their attacks more pernicious, and that the U.S. needs to invest more in protecting our personal and corporate information.
As a result, he announced a new Cybersecurity National Action Plan. “Backed by my proposal to increase federal cybersecurity funding by more than a third, to over $19 billion, this plan will address both short-term and long-term threats, with the goal of providing every American a basic level of online security.”
The specifics are as follows:
Those are the broad strokes. For those interested in more granularity, the White House has also released an FAQ called The President’s National Cybersecurity Plan: What You Need to Know.
As you might expect, my inbox has been flooded with comments from cybersecurity experts on the announcement. Two that I thought are worth sharing follow.
Jon Oberheide, CTO of Duo Security, noted: "We're encouraged to see that the Federal Government is taking a proactive approach to security. Within this initiative is the use of two-factor authentication, which is a basic step to significantly improving the overall security hygiene and protecting against data breaches. We'd like to encourage organizations of all sizes, across all industries, to consider adding basic security measures to protect their corporate data, and two-factor is a great first step."
After a government official acknowledged that just “throwing money at the problem” will not work, and that “You’ve got to do business differently,” Oberheide responded that: "The acknowledgement that 'just throwing money at the problem will not work' is right on. We've seen a huge increase in spending in the area of cybersecurity and yet the breaches continue. It's about finding security solutions that are manageable and that your employees will use. Otherwise, without adoption by employees and contractors, these security measures don't have a chance of being effective against a breach. We're pleased to see that the government is rethinking the idea of cybersecurity and improving their overall security hygiene."
Jeff Hill, Channel Marketing Manager at STEALTHbits Technologies, had an interesting take that is real food for thought. He noted that:
“In absolute terms, the figures released by the White House are encouraging, as $19 billion is nothing to sneeze at, nor is a $5 billion year-over-year budget increase…More telling, however, is that the Federal Government spends about $700 billion annually on Defense, Intelligence, and Homeland Security. So the cybersecurity budget is proposed to increase from 2 percent ($14 billion in FY2016) of the overall budget for protecting our nation’s interests and its people to 2.7 percent ($19 billion in FY2017).
This budget priority reality begs the question: do cyber-attacks – from organized state actors, to well-heeled crime syndicates, to independent hackers looking to make a name for themselves – represent a mere 2 or 3 percent of the risk to our nation’s economy and the safety of its citizens? Three percent priority might be progress, but we’ve got a long way to go.”
I chose these from the multitudes received because they hit on two important points. The first is that we all have to do our fair share, as individuals and as IT administrators, to use common sense and readily available best practices such as anti-virus and anti-malware software, two-factor authentication, and encryption. The reason, as every IT security professional agrees, is that while no set of security solutions is fail-safe, the goal is to force bad actors to really work to create mischief and, hopefully, to make them look for softer targets.
Second, the question of whether we are spending enough, even with the new proposals, to protect our national security and economic vitality is a good one. Hill’s last sentence, about what can be viewed as an incremental increase in cybersecurity spending given the risk, is not just astute; it should be a call to action for the industry to keep the pressure on for an even more aggressive approach.
Many years ago, at one of the first public security conferences I attended, a distinguished panel of experts was asked to choose the nightmare scenario from, as memory serves me, the following options:
Obviously, all of the options really are nightmares. However, the panel was unanimous in selecting the last one. And it must be noted that this was before the mass adoption of the Internet. In the intervening years, access to the Internet has become pervasive, and bad guys of all types, as we are painfully aware, have become extremely sophisticated. In short, what is at risk has grown enormously.
This is certainly true for the U.S. federal government, where the number of daily hacking attempts has become almost mind-boggling, and where aging computer systems that hold absolutely critical information are both highly vulnerable and common. It is equally true for enterprises, where customer data and intellectual property have been pilfered at alarming rates.