The White House on Monday announced sweeping reforms to federal cybersecurity policy that will include a congressional commission, executive orders, a new federal cybersecurity official, a move by the federal government to reduce the use of Social Security numbers, and a request to Congress for billions in funding.
“The President’s Cybersecurity National Action Plan is the capstone of more than seven years of determined effort by this administration,” White House Cybersecurity Coordinator Michael Daniel said in a call with reporters on Monday.
Daniel said the plan would direct the federal government to focus on making long-term improvements in cybersecurity infrastructure. Those measures include a Commission on Enhancing National Cybersecurity, which would require congressional authorization; and a Federal Privacy Council, which will be created pursuant to an executive order signed by the president on Monday.
“Like cybersecurity, privacy must be effectively and continuously addressed as our nation embraces new technologies, promotes innovation, reaps the benefits of big data and defends against evolving threats,” Daniel said.
The initiatives will not be cheap. The president’s fiscal 2017 budget proposal released Tuesday will include an allocation of $19 billion for cybersecurity efforts, an increase of 35 percent over the previous year.
The announcement comes after a Sunday report indicating that a breach at the Department of Justice had led to the theft of data on nearly 30,000 officials at the Federal Bureau of Investigation and the Department of Homeland Security.
“It shows you that this is a continuing threat,” Daniel said. “We’re still sort of understanding better exactly what happened there. I think the truth is that no matter how good we get, we will never stop 100 percent of all intrusions.”
While congressional approval of additional funding would be helpful, Daniel said, it would not be entirely necessary. The administration intends to drive “existing authorities to the limit.”
“Much of this package we can do under either existing executive authorities, or can get done by driving our existing authorities to the limit,” he said. “This plan really is as aggressive as we can get under existing authorities. We can do quite a bit of it even without additional resources, but that is going to be a key part of it.”
The plan includes a “Cybersecurity Awareness Campaign” that would encourage consumers to use multifactor authentication on their accounts. That would involve major companies in the tech and financial industries including Google, Facebook, Microsoft, Visa and PayPal.
Daniel added that the federal government also needs to begin investigating how to “reduce reliance on Social Security numbers as an identifier of citizens.”
To help coordinate those wide-ranging cybersecurity reforms, Daniel said, the administration is creating a new position for a “federal chief information security officer,” who will be responsible for driving, planning and implementing cybersecurity across the federal government. The position, which opens on Tuesday, will be the first dedicated senior official focused solely on developing and managing cybersecurity policy at the federal level.
The announcement follows a year in which the federal government was ravaged by cyberattacks. In addition to successful attacks against servers in the White House, State Department, and Defense Department, more than 22 million individuals had their data stolen from the Office of Personnel Management.
Congress took several measures to try to combat the loss of data to hackers. That included, Daniel pointed out, cybersecurity legislation passed in the annual omnibus package in December; the creation of a Cyber Threat Intelligence Integration Center under the auspices of the Office of the Director of National Intelligence; and federal awareness campaigns seeking to increase good “cyber hygiene” practices among federal employees.
“Despite that track record, the cyberthreat continues to outpace our current efforts,” Daniel said. “Particularly as we continue to hook more and more of our critical infrastructure up to the Internet … cyberthreats only become more frequent and more serious.
Related Story: http://www.washingtonexaminer.com/article/2582721
“If we do not address the fundamental cybersecurity challenges we face effectively, we risk cybersecurity and the Internet becoming a strategic liability for the U.S.,” he added.
