Trade Law Daily is a Warren News publication.
Privacy Group Created

White House Cybersecurity National Action Plan Seen Capping Administration Actions

The White House’s Cybersecurity National Action Plan released Tuesday is an ambitious capstone to the Obama administration’s work to improve U.S. cyberdefenses, industry lawyers and lobbyists said in interviews. But it's not certain whether Congress will sign off on the increased FY 2017 cybersecurity budget the White House proposed, lobbyists told us. The cybersecurity plan creates a federal chief information security officer (CISO) position and includes an executive order creating the Commission on Enhancing National Cybersecurity (CENC) to make recommendations on strengthening private sector and public sector cybersecurity.

The administration also is creating a privacy group of agency officials. The White House released the plans in conjunction with its $4.1 trillion FY 2017 federal budget proposal (see 1602090067), which includes more than $19 billion in funding for cybersecurity and a small increase in FCC funding.

CENC recommendations will be aimed at actions that the private and public sectors can take over the next decade to improve their cyberdefenses and “enhance cybersecurity awareness,” the White House said. The CENC will be required to provide detailed recommendations to the White House by the end of the year. The National Institute of Standards and Technology will support the commission, meaning its 2014 Cybersecurity Framework is likely to have some influence on the commission’s work. But the NIST framework certainly won’t be the only resource the CENC uses to develop its recommendations, said Norma Krayem, Holland & Knight cybersecurity expert, in an interview. The White House said it plans to include “strategic, business and technical thinkers” from the private sector in the commission, plus members nominated by congressional leaders.

President Barack Obama also signed an executive order creating the Federal Privacy Council (FPC), which the White House highlighted as key to its cybersecurity plan. The FPC will coordinate and “improve” all federal agencies’ privacy practices and the privacy practices of federal contractors, Obama said in his executive order. FPC members will include senior privacy officials from all federal departments, along with the Office of the Director of National Intelligence, Office of Personnel Management and other appropriate federal agencies. The FPC will also make recommendations on how to address the federal government’s hiring and training needs related to privacy issues.

The new federal CISO will help oversee modernization of federal agencies’ IT systems and cybersecurity management via the proposed $3.1 billion Information Technology Modernization Fund (ITMF), the White House said. The proposed ITMF funding will allow federal agencies to improve parts of their IT infrastructure that are housed at other agencies and that therefore can’t be improved using an agency’s individual cybersecurity budget, the White House said. The federal CISO will be the first “dedicated senior official who is solely focused on developing, managing, and coordinating cybersecurity strategy, policy and operations across the entire federal domain,” the White House said in a fact sheet. The federal CISO will be part of the Office of Management and Budget and will be subordinate to federal Chief Information Officer Tony Scott, the White House said. The CISO will also be in charge of monitoring federal cybersecurity spending.

The White House said the National Cyber Security Alliance’s (NCSA) new national cybersecurity awareness campaign to increase public awareness of multifactor authentication methods is another major component of the White House’s cybersecurity plan. The NCSA is partnering with Facebook, Google and other major tech firms to ease users’ ability to secure their online accounts. NCSA is also working with PayPal, Venmo and financial services companies to improve the security of online transactions, the White House said. The federal government is developing its own action plan to improve government adoption of multifactor authentication methods, including reducing reliance on Social Security numbers as a primary identifier, the White House said.

The White House cybersecurity plan incorporates agency-level initiatives aimed at improving critical infrastructure cybersecurity. The departments of Commerce, Energy and Homeland Security are jointly creating the National Center for Cybersecurity Resilience (NCCR) that will allow individual companies and sectorwide organizations to test the cybersecurity of their systems in a controlled environment. DHS is separately working with Underwriters Laboratories and other private sector entities to develop the Cybersecurity Assurance Program for testing the cybersecurity of software-embedded devices within the IoT. DHS is also increasing the number of cybersecurity advisers for doing cybersecurity assessments as part of its Critical Infrastructure Cyber Community program for encouraging voluntary industry use of the NIST Cybersecurity Framework.

The $19 billion in cybersecurity funding included in the White House’s FY 2017 budget proposal -- a 35 percent increase over the cybersecurity spending included in the FY 2016 omnibus federal spending bill enacted in December -- is important to the White House cybersecurity plan’s success, federal officials said during a conference call Tuesday with reporters. Although every agency’s cybersecurity budget differs based on its specific mission, increases in each agency’s cybersecurity budget are based on “significant efforts to upgrade and enhance their cybersecurity posture,” U.S. CIO Scott said. White House Cybersecurity Coordinator Michael Daniel noted the importance of the $3.1 billion ITMF, saying it’s “critically important that we begin to address the underlying structural weaknesses” in the federal government’s cybersecurity.

The cybersecurity plan is overall a “very good proposal” because it's a way to expand on existing administration cybersecurity efforts, including those outlined in Obama’s 2013 and 2015 cybersecurity executive orders, Krayem told us. The most potentially effective portions of the plan are likely to be the CENC and other aspects that don’t require congressional approval to implement, she said. CENC is designed to “live beyond” the administration’s planned close in January, but the effectiveness of its shorter-term goal of providing recommendations to the White House by the end of 2016 will depend on how quickly the CENC’s members can be selected and convene, Krayem said. Questions remain about how effective CENC will be in the short term given the short amount of time before its recommendations are due, said Monument Policy Group lobbyist Andrew Howell in an interview. “I think we need more information on what [the White House] thinks is reasonable in such a short timeframe,” he said.

It's less clear whether the White House will get Congress to sign off on all aspects of its cybersecurity budget, particularly any new programs like the ITMF, Krayem and others said. House Budget Committee Chairman Tom Price, R-Ga., and Senate Budget Committee Chairman Mike Enzi, R-Wyo., said in a joint statement last week that they wouldn’t hold a hearing on the White House’s full budget this year as has previously been the case. “Congress should continue our work on building a budget that balances and that will foster a healthy economy,” Price said in the statement. White House Press Secretary Josh Earnest pressed congressional Republicans Tuesday to hear out the Obama administration’s cybersecurity funding proposal. If a major cyber attack occurs this year, “I will point out that when we put forward this proposal, Republicans on the Budget Committee refused to even discuss it,” Earnest said during a news conference.

Despite the statements Enzi and Price made last week, Congress “will be very willing to listen” to the White House’s proposals on cybersecurity funding, Howell said. The White House will need to provide “strong justification” for proposals to increase agencies’ cybersecurity funding based on specific capabilities, he said. The White House’s overall cybersecurity budget proposal “is a recognition that the federal government’s IT systems are a conglomeration of systems and software acquired over years and decades, supplied by the lowest bidder, and knit and patched together by dedicated professionals doing the best that they can,” said Venable cybersecurity and telecom lawyer Jamie Barnett. Congress will certainly “want to have a discussion” about how the ITMF would work, particularly given the federal IT infrastructure issues exposed in the 2015 OPM data breaches, Krayem said. But Congress may also be wary of the White House’s initial estimates for the cost of addressing legacy IT systems since such costs “tend to be much larger up front” than originally anticipated, she said.