White House Wants to Revamp Cybersecurity In New $19B Plan

A Capitol Hill staff member holds a copy of President Barack Obama's fiscal 2017 federal budget after it is delivered to the House Budget Committee Room on Capitol Hill in Washington, Tuesday, Feb. 9, 2016.

Andrew Harnik/AP

AA Font size + Print

A Capitol Hill staff member holds a copy of President Barack Obama's fiscal 2017 federal budget after it is delivered to the House Budget Committee Room on Capitol Hill in Washington, Tuesday, Feb. 9, 2016.

President Obama's last budget also calls for a new chief information security officer and $62 million to help hire 10,000 new workers.

The White House today proposed spending 35 percent more on IT security efforts in 2017 and announce an immediate opening for a U.S. chief information security officer.

The funding and personnel adjustments come after a year of constant disclosures about agency hacks that, in the most egregious case, compromised 21.5 million background check records maintained by the Office of Personnel Management. Most recently, a Justice Department computer breach allegedly led to a leak on Monday of professional contact information for tens of thousands of FBI and Department of Homeland Security personnel.

A broad Cybersecurity National Action Plan accompanying the budget will detail the new federal crackdown on lax security, as well as consumer-oriented and industry data protection initiatives.

It is intended to go after the underlying causes of our cybersecurity challenges, not just the symptoms,” Michael Daniel, U.S. cybersecurity coordinator, said Monday evening, in advance of the budget’s release on Tuesday. “Ultimately, we want to enhance cybersecurity awareness and protections, protect privacy, ensure public safety and economic and national security, and empower Americans to take better control of their digital security.” 

See also: US Homeland Security’s $6B Firewall Has More Than a Few Frightening Blind Spots

President Barack Obama will propose spending $19 billion on information security programs, up $5 billion from last year’s cyber-funding request.

The new U.S. CISO, which the administration hopes to hire within the next 60 to 90 days, will be perched inside the Office of Management and Budget within 60 to 90 days and report to U.S. Chief Information Officer Tony Scott.

The addition of a federal chief information security officer throws into question the role of the Department of Homeland Security in cyberspace. 

A job posting for the U.S. CISO is scheduled to be published today. The new official will “work closely with military and intelligence officials across the government,” Scott said. “That’s a key role that many private sector companies have long implemented and is good practice for the federal government.”

The addition of a federal CISO throws into question the role of the Department of Homeland Security in cyberspace. Congress in late 2014 assigned DHS the permanent task of overseeing civilian cybersecurity operations, including federal network protection.  Scott said the CISO’s responsibility differs from DHS’ duty in that the chief must exercise power of the purse. 

One of the things that’s unique about OMB,” he said, “is that, even just given its name, it has both management and budget responsibilities. And those are both two powerful things that can help shape and influence practice in each agency.”

Along with the new hire comes a request for $62 million to support federal cybersecurity hires across the board. Scott has previously said the government will need to fill about 10,000 openings for cyber professionals in 2016. 

We’ve all understood quite acutely that there’s a shortage of people skills with the right cybersecurity education and skills across the federal government,” Scott said Monday. The money would go toward programs, grants and scholarships “designed to enhance the quality of people and the quality of the skills in the cybersecurity workforce that are available to the government.”

The White House expects to publish a policy for national cyberincident coordination, with a companion ‘severity methodology,’ later in the spring. 

The government will work on a cybersecurity core curriculum to make sure graduates entering the federal government have the proper knowledge and capabilities. Also, an existing Scholarship for Service program that provides financial aid to students who commit to joining the federal workforce will be expanded to include a civilian agency “CyberCorps Reserve” scholarship program. In addition, certain student loans will be forgiven for cybersecurity professionals who join the federal workforce. 

The Cybersecurity National Action Plan builds upon a Cybersecurity Strategy and Implementation Plan issued to civilian agencies last October as a response to the OPM hack, officials said. 

This plan really is as aggressive as we can get under existing authorities, and we can do quite a bit of it even without the additional resources,” Daniel said. “But that is going to be a key part of it. And that’s why we’re going to be working very closely with Congress to get their full support and buy-in for this plan.”

As for the most recently reported agency hack of DHS phone numbers, U.S. officials are still sorting through what happened, said Daniel, who called the incident a “breach.” 

Read more: 5 Ways to Clarify and Strengthen US Cybersecurity Law

The truth is that no matter how good that we get, we will never stop 100 percent of all intrusions,” so the plan also includes incident response elements, he added.

The White House, by this spring, expects to publish a policy for national cyberincident coordination across the public and private sectors, with a companion “severity methodology.” The hack scale is intended to help the government and industry describe the impact of situations in a way that will prompt a consistent level of response. 

In a related move, Obama is anticipated to sign an executive order Tuesday to create a federal privacy council, akin to the Federal CIO Council formed in 2002. 

We’ll bring together privacy officials across the government to ensure a more strategic and comprehensive federal privacy set of guidelines and enhance our ability to responsibly collect and store data in our rapidly evolving digital economy,” Daniel said. The personal information of citizens outside the federal government has been exposed in recent years by the Internal Revenue Service and U.S. Postal Service, among other agencies.

Close [ x ] More from DefenseOne
 
 

Thank you for subscribing to newsletters from DefenseOne.com.
We think these reports might interest you:

  • Federal IT Applications: Assessing Government's Core Drivers

    In order to better understand the current state of external and internal-facing agency workplace applications, Government Business Council (GBC) and Riverbed undertook an in-depth research study of federal employees. Overall, survey findings indicate that federal IT applications still face a gamut of challenges with regard to quality, reliability, and performance management.

    Download
  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

    Download
  • GBC Issue Brief: Supply Chain Insecurity

    Federal organizations rely on state-of-the-art IT tools and systems to deliver services efficiently and effectively, and it takes a vast ecosystem of organizations, individuals, information, and resources to successfully deliver these products. This issue brief discusses the current threats to the vulnerable supply chain - and how agencies can prevent these threats to produce a more secure IT supply chain process.

    Download
  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

    Download
  • Information Operations: Retaking the High Ground

    Today's threats are fluent in rapidly evolving areas of the Internet, especially social media. Learn how military organizations can secure an advantage in this developing arena.

    Download

When you download a report, your information may be shared with the underwriters of that document.