Fresh from December’s passage of the Cyber Security Act of 2015, the White House and President Barack Obama double down on cyber security policy with the announcement of the Cyber Security National Action Plan (CNAP), which calls for an increase in federal funding to more than $19 billion.
The proposed plan (full details below) emphasizes the long overdue need to properly defend our nation’s critical infrastructure, highly targeted government organizations and America’s corporations.
“More than any other nation, America is defined by the spirit of innovation, and our dominance in the digital world gives us a competitive advantage in the global economy,” President Obama wrote in The Wall Street Journal. “However, our advantage is threatened by foreign governments, criminals and lone actors who are targeting our computer networks, stealing trade secrets from American companies and violating the privacy of the American people.”
The task at hand is monumental. Each and every future president will have a role in this cyber war. So, where should the country begin?
There has been some disconnect between private organizations and the federal government about who should take the first step in elevating the nation’s cyber security posture. Given their advanced technology and collaboration, the private sector should lead the public sector.
The following are priorities that should be top of mind for the private sector as we re-commit to this new endeavor.
Leverage Process, Talent
Unlike much of the public sector, the private sector has had the means to deploy the technology needed to defend critical data, workloads, information and infrastructure. While the private sector is using the technology, most organizations aren’t properly leveraging it.
Corporations can’t expect to simply buy security tools and believe they’re automatically protected. The tools need to be properly integrated, managed and optimized by trained and certified cyber security professionals, then aligned against proven processes that can not only identify attacks but systemically mitigate threats.
Stop Defending Endpoints
The sooner organizations realize that endpoints are contested space — and quit investing millions of dollars into them — the safer we will be. While this may be unsettling, it’s better to assume endpoints are compromised, start narrowing our focus and securing what cybercriminals and nation states systemically target: protected critical data.
Prepare the Cyber Workforce
Even if the ideal cyber security policies and technologies are put into place, we can’t overlook the lack of properly trained cyber security professionals. As this $19 billion is allocated, the up-and-coming workforce that will be tasked with defending data will be doing so with a very whimsical view of the Internet and its dark and nefarious places.
Younger generations have grown up thinking the Internet, its forums and all related information are a fun, safe pastime. In reality, it’s a cesspool for cybercriminals, nation states and even terrorist organizations to profit, plan and purchase the tools they need for counter operations.
We need to change this mindset. And from there, as Armor CSO Jeff Schilling has said many times, we need drastic modifications to university computer science and IT curriculums and degree paths.
The CNAP has many initiatives that attempt to address these concerns, plus a strategic list of many others. Below are the details of what is proposed within the Cyber Security National Action Plan (CNAP).
- Establish the Commission on Enhancing National Cyber Security to serve as a board of top consultants, innovators and experts to guide the initiative
- Release of the 2016 Federal Cyber Security Research and Development Strategic Plan to serve as guidelines to defend America’s national security in cyberspace
- Presidential signing of Executive Order to create Federal Privacy Council
- Increase the cyber security budget by 35 percent to more than $19 billion
- Allocate $3.1 billion for the Information Technology Modernization Fund to retire legacy technology
- Create Federal Chief Information Officer position to oversee the changes across various government agencies
- Push for elimination of single-factor, password-only authentication for citizen services, applications and accounts; accelerate use of strong multifactor authentication
- Require all agencies to properly classify and protect sensitive data and assets
- Encourage government-wide sharing of IT and cyber security services
- Evaluate use of Social Security Numbers (SSN) for citizen verification
- Provide cyber security training for small- and medium-sized businesses (SMB)
- Establish a National Center for Cyber Security Resilience to help businesses and organizations test security systems
- Require stronger certification for Internet of Things (IoT) devices and machines
- Establish Cyber Mission Force under the U.S. Cyber Command; includes 133 teams from more than 6,200 military and civilian experts