Obama’s cybersecurity agenda bold, but relies on untested funding, experts say
The IT Modernization Fund would require one-time funding and then be replenished down the road by agencies that have tapped it to pay for moving from old systems like mainframes to more modern, reliable and defensible machines.
“It’s not similar to anything that’s been done before,” says Ari Schwartz, former Special Assistant to the President and Senior Director for Cybersecurity for the White House, now managing director of cybersecurity services for Venable.
If the money is outlayed, agencies with aging networks and a plan to upgrade them can apply for funding right away. Federal CIO Tony Scott told reporters that he would prioritize the projects that get funding first based on which ones face the biggest security challenges.
Getting the money in the first place is nowhere near a done deal, says Mark Weatherford, former deputy undersecretary for cybersecurity at the Department of Homeland Security. If Obama hopes to get the funding before his term expires, he’ll have to push it through Congress in the next two months. “Any longer than that and they will lose the energy necessary to get this going,” he says. The government typically works slowly, he says, so Obama will be challenged to get action during an election year.
Under the fund, agencies would be encouraged to make use of shared services to make the money go farther, says Scott.
The proposed scheme would change the philosophy behind how to protect government networks, Schwartz says. Before, the departments of Justice, Homeland Security, and Defense were put in charge of defending old systems that were never going to be upgraded, he says.
+ BACKGROUND: Obama’s new cybersecurity agenda: What you need to know +
This new model would enable improvements that agencies say they need based on their own risk assessments and make them easier to defend because they would be more in line with current security technologies.
Obama’s plan calls for creating a federal Chief Information Security Officer, a post that could bring about uniform security policies across government agencies, Schwartz says. Setting overall policy has bounced from department to department and individual departmental CISOs have had their own ideas about how things should be done.
Weatherford says the CISO position should have authority over policy, but it also needs to include procurement and operational authority across agencies in order to speed the implementation of cybersecurity reforms. “The CISO needs to be both a leader and a recognized cybersecurity expert who can move the needle quickly and make decisions on behalf of the entire federal government,” he says. “Without this level of authority, there is no chance for any real success.”
Obama’s overall cybersecurity initiative includes creation of the Federal Privacy Council, which would help raise the profile of privacy as an important element of cybersecurity, says Schwartz. Currently individual agencies have Chief Privacy Officers working under agency CIOs, which tends to lower their profile and influence.
Having a separate, government-wide council will raise the standing of privacy as an issue. “It’s been minimized over the years,” he says.
Federal breaches, particularly the theft of extensive records on 22 million federal employees from the Office of Personnel Management, have undercut public confidence in the government’s commitment to protect personal data.
In addition, with the FBI and other law enforcement officials pushing for an encryption backdoor, and Edward Snowden’s revelations about the NSA gathering bulk data about electronic communications, public trust has been eroded. “It started with Snowden and continues today with the ongoing discussions about encryption and privacy,” Weatherford says, and mistrust is now a significant obstacle that this privacy council can’t fix overnight.
“It’s going to take long-term commitment on the part of the government to mend the fracture, and it probably can’t be overcome in the short time necessary to get this moving,” he says.