
Can cybersecurity spending protect the U.S. government?

CNAP articulates the right things, as many U.S. government cyber initiatives do, but what has captured the attention of the Beltway is the billion-dollar budget proposals.

The White House published the Cybersecurity National Action Plan, or CNAP, in February to address what the president sees as weakness in cybersecurity preparedness across the country -- problems within the federal government, private sector business, even within citizens' private lives.

The cybersecurity plan is a continuation of the Obama administration's efforts to increase the federal government's role in cyber regulation and to shore up its own cyberdefenses, as well as those of companies and organizations that are considered critical infrastructure. Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," signed in February 2013, and the passage of the Cybersecurity Information Sharing Act of 2015 last October have set the stage for CNAP and for increases in cybersecurity spending.

CNAP articulates the right things, as many U.S. government cyber initiatives do, but what has captured the attention of the usual sharks swimming around the Beltway is the $19 billion budget proposal.

The CNAP is laid out in a few categories:

  1. Establish a Commission on Enhancing National Cybersecurity (an executive order was issued that same day) to be comprised of "top strategic, business, and technical thinkers from outside of government -- including members to be designated by the bi-partisan congressional leadership." Translation: Not the best, but the most connected get a seat.
  2. Spend $3.1 billion to modernize the federal government's IT and make it secure.
  3. Hire a Federal CISO to drive changes across the federal government. Time will tell if the position has any real authority. If the Executive Office of the President follows the standard U.S. government hiring process, they will get what they pay for in the $123,175 to $185,100 position.
  4. Empower Americans. This is to promote the use of two-factor authentication with a new National Cybersecurity Awareness campaign and to push the federal government toward not using our Social Security number to identify citizen accounts throughout the government.
  5. Increase cybersecurity spending to $19 billion in the president's fiscal year 2017.

More than money

So what does this all mean? The details that are in the language of the plan, which is not a law nor is the money approved by Congress, are really just getting the basics taken care of, and at what a cost! In the larger picture, the federal government cut its own IT budget by $2.4 billion, by asking for $79 billion in FY 2017, down from $81 billion spent in FY 2015. (The $19 billion increases the percentage of the IT budget allotted to cybersecurity spending in FY 2017.)

[Photo caption: President Barack Obama tours the National Cybersecurity and Communications Integration Center in Arlington, Virginia, in January 2015.]

Although $19 billion for cybersecurity is a shipload of money, it does not solve anything if the money is not well spent. Cybersecurity is a complex and specialized field within information technology. The current state of cybersecurity practice across the federal government can at best be described as uneven. The events leading up to the Office of Personnel Management (OPM) breach, in which millions of files on government employees and the database containing the personally identifiable information (PII) from security clearances were lost to China, highlight some of the deep organizational dysfunction under which parts of the government operate.

So the question is, can more cybersecurity spending get us there from here? Spending money is the government's answer to most problems because it is a shorter-term fix than the much harder goal of steering the 2.79 million government employees, and the supporting services the government manages, toward a more secure IT environment. The government is, well, the government; it comes with all the overhead it has built up over the years. Cybersecurity is complicated, and in most places the government does not do "complicated" very well.

The federal government has a decentralized IT organization -- IT budgets and personnel are generally sorted out by departments and agencies. The department secretaries work with the president and the White House to drive the president's agenda, but they generally run the day-to-day administration of a department's offices and programs. While personnel matters, outside of the Department of Defense (DoD), are left to OPM, departments hire and manage their own IT organizations, including technology selection.

Many federal departments are comparable to Fortune 500 companies in terms of size and scale. They have thousands of employees and millions in their IT budgets. The DoD is bigger than almost any U.S. corporation, for example, so the scale of some of the IT organizations is huge.

Federal departments also run their own cybersecurity teams. The FBI and the Department of Homeland Security (DHS) provide some support to other departments. The DHS has been pushing hard to become the managed security service provider to the entire federal government -- minus the DoD -- and to do so by rule, not by exception, as illustrated by its power play in 2014 during the "Heartbleed" OpenSSL vulnerability.

When it comes to cybersecurity, the government is big on rules, rules and more rules. It has spent millions on writing down, in painful detail, exactly what needs to be done -- and what cannot be done. The Federal Information Security Management Act (FISMA) has created an environment that is all about compliance in the administration of systems, not about securing them. It is true that you can be FISMA compliant and still have a network that the bad guys can infiltrate. Developing a cybersecurity plan by checklist and managing the administrative burden does almost nothing to prevent an advanced persistent threat actor from running roughshod over a network, but that approach does create lots of work and budget for busy government contractors and employees.

Key points from Cybersecurity National Action Plan

Massive budget, government pay

So why is the president's cybersecurity plan going to make little difference in pushing the security ball forward? The federal government is a grinding bureaucracy run by political appointees and the Senior Executive Schedule (SES) staff who manage the various departments. Many departments (not all) have a CISO role -- an SES position, which pays less than a cybersecurity engineer earns in the civilian workplace.

Getting qualified people from outside the government to navigate the OPM hiring process, and then to be deemed worthy of an SES position, is hard. Candidates hire consultants to write the narratives on core competencies, which rely on form more than substance. In the end, they get what they pay for: a CISO who would never have the resume in the civilian world to manage cybersecurity in such large, complex organizations.

The security teams within these departments are typically a mix of government service employees and contractors. The sophistication of their cybersecurity practices varies. The CISOs are usually bound to a CIO, another SES position. The hack at the OPM demonstrates the quality of those employees. Short of resignation, it is almost impossible to fire a government employee or change their job. The departments outsource non-core functions like IT or IT security, using contracts that are awarded to the lowest bidder. This creates an environment that is ill equipped to handle an issue like cybersecurity, regardless of the amount of funding. More money will benefit the bureaucracy with more of the same jobs and organizations, but unless there is a fundamental change in the way the business of cybersecurity is conducted in the government, the landscape will remain uneven.

The CNAP is not funded. The monies are in the budget proposal for FY 2016, so this is really just a framework for the White House's cybersecurity spending plan. The implementation of the cybersecurity plan will fall on the next president. If people with different interests are advising that individual, then who knows -- it all might change in a few months anyway.

The president's cybersecurity plan outlines a few big things that he thinks are needed to advance cybersecurity within the U.S. government and also to help the average citizen understand how to keep their digital devices and activities safe. For the most part, the objectives of CNAP are modest; it's just that the scale of the plan is huge, and the culture of the federal government might not let it work.

This was last published in April 2016

What steps do you think the federal government should take to address cybersecurity?
1. Executive Branch establishes the Office of Cyber Security (OCS) within the FCC's Public Safety and Homeland Security Bureau.

2. All Executive Branch CISOs, and their budgets (operating and capital), to be reassigned under the direct control of OCS Director.

3. Enterprise InfoSec technology spend strategies developed to support enterprise (enterprise importation across all executive branch secretariats, agencies, and departments).

4. Require all executive branch agencies to budget for expenses necessary to meet InfoSec requirements prerequisite to obtaining an authority to securely operate (ATSO) certificate from OCS, before entering into the production phase, following an upgrade, or on an impact-category-driven periodic basis.

5. Fund DHS to be an authentic/effective MSSP, supporting all executive department agencies, by department/agency vertical.

6. Measure/Report - Measure/Report - Measure/Report
Steps...? Only one. Invest the time and money to rethink and fix the problem. 

This is so massively huge that it can (and probably will) affect every single person with access to, to, oh hell, to electricity. It will cause untold harm and cost unimaginable fortunes unless we find a solution. We need to understand that the structure itself is fundamentally flawed and our current whack & patch approach will never touch the real problem. And I cannot imagine what we're waiting for....