President Barack Obama is going all-in on cementing his cyber legacy this week with his budget proposal for fiscal year 2017, which he proposed "to increase federal cybersecurity funding by more than a third, to over $19 billion," up from $14 billion last year.
Writing in an op-ed piece in the Wall Street Journal, President Obama described his cyber budget plan, which includes a $3 billion fund to "kick-start" a badly needed overhaul of government computer systems. The president noted "government IT is like an Atari game in an Xbox world," and the "Social Security Administration uses systems and code from the 1960s."
The president announced the implementation of a Cybersecurity National Action Plan (CNAP), which includes the creation of a commission to be comprised of members from outside government to make recommendations on cybersecurity in the public and private sectors. Included in the CNAP is the establishment of a federal CISO and various measures to "expand the cybersecurity workforce."
The president said it was important "to build a corps of cyberprofessionals," and promised to offer scholarships and forgive student loans in the effort to recruit the best talent from Silicon Valley and the private sector. "We'll even let them wear jeans to the office," he added.
In addition to measures to improve recruitment of cyberprofessionals, the plan aims to strengthen partnerships with the private sector to "deter, detect and disrupt threats," and to help "empower Americans to protect themselves online," including urging citizens to use multifactor authentication.
According to the White House fact sheet, CNAP "takes near-term actions and puts in place a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety, as well as economic and national security, and empower Americans to take better control of their digital security."
However, Republican members of the Senate and U.S. House budget committees are taking a hard line on the proposed budget, and both committees announced jointly that they would not meet with the director of the Office of Management and Budget to review the president's budget, according to a press release.
"It appears the president's final budget will continue to focus on new spending proposals instead of confronting our government's massive overspending and debt," said Senate Budget Committee Chairman Mike Enzi (R-Wyo.).
Senate Democrats lashed back: "This year, with no unusual circumstances to prevent us from doing our work, we have been provided with no reasonable explanation for the decision not to hold a hearing," they wrote in a letter to Enzi. The senators noted it would be "the first time in the budget committee's history that no such hearing has taken place," and budget hearings were even held in February 2004, when all Senate buildings had been closed due to "the presence of the toxin ricin in a Senate office."
White House press secretary Josh Earnest shot back at the budget committee Republicans, noting the inevitability of another major cyberintrusion before the end of President Obama's term in office.
"There is a robust proposal in here that many of you have already reported on that includes a stepped-up investment in protecting the country, protecting government systems from cyberattacks and cyberintrusions," Earnest said. "That's an important piece of business that's critical to our national security; it's certainly critical to our economy. That's all the more reason it's unfortunate that Republicans on the budget committee won't even have a conversation with us about it."
Reception of the cyber budget proposals was mixed, though security experts agreed that the focus on cybersecurity is a positive development.
"I am encouraged that the administration drew heavily on recommendations and best practices from private industry," said Ryan Gillis, vice president of cybersecurity strategy and global policy at Palo Alto Networks, based in Santa Clara, Calif. "However, the ultimate significance of today's announcements depends heavily upon Congress and the next administration to implement."
Ray Rothrock, CEO of cybersecurity analytics firm RedSeal Inc., based in Sunnyvale, Calif., said the budget announced today indicates "an important recognition and investment in the defense of the critical information infrastructure of the United States."
"The federal government is finally taking bold steps to fulfill what the Constitution says in its preamble -- 'to provide for the common defense'; in this case, the common cyberdefense," Rothrock said. "The proposal by the president can be an excellent step in leading the world to a more cyber resilient future."
Chase Cunningham, director of cyberthreat research for security firm Armor Defense Inc., based in Richardson, Texas, said the amount allocated in the cyber budget "is more than enough," but the government shouldn't think it can simply throw money at the problem.
"We could spend a trillion dollars and it would not be enough to push our country ahead of the oncoming attacks that will be prevalent for the next five years. We aren't leveraging technology, we are simply using it -- and that's a formula for failure," Cunningham said. "We need to be leveraging new and innovative approaches to the underlying technical issues that are focused on the disease, not treating the symptoms with tons of cash."
According to Phil Dunkelberger, CEO of authentication security firm Nok Nok Labs Inc., based in Palo Alto, Calif., support for a move away from passwords in President Obama's cyber proposal was also noteworthy.
"The No. 1 reason for a data breach is compromised login credentials, and the White House advocating for moving beyond usernames and passwords is a positive step forward," Dunkelberger said. "It is a good move to shine the light on multifactor authentication, as that addresses the festering data breach problem."
However, some experts, including Mark Weatherford, chief cybersecurity strategist for data center security firm vArmour, based in Mountain View, Calif., had concerns about the new federal CISO position for which the government is now recruiting.
"Creating a federal government CISO is an important step, but will not be successful without true policy, procurement and operational authority over federal agencies," Weatherford said. "The CISO needs to be both a leader and a recognized cybersecurity expert who can move the needle quickly and make decisions on behalf of the entire federal government. Without this level of authority, there is no chance for any real success."
Weatherford noted the high cost of living in the Washington, D.C., area and suggested that efforts to recruit cybersecurity workers might be hampered until government agencies "begin actively establishing operational cybersecurity facilities outside of the D.C. Metro area."
Pay for the federal CISO -- the position is posted with a salary range of $123,175 to $185,100 -- may also be an issue. "Anyone well-qualified to take the proposed Federal Chief Information Security Officer position will obviously think long and hard about how successful they could actually be in such a position," said Tim Layton, chief intelligence officer for cyber-threat intelligence firm SurfWatch Labs Inc., based in Sterling, Va. "In the booming market, where top organizations are vying for cybersecurity talent, our government must rethink their approach."