President's Cyber Action Plan Once Again Spotlights the Private Sector

This week, President Obama directed his administration to implement a Cybersecurity National Action Plan (CNAP) with near- and long-term steps to improve both public and private sector cybersecurity. The President's FY 2017 Budget proposes spending $19 billion on CNAP initiatives, a 35 percent increase in cybersecurity spending over his FY 2016 budget. The CNAP places significant focus on the private sector's role in securing the nation's cyber borders and, in many ways, draws heavily on the private sector's experience with cyber resilience and an enterprise-wide, multi-year approach to cybersecurity.

As with earlier public/private initiatives, the CNAP contemplates voluntary activities and does not impose cybersecurity obligations on the private sector. Relevant highlights from the CNAP include:

• Expanding support for critical infrastructure. The CNAP extends prior federal efforts to strengthen voluntary partnerships with private companies that own and operate key resources and assets and that provide products and services critical to the nation's day-to-day life. These efforts include
  (i) creating the National Center for Cybersecurity Resilience, where private companies can test their system security in a controlled environment before deploying to the real-world; (ii) doubling the number of advisors available to assist critical infrastructure with cybersecurity assessments and best practices; (iii) creating the Cybersecurity Assurance Program to test and certify connected devices within the Internet of Things (IoT) that meet threshold security standards; and (iv) urging healthcare stakeholders to develop and refine their data security practices. 
• 
  
• Improving cyber hygiene. The CNAP calls for Americans to move beyond basic passwords and instead take advantage of the increased protection provided by multi-factor authentication (MFA). The administration will kick off a public awareness campaign and work in coordination with technology and financial services companies to make MFA technology accessible and to help individual Americans understand their role in protecting the nation's cybersecurity. Separate efforts will be made to further the president's "BuySecure" initiative that focuses on Chip-and-PIN payment systems and to promote the Federal Trade Commission's IdentityTheft.Gov resource for victims of identity theft. The CNAP additionally calls on federal agencies to use MFA, adopt identity proofing practices, and further reduce their reliance on social security numbers.
• 
  
• Enhancing cyber incident response. Acknowledging the volume of U.S. cyber incidents experienced over the last year, the CNAP calls for maintaining resilience when incidents occur, in addition to focusing on prevention and deterrence. By this spring, the administration will release a policy for national cyber incident coordination. The policy will be accompanied by a methodology for evaluating the severity of cyber incidents to enable government agencies and the private sector to communicate effectively and provide an appropriate and consistent level of response when incidents occur.
• 
  
• Establishing the Commission on Enhancing National Cybersecurity. The Commission will consist of twelve cybersecurity experts – all from outside of the federal government – who will be charged with crafting recommendations for government activities over the next decade to improve public and private cybersecurity while protecting privacy.
• 
  
• Modernizing government IT and governance. The CNAP directs federal agencies to begin retiring, replacing, and modernizing outdated IT infrastructure, with the assistance of a $3.1 billion "IT Modernization Fund," which departs from the traditional federal model of year-end, lump-sum IT funding in favor of strategic and long-term agency investments in modernization. At the same time, agencies would transition to a shared-services, government-wide approach to IT that would permit agencies to benefit from each other's experiences and move toward standardized cybersecurity practices. The CNAP creates the position of Federal Chief Information Security Officer, who will report to the Federal Chief Information Officer and will be exclusively focused on developing, managing, and coordinating federal cyber strategy. 
• 
  
• Developing cybersecurity technology and workplace skills. The CNAP also incorporates the National Science and Technology Council's 2016 Federal Cybersecurity Research and Development Strategic Plan for evidence-based improvements in cybersecurity technology, and identifies a number of cybersecurity education and training initiatives to develop the cybersecurity expertise that federal agencies will need to follow through on improving their cybersecurity.

The CNAP builds on recent federal efforts to enhance the country's cybersecurity posture, including proposed guidance for implementing cyber protections in federal acquisitions, President Obama's Public-Private Sector Cybersecurity Information Sharing Executive Orders, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and a Cybersecurity Strategy and Implementation Plan for agencies to identify and address their cybersecurity gaps. Significantly, much of the CNAP as applied to federal agencies reflects lessons learned and best practices already in place in the private sector, and thus is an important step toward bringing federal cybersecurity practices more in line with their private sector counterparts.

As the end of the president's term approaches, the CNAP is an ambitious and consistent next step in this administration's series of cybersecurity initiatives, but it is by no means a quick or light undertaking. To succeed, the CNAP requires a long-term commitment from the next administration, federal agencies, and the Hill, not to mention a $19 billion infusion from the House of Representatives.