Obama’s new cybersecurity agenda: What you need to know

In response to mounting cyber attacks on federal networks, President Barack Obama is seeking $19 billion for cybersecurity, more than a 35% increase over last year’s spending, and calling for a federal CISO to oversee all the upgrade of outdated and insecure cyber infrastructure.

The number of information security incidents grew more than 11-fold between 2006 and 2014 to 67,168, and attacks from other countries have been on the rise.

+More on Network World: Feds’ primary network security weapon needs more bang+

Notably China has acknowledged that hackers there were connected to the breach of the Office of Personnel Management which lost comprehensive records of 22 million federal employees, contractors and job applicants.

Public-facing federal Web sites have been abused, most notoriously the Internal Revenue Service’s online services which coughed up detailed tax records of more than 334,000 taxpayers to hackers scamming the system.

To help stem the tide, Obama has announced the Cybersecurity National Action Plan, which lays down a series of specifics to stem the tide and modernize the government’s digital networks. It would strengthen security but also provide for the education of experts needed to ensure ongoing improvements.

Here are the essentials of the plan:

• Allocate $3.1 billion for upgrading outdated and hard to secure cyber infrastructure.
• Appoint a federal CISO to oversee the upgrade. The job will be to develop, manage and coordinate cybersecurity strategy, policy, and operations across the federal government.
• Establish the Commission on Enhancing National Cybersecurity – This group of business and tech leaders, some of whom to be appointed by Congress, will draw a 10-year cybersecurity roadmap to promote best practices. The plan will include enhancing cybersecurity awareness, protecting privacy, maintaining public safety and economic and national security, and empowering Americans to take better control of their digital security. The group will be backed by the National Institute of Standards and Technology (NIST).
• Up total spending on cybersecurity to $19 billion, a boost of more than 35% over last year.
• Create the Federal Privacy Council to create strategic and comprehensive federal privacy policy across agencies.
• Educate consumers about cybersecurity via the National Cyber Security Alliance, an existing non-profit that includes the Department of Homeland Security (DHS) as well as private businesses such as Symantec, Cisco, Microsoft, SAIC and EMC. It calls for encouraging use of multi-factor authentication as well as implementing an unnamed means of adoption of “effective identity proofing.”
• Require agencies to do a risk assessment of the date they are in charge of, and then implement a plan to protect it better.
• Push for shared IT services – such as cloud – to improve efficiency and lift the burden of individual agencies having to create their own secure infrastructure.
• Expand Einstein, the DHS program that records and analyzes netflow records and runs an IDS on government network traffic. The expansion would include running all government Internet traffic through a few central locations and running it through an IPS. Expand the DHS Continuous Diagnostics and Mitigation program for automating network risk assessment.
• Increase DHS cyber-defense teams to 48 to conduct penetration tests, search for intrusions, provide security expertise and incident response.
• Expand the number of colleges and universities that are part of the National Centers for Academic Excellence in Cybersecurity program, and fund scholarships for cybersecurity degrees that incorporate a federal core cybersecurity curriculum. In return, recipients agree to work for the government in cybersecurity programs, with the possibility of student-loan forgiveness. That would be funded at $62 million.
• Identity proof public-facing federal Web sites to prevent fraud, such as filing phony tax returns for the refunds.
• Reducing federal use of Social Security numbers as a means of ID to help prevent identity theft.
• Support regional cybersecurity training for small businesses through the Small Business Administration, the Federal Trade Commission and NIST.
• Create a testbed to test defenses for critical infrastructure such as the electric grid. This is run by DHS, Department of Commerce and Department of Energy.
• Develop a program to certify that Internet of Things devices are secure.
• Lay out strategic R&D goals for cybersecurity technology.
• Work with and help fund open source technologies to ensure their security.