On February 9th President Obama announced the Cybersecurity National Action Plan, including steps such as establishing a cybersecurity commission, introducing new safeguarding measures and supporting both companies and consumers in strengthening their own security. He’s also put his money where his mouth is, backing this up by reserving $19 billion of spending to implement the plan. In his accompanying statement, he said that this new plan was critical to national security and that “criminals, terrorists, and countries that wish to do us harm” are becoming more sophisticated and more frequent in their attacks.
So what’s actually in the plan?
A significant element of the plan is the setting up of what’s being called the ‘Commission on Enhancing National Security’ which is due to be established this year. It’s intended to include top strategic, business and technical members in order to advise government administration on how to improve cybersecurity practices in the interest of ‘public safety’.
Upgrades to infrastructure
Obama hopes to use $3.9 billion of the fund to hire a new federal CISO and make significant upgrades to government IT networks and hardware. This will also include purchasing software and other platforms which can help to strengthen the government’s security, such as defence mechanisms and testing tools.
As could have been anticipated from previous proposed measures such as CISA, there’s also mention of collaborating with the private sector and the major IT companies such as Google, Microsoft, Apple and Facebook.
Encouraging Better Authentication
While there’s no suggestion of any legal requirements being put in place, the plan does refer to using educational means to encourage stronger security measures such as two-factor authentication. This would apply to consumers and organisations alike. A wise move, as we’ve seen that customers can be greatly influential when it comes to encouraging change.
A Federal Privacy Council
There are also plans to set up a Federal Privacy Council, whose responsibility it would be to ensure the security of government citizen data. The US doesn’t have the same stringent data protection laws as European countries, so this sort of measure is likely designed to reassure American citizens in the wake of some notable government breaches last year, such as the issue uncovered at Inland Revenue and the hacking of some high-profile email accounts.
A testing centre
Intended mainly to address concerns about attacks on infrastructure, a ‘National Center for Cybersecurity Resilience’ will also be set up, allowing companies to test the integrity of their networks in a secure environment. No details are given about what this testing might entail, but presumably it would include an arsenal of testing tools and simulated attacks aimed at locating any weaknesses. It might basically be a huge pen testing playground.
Cracking down on criminals
In addition to increasing cyber law enforcement budgets by 23 percent, the White House also intends to set up a new Cyber Mission Force of 6,200 individuals by 2018. This would represent a large increase in the manpower devoted to tackling cybercrime, and the plan also mentions working more closely with allied nations to tackle those ‘bad actors’ situated overseas.
The plan also covers improvements to incident response, which the President had already alluded to in earlier addresses. The intention is to improve communication between companies and the government when attacks take place.
Details are thin for now, but since the plan has been released and $19 billion already earmarked for its implementation, no doubt we can expect further details to follow. Naturally, the outcome of this year’s election might alter any plans considerably.