Less than a year removed from the unsettling news of massive hacks at the Office of Personnel Management, the Obama administration made concerted efforts in early 2016 to shore up agencies’ cybersecurity governmentwide with new policies and funding proposals.
With the release of the president’s fiscal 2017 budget request in February, the administration launched the Cybersecurity National Action Plan.
That policy builds, in large part, on 2015’s Cybersecurity Strategy and Implementation Plan to modernize federal IT systems and the corresponding sprint to improve agencies’ basic cybersecurity posture. It requires multifactor authentication for access, a reduction in privileged users and patching of critical vulnerabilities — the types of deficiencies blamed for the 2015 OPM breaches.
“The cyberthreat continues to outpace our current efforts,” Michael Daniel, White House cybersecurity coordinator, said in February. “As we continue to hook more and more of our critical infrastructure up to the internet and as we build out the Internet of Things, cyberthreats only become more frequent and more serious. If we do not begin to address the fundamental cybersecurity challenges we face effectively, we risk cybersecurity and the internet becoming a strategic liability for the U.S.”
The Obama administration requested a 35 percent increase in federal cybersecurity funding — up from $15 billion in fiscal 2016 to $19 billion for fiscal 2017 — but the proposal was not addressed in the continuing resolution that funds the government through April 28.
Related to CNAP and also part of that budget request was a revolving $3.1 billion IT modernization fund, which was included in various forms of legislation in 2016 — most recently the Modernizing Government Technology Act — but never solidified. Legislators are hoping to try again at passing the measure when the 115th Congress meets next year.
“Over the last year, I have directly observed the need to modernize our information systems across the federal government,” said Tony Scott, federal chief information officer. “We have a broad surface area of old, outdated technology that’s hard to secure, expensive to operate and on top of all of that, the skill sets needed to maintain those systems are disappearing rather rapidly.”
Much more of the plan came to fruition later in the year, such as the introduction in September of the first federal chief information security officer, retired Brig. Gen. Greg Touhill, who served previously as deputy assistant secretary for cybersecurity and communications in the Department of Homeland Security’s Office of Cybersecurity and Communications. In that role, Touhill serves as a central figure to ensure best practices across federal agencies.
The plan also created the Commission on Enhancing National Cybersecurity, tasked with developing recommendations for ways the federal government and private sector can strengthen cybersecurity. The commission delivered its findings in early December, recommending, among other things, that the incoming Trump administration should in its first 100 days launch programs to train 150,000 cyber-professionals during the next four years.
“The Commission’s recommendations affirm the course that this administration has laid out, but make clear that there is much more to do and the next administration, Congress, the private sector, and the general public need to build on this progress,” President Barack Obama said in a statement. Calling the recommendations “thoughtful and pragmatic,” he said he had urged the commissioners to brief the Trump transition team “at their earliest opportunity.”
A huge part of the policy still in development, however, is recruiting and retaining a world-class cybersecurity workforce in the federal government.
The White House introduced in July the first Federal Cybersecurity Workforce Strategy, a four-part cyber workforce strategy that aims to create a path for cybersecurity professionals to take a “tour of duty” in the public sector over their career.
“We must recognize that these changes will take time to implement, and the workforce strategy’s long-term success will depend on the attention, innovation, and resources from all levels of government,” a White House blog post from July reads. “The initiatives discussed in this Strategy represent a meaningful first step toward engaging Federal and non-Federal stakeholders and provide the resources necessary to establish, strengthen, and grow a pipeline of cybersecurity talent well into the future.”
OPM has also since created new hiring tools to make it easier for federal agencies to hire cybersecurity workers.