The White House published the Cybersecurity National Action Plan, or CNAP, in February to address what the president sees as weakness in cybersecurity preparedness across the country — problems within the federal government, private sector business, even within citizens’ private lives.
The cybersecurity plan is a continuation of the Obama administration’s efforts to increase the federal government’s role in cyber regulation and to shore up its own cyberdefenses, as well as those of the companies and organizations that are considered critical infrastructure. Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” signed in February 2013, and the passage of the Cybersecurity Information Sharing Act of 2015 last October have set the stage for CNAP and for increases in cybersecurity spending.
CNAP articulates the right things, as many U.S. government cyber initiatives do, but what has captured the attention of the usual sharks swimming around the Beltway is the $19 billion budget proposal.
The CNAP is laid out in a few categories:
- Establish a Commission on Enhancing National Cybersecurity (an executive order was issued that same day) to be comprised of “top strategic, business, and technical thinkers from outside of government — including members to be designated by the bi-partisan congressional leadership.” Translation: Not the best, but the most connected get a seat.
- Spend $3.1 billion to modernize the federal government’s IT and make it secure.
- Hire a Federal CISO to drive changes across the federal government. Time will tell if the position has any real authority. If the Executive Office of the President follows the standard U.S. government hiring process, they will get what they pay for in the $123,175 to $185,100 position.
- Empower Americans. This is to promote the use of two-factor authentication with a new National Cybersecurity Awareness campaign and to push the federal government toward not using our Social Security number to identify citizen accounts throughout the government.
- Increase cybersecurity spending to $19 billion in the president’s fiscal year 2017.
More than money
So what does this all mean? The details in the language of the plan, which is not a law, and whose money Congress has not approved, really amount to just getting the basics taken care of, and at what a cost! In the larger picture, the federal government cut its own IT budget by $2.4 billion, asking for $79 billion in FY 2017, down from $81 billion spent in FY 2015. (The $19 billion increases the percentage of the IT budget allotted to cybersecurity spending in FY 2017.)
Although $19 billion for cybersecurity is a shipload of money, it does not solve anything when the money is not well spent. Cybersecurity is a complex and specialized field within information technologies. The current state of affairs within the cybersecurity practice across the federal government can at best be described as uneven. The events leading up to the Office of Personnel Management (OPM) breach, in which millions of files on government employees and the database that contained the personally identifiable information (PII) from security clearances were lost to China, highlight some of the deep organizational dysfunction that parts of the government operate under.
So the question is, can more cybersecurity spending get us there from here? Spending money is the government’s answer to most problems because it is a shorter-term fix than the much harder goal of steering the 2.79 million government employees, and the supporting services the government manages, toward a more secure IT environment. The government is, well, the government; it comes with all the overhead it has built up over the years. Cybersecurity is complicated, and in most places the government does not do “complicated” very well.
The federal government has a decentralized IT organization — IT budgets and personnel are generally sorted out by departments and agencies. The department secretaries work with the president and the White House to drive the president’s agenda, but they generally run the day-to-day administration of a department’s offices and programs. While personnel matters, outside of the Department of Defense (DoD), are left to OPM, departments hire and manage their own IT organizations, including technology selection.
Many federal departments are comparable to Fortune 500 companies in terms of size and scale. They have thousands of employees and millions in their IT budgets. The DoD is bigger than almost any U.S. corporation, for example, so the scale of some of the IT organizations is huge.
Federal departments also run their own cybersecurity teams. The FBI and Department of Homeland Security (DHS) provide some support to other departments. The DHS has been pushing hard to become the managed security service provider to the entire federal government — minus the DoD — and to do so by rule, not by exception, as illustrated by their power play in 2014 during the “Heartbleed” OpenSSL vulnerability.
When it comes to cybersecurity, the government is big on rules, rules and more rules. It has spent millions on writing down, in painful detail, exactly what needs to be done — and what cannot be done. The Federal Information Security Management Act (FISMA) has created an environment that’s all about compliance in the administration of systems, not securing them. It is true that you can be FISMA compliant and still have a network that the bad guys can infiltrate. Developing a cybersecurity plan by computer and managing the administrative burden does almost nothing to prevent an advanced persistent threat actor from running roughshod over a network, but that approach does create lots of work and budget for busy government contractors and employees.
Massive budget, government pay
So why is the president’s cybersecurity plan going to make little difference in pushing the security ball forward? The federal government is a grinding bureaucracy run by political appointees and the Senior Executive Schedule (SES) staff who manage various departments. Many departments (not all) have a CISO role — an SES position, which pays less than a cybersecurity engineer in the civilian work place.
Getting qualified people from outside the government to navigate the OPM hiring process, and then to be deemed worthy of an SES position, is hard. Candidates hire consultants to write the narratives on core competencies, which rely on form more than substance. In the end, the government gets what it pays for: a CISO who would never have the resume in the civilian world to manage cybersecurity in such large, complex organizations.
The security teams within these departments are typically a mix of government service employees and contractors. The sophistication of their cybersecurity practices varies. The CISOs are usually bound to a CIO, another SES position. The hack at the OPM demonstrates the quality of those employees. Outside of resignations, it is almost impossible to fire or change the job of a government employee. The departments outsource non-core functions like IT or IT security, using contracts that are awarded to the lowest bidder. This creates an environment that is ill-equipped to handle an issue like cybersecurity, regardless of the amount of funding. More money will benefit the bureaucracy with more of the same jobs and organizations, but unless there is a fundamental change in the way the business of cybersecurity is conducted in the government, the landscape will remain uneven.
The CNAP is not funded. The monies are in the budget proposal for FY 2016, so this is really just a framework for the White House’s cybersecurity spending plan. The implementation of the cybersecurity plan will fall on the next president. If people with different interests are advising that individual, then who knows — it all might change in a few months anyway.
The president’s cybersecurity plan outlines a few big things that he thinks are needed to advance cybersecurity within the U.S. government and to help the average citizen understand how to keep their digital devices and activities safe. For the most part, the objectives of CNAP are modest; it is just that the scale of the plan is huge, and the culture of the federal government might not let it work.