Obama's New Cybersecurity Plan Sticks to the Most Basic Basics

What's most surprising is that our government is not doing this stuff already.

Enable two-factor authentication. Update your systems. Maybe get someone who knows what they’re doing to handle your security needs. It’s all the standard advice you’d give a tech novice. It also happens to be the foundation of President Obama’s new Cybersecurity National Action Plan, a long-overdue, comprehensive approach to keeping our country’s digital corridors safe.

CNAP encompasses a number of measures, which vary by degrees in financial backing and plausibility. Even if all of the proposal’s planks come to pass (it is, after all, a proposal, not a law), it’s less an encouraging glimpse of our ironclad future than it is a reminder of just how insecure our government's information highways and byways are today. Still, at least the administration is addressing the basics.

Step 1: Stay Up to Date

One of the most expensive parts of the CNAP proposal may also prove to be the most effective. At the very least, it’s the most overdue: The administration wants to dedicate $3.1 billion to modernizing its legacy software and equipment. It will also create the role of Chief Information Security Officer to oversee those changes. This person will report to Tony Scott, the government's appointed Chief Information Officer, and be responsible for "developing, managing, and coordinating cybersecurity strategy, policy, and operations across the entire Federal domain," according to a fact sheet sent out by the White House's Office of the Press Secretary.

“We have a broad surface area of old, outdated technology that’s hard to secure, expensive to operate, and on top of all that the skill sets needed to maintain those systems are disappearing rather rapidly,” says Scott.

Scott wasn’t specific on the exact types of legacy systems that will be upgraded, but it’s reasonable to assume that the program includes finally ditching Windows XP, a zombie operating system that Microsoft stopped officially supporting in April of 2014. The US Navy paid $9.1 million last year to continue to receive security patches from Microsoft, and it’s not the only arm of the government still dependent on an operating system that’s several generations out of date. (In this, the US government is no different from over 11 percent of total PC users who are stalled out on a very vulnerable Windows XP.)

The fund will be meted out to agencies in increments, says Scott, to encourage incremental development. That’s to ensure that they continue to hit key milestones, rather than simply throwing a lump sum at their problems without knowing if and when they’ll see results.

Step 2: Go Beyond the Password

Another common sense initiative? Two-factor authentication, both for government employees and for citizens. Scott says that over 80 percent of government employees currently use two-factor, and that the extra security layer will be extended to Americans who interact with the government’s digital services. Part of CNAP will also include a campaign to increase awareness of two-factor authentication in the private sector, whether it’s through your Google account or your Venmo payment.

In this, the government is essentially taking it upon itself to be the nation’s nagging, tech-savvy friend, beating the authentication drums as so many pundits and publications have before them. What’s less clear is why anyone would listen to Uncle Sam if they weren’t already listening to their actual uncle, but at the very least government involvement may normalize two-factor to the point that it has a shot at becoming mainstream.

Step 3: Be Competent, Generally

The last significant plank in the CNAP platform? To make sure cybersecurity is being handled with competence at every level, in case you were under the assumption that it already is.

“Today our model is, every agency, and in fact in some cases, sub-agency, is building their cyber defenses pretty much on their own. What that really means is there’s varying levels of expertise, varying levels of capability,” says Scott. “A small agency with limited resources, frankly, has the same challenges as a very large agency that might have significantly more resources. That’s just a bad model for trying to defend against these critical adversaries.”

Friends don’t let friends set up their own firewalls, as true in the government as it is in everyday life. To that end, CNAP proposes not just to invest in scalable security architecture but to create a new generation of cybersecurity professionals. It’s going to put $62 million toward programs, grants, and scholarships to make sure that enough people have learned the requisite skills to become cybersecurity experts. It would introduce a loan forgiveness program for students with the right abilities who join the federal workforce.

Just Common-Sense Advice

What’s striking about all of these measures is that they’re not much different than the advice you’d give your neighbor, or any acquaintance with a casual interest in keeping themselves just a little bit safer. That’s encouraging, in that we’re finally getting the basics right. It’s also a little bit sobering, because it, along with yesterday’s leak of nearly 30,000 FBI and DHS employees’ contact information, is a reminder that no matter how many systems are in place, the government, just like a company or a household, is never more than one poorly placed click from being compromised.

“We know that in many instances there are vulnerabilities that are inherent in our system,” says cybersecurity coordinator Michael Daniel. “There are also vulnerabilities due to the users of those systems and the way that they operate.” Daniel also, though, sees CNAP as being able to at least mitigate the problem in critical ways, if not solve it.

“I think if you look, holistically, at what CNAP is trying to do, it’s trying to reduce the risk of all of those vectors across the board, and enable us to deploy better technologies to reduce the risk of spear-phishing, to better architect our systems so that the networks are more segmented, so that if somebody does get in they don’t get as far,” says Daniel. “It’s going to place better protections on our high-value assets, so that if they do get into something they can’t do as much with it.”

That sounds grand in theory, but until any of it gets put into practice it’s hard to get too enthusiastic. This is a president nearing the end of his second term, after all, with a Congress that delights in opposition. It’s an initiative that has noble ambitions but few details attached, especially when it comes to cyberattack response.

Maybe that, then, is why it’s not as discouraging as it should be just what kind of shape our cybersecurity is in. Hopefully it’s about to get better. It almost certainly can’t get any worse.