The Obama administration is creating a new high-level federal official to coordinate cybersecurity across civilian agencies and to work with military and intelligence counterparts, as part of its 2017 budget proposal announced Tuesday.
The $19-billion increase in cybersecurity funding across all government agencies -- up more than from 35 percent from last year -- is entitled the "Cybersecurity National Action Plan" and is an effort touted by the White House as the "capstone" of seven years of often faltering attempts to build a cohesive, broad federal cybersecurity response. Measures include more cybersecurity training for the private sector, emphasizing multi-factor authentication on tax data and government benefits and efforts to reduce the use of Social Security numbers as identifiers.
The tasking of a single high-level official with tracking down cyber intruders in federal government networks establishes a position long in place at companies in the private sector. The lack of such a government role has been especially notable after hackers stole the personal information of 21 million Americans, whose information was housed at the Office of Personnel Management. The U.S. believes the hack was a Chinese espionage operation.
"Today our model is every agency, and in fact, in some cases, sub-agency, is building their cyber defenses pretty much on their own," said Tony Scott, the U.S. Chief Information Officer, who would supervise the new cybersecurity official inside the Office of Management and Budget. He said every agency ends up with varying levels of expertise and capabilities, while small agencies with limited resources struggle with the same challenges a larger agency with more resources does. "That's just frankly a bad model of how to defend against these critical adversaries."
The chief information security officer position, which was posted Tuesday, is expected to be filled in 60 to 90 days, Scott said.
"The bottom line, it's great to have more senior executive-level attention on the issue but the challenge is whether that person will almost certainly be vested with any actual authorities and so it always kind of boils down to that," said Jacob Olcott, a former congressional legal advisor on cybersecurity.
The budget notes that U.S. Cyber Command is building a Cyber Mission Force of 133 teams assembled from 6,200 military, civilian and contractors from across military and defense agencies. The force will be fully operational in 2018 but has already been used for some cyber operations.
The president also proposed a $3.1 billion effort to modernize the often antiquated federal technical infrastructure and networks, replacing legacy systems that have frequently serve as critical gaps in cybersecurity. While many of the proposals such as the new cybersecurity official can be done through existing appropriations or executive authorities, the modernization effort will require congressional approval, said Michael Daniel, special assistant to the president and cybersecurity coordinator.
The White House expects broad support for what has not been a partisan issue.
The budget includes more cybersecurity advisors, a roughly fourfold increase in civilian cyber defense teams at the U.S. Department of Homeland Security, charged with security for the .gov domain, to 48.
The Department of Homeland Security plans to expand its EINSTEIN system, which was created to detect and block cyberattacks on federal agencies. The program received a scathing review last month by the Government Accountability Office, which said the system can only detect known threats but can't deal with more complex threats such as previously unknown "zero-day exploits" or problematic system behavior that could signify an attack.
The president signed an executive order Tuesday creating a permanent Federal Privacy Council, which will bring together privacy officials from across government to help with implementing comprehensive federal privacy guidelines. The president is also establishing a Commission on Enhancing National Cybersecurity that would involve congressional and private sector leaders who will be tasked with making recommendations in government cybersecurity for the next decade.
Rep. Jim Langevin, a Rhode Island Democrat who is co-chairman of the Congressional Cybersecurity Caucus, praised the administration's cybersecurity efforts in the 2017 budget proposal and for "laying the groundwork for his successor to continue to make needed policy reforms to protect federal infrastructure from the serious threats we face in cyberspace."