WASHINGTON — The Obama administration is creating a new high-level federal official to coordinate cybersecurity across civilian agencies and to work with military and intelligence counterparts, as part of its 2017 budget proposal announced Tuesday.
The $19-billion increase in cybersecurity funding across all government agencies — up more than from 35 percent from last year — is entitled the “Cybersecurity National Action Plan" and is an effort touted by the White House as the "capstone" of seven years of often faltering attempts to build a cohesive, broad federal cybersecurity response. Measures include more training for the private sector, emphasizing measures such as password and pin authentication to sign onto tax data and government benefits. The budget also proposes that the government reduce the use of Social Security numbers for identification.
The tasking of a single high-level official with tracking down cyber intruders in federal government networks establishes a position long in place at companies in the private sector. The lack of such a government role has been especially notable after hackers stole the personal information of 21 million Americans, whose information was housed at the Office of Personnel Management. The U.S. believes the hack was a Chinese espionage operation.
The announcement came as Director of National Intelligence James Clapper testified before lawmakers Tuesday, warning that U.S. information systems are vulnerable to cyberattacks by foreign powers — specifically calling out Russia, China, Iran and North Korea as the most potent threats — during his annual assessment of top dangers facing the country.
"Today our model is every agency, and in fact, in some cases, sub-agency, is building their cyber defenses pretty much on their own," said Tony Scott, the U.S. Chief Information Officer, who would supervise the new cybersecurity official inside the Office of Management and Budget. He said every agency ends up with varying levels of expertise and capabilities, while small agencies with limited resources struggle with the same challenges a larger agency with more resources does. "That's just frankly a bad model of how to defend against these critical adversaries."
The chief information security officer position, which was posted Tuesday, is expected to be filled in 60 to 90 days, Scott said. The White House said that person will "drive cybersecurity policy, planning, and implementation for IT systems across" the federal government and set and monitor performance goals for agencies.
"The bottom line, it's great to have more senior executive-level attention on the issue but the challenge is whether that person will almost certainly be vested with any actual authorities and so it always kind of boils down to that," said Jacob Olcott, a former congressional legal adviser on cybersecurity.
The budget notes that U.S. Cyber Command is building a Cyber Mission Force of 133 teams assembled from 6,200 military, civilian and contractors from across military and defense agencies. The force will be fully operational in 2018 but has already been used for some cyber operations.
The president also proposed a $3.1 billion effort to modernize the often antiquated federal technical infrastructure and networks, replacing legacy systems that have frequently serve as critical gaps in cybersecurity. While many of the proposals such as the new cybersecurity official can be done through existing appropriations or executive authorities, the modernization effort will require congressional approval, said Michael Daniel, special assistant to the president and cybersecurity coordinator.
The White House expects broad support for what has not been a partisan issue.
The budget includes more cybersecurity advisers, a roughly fourfold increase in civilian cyber defense teams at the U.S. Department of Homeland Security, charged with security for the .gov domain, to 48.
The Department of Homeland Security plans to expand its EINSTEIN system, which was created to detect and block cyberattacks on federal agencies. The program received a scathing review last month by the Government Accountability Office, which said the system can only detect known threats but can't deal with more complex threats such as previously unknown "zero-day exploits" or problematic system behavior that could signify an attack.
The president signed an executive order Tuesday creating a permanent Federal Privacy Council, which will bring together privacy officials from across government to help with implementing comprehensive federal privacy guidelines. The president is also establishing a Commission on Enhancing National Cybersecurity that would involve congressional and private sector leaders who will be tasked with making recommendations in government cybersecurity for the next decade.
Rep. Jim Langevin, a Rhode Island Democrat who is co-chairman of the Congressional Cybersecurity Caucus, praised the administration's cybersecurity efforts in the 2017 budget proposal and for "laying the groundwork for his successor to continue to make needed policy reforms to protect federal infrastructure from the serious threats we face in cyberspace."