Officially, October is National Cybersecurity Awareness Month, but it has become clear that February is the preferred month for the White House to unveil cybersecurity initiatives.
A year ago at this time, the White House convened a Cybersecurity Summit at Stanford University, with President Obama traveling out for a public workshop and meetings with tech executives. It was just before Valentine’s Day 2014 that the director of the National Institute of Standards and Technology (NIST) came to Brookings to unveil NIST’s Cybersecurity Framework, a roadmap for organizations to review their cybersecurity risk and map their cybersecurity preparedness to a variety of global standards. One year before that, the administration’s cybersecurity leaders gathered at the Department of Commerce to announce the executive order that directed and empowered NIST to develop its framework. (And, while only partially related to cybersecurity, the White House announced its Consumer Privacy Bill of Rights in February 2012.)
This February’s announcement was the administration’s Cybersecurity National Action Plan, featuring $19 billion for new cybersecurity initiatives at federal agencies and the establishment of a chief information security officer (CISO) for the federal government.
Over the course of these events, I have seen the unfolding of the Obama administration’s cybersecurity policy. Cybersecurity has been a priority issue since early in the administration when—in February 2009—the president ordered a 60-day review of cybersecurity policies and programs. It has taken seven of the administration’s eight years to make palpable progress.
The NIST Framework has proved to be the signature initiative. Nominally, this framework was aimed at critical infrastructure but, in practice, it has provided a toolkit for institutions of all shapes and sizes. A lot has changed in the two years since the framework came out (motivated as well by high-profile data breaches). In its 2013 annual survey of corporate boards of directors, the accounting firm BDO flagged cybersecurity as an issue getting increasing attention. In its 2014 survey, 59 percent of directors said they were more involved in cybersecurity than the year before, and a year later 69 percent said they were more involved than in 2014. Of those, 33 percent are now meeting on the issue quarterly and 87 percent at least once a year. As more organizations become involved in promoting cybersecurity, the NIST framework is providing a benchmark they can use as a guide; among other organizations, the British government, the Securities and Exchange Commission, and commercial insurers refer to the NIST framework in assessing cybersecurity preparedness.
For much of the life of the Obama administration, cybersecurity policy was focused on legislation enabling information sharing. Looking at the prospects for cybersecurity and privacy legislation on TechTank a year ago today, I commented that cybersecurity legislation was a fertile area for the White House and Congress to work together to show they can get results. Sure enough, 2015 saw the enactment of the Cybersecurity Information Sharing Act, facilitating sharing of threat information between companies and the federal government. This month, the Departments of Justice and Homeland Security issued guidelines for private sector information-sharing.
This year’s February White House initiative focuses on getting the federal house in order. These days, most private companies paying attention to cybersecurity have CISOs. It’s time for the federal government to do the same.
Even so, CISOs have a hard time getting the job done until they can persuade their managements to commit resources. I recall sitting in Presidential Management Committee meetings reviewing agency scorecards on cybersecurity that were filled with red, reflecting critical deficiencies, and being told we had to finish the job with existing resources. The Cybersecurity National Action Plan is overdue recognition that if the federal government is going to be serious about protecting its own cybersecurity, it needs to put additional resources into the task.
The executive order creating a Privacy Council and agency officers for privacy formalizes what Office of Management and Budget (OMB) Director Shaun Donovan announced last December and what OMB guidance has required under the 2002 Federal Information Security Management Act. In fact, even without OMB leadership, federal chief privacy officers met as a group. The National Science & Technology Council privacy subcommittee I co-chaired from 2009-2012 included a working group led by agency privacy officers who worked from the bottom up to implement fair information practices across federal agencies.
Rather than introducing new solutions, the Cybersecurity National Action Plan provides more resources, leadership, and focus to the challenges of government cybersecurity. In the end, the success of the NIST framework shows that a lot can be accomplished by encouraging thorough and continuous attention to good housekeeping and hygiene.