Government solutions to cybersecurity problems are notorious for landing wide of the mark. It’s not surprising. By nature, governments move slowly while attackers evolve fast.
But that’s not the case with the Cybersecurity National Action Plan, which the White House released Tuesday. It’s designed to bolster the nation’s ability to prepare for and respond to cyber attacks. And it got it right.
As someone who has worked in the cybersecurity field for over 20 years, I can see that the Obama administration spent a lot of time studying the issue. Perhaps the recent attacks on federal agencies, including the Office of Personnel Management and the Justice Department, provided clarity and a sense of focus. Whatever the reason, the progress is encouraging.
Past administration attempts to address the threat from cyber attacks have often been too prescriptive, such as when they recommended expanding the homegrown intrusion detection system. Other times they have been too broad, directing nebulous new “policies” that are supposed to be followed but are often quickly forgotten.
What excites me most about Obama’s plan is that this executive order represents the first act by the government that recognizes that an effective cybersecurity plan has to move from prevention to detection and response.
When there is a dollar to be spent on security, the first place most organizations spend it is on preventive measures. It makes sense. Given a choice, anyone would want to keep attackers out. But that is not the reality we live in today. It is simply not possible to prevent every attack. Organizations that have not put an equal emphasis on detection and response have been burned. They’ve lost their sensitive data. Or, in the case of the Sony hack, they have been the victims of sabotage.
Think of how security works in the physical world. If your entire security strategy is a lock on the front door, what happens when an intruder gets past it? Without an equal emphasis on detection, it is as if there were no alarm company: intruders could roam your house and take whatever they wanted. Without the ability to respond, it is as if there were no police force or medical responders to investigate and help you get back on your feet. None of this is new to security practitioners, but it is exciting to see it come from the White House.
The Cybersecurity National Action Plan, or CNAP, will fund several programs designed to raise the public’s cybersecurity awareness. One smart step in the plan is the focus on getting users to adopt multi-factor authentication, which requires users to prove their identity to a service by a second means in addition to their password. That second means can be an authenticator app that generates a short, time-limited code from a secret shared with the service, which the user types in after their password, or a text message carrying a one-time code that has to be entered. There are various forms of multi-factor authentication, and historically its use has been limited to commercial organizations and governments.
Today, consumer-focused websites and services have slowly been adding these methods for their customers. It should be no wonder that the White House is pushing for private adoption of multi-factor authentication, considering that its own staffers’ social media accounts were compromised by nation-state actors in December. I predict that this could turn into a government mandate (i.e., legislation) if the government can resolve the question of what a citizen’s “private data” is. CNAP includes a commission to research this as well.
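To make the app-generated form of the second factor concrete, here is an added example (not code from the article or from any product it mentions) of the arithmetic an authenticator app and its server share: RFC 4226 HOTP, RFC 6238 TOTP on top of it, and a server-side verifier that tolerates a little clock drift but refuses a code that has already been used. The shared secret is the RFC test-vector key, and the user name, times and window size are constructed for illustration. Note that the server has to hold that shared secret, so MFA seeds belong on the list of sensitive data an organization has to know it owns.

```python
"""TOTP authenticator codes plus a drift-tolerant, replay-resistant verifier.

Added example, not part of the original article. The secret below is the
RFC 4226/6238 test-vector key, not a real credential; the user name, time
values and drift window are constructed for illustration.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): truncate HMAC-SHA1(secret, counter) to a decimal code."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation offset
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side: accept a code within +/- `window` steps, but only once."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = {}   # per-user highest time-step counter already consumed

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        # Reject malformed input before doing any crypto.
        if len(code) != self.digits or not code.isdigit():
            return False
        now = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = now + drift
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                # Single use: a code for this step (or an earlier one) that was
                # already accepted cannot be replayed inside the drift window.
                if counter <= self.last_counter.get(user, -1):
                    return False
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: the app computes a code, the server checks it twice.
    seed = b"12345678901234567890"        # RFC test key, illustration only
    verifier = TotpVerifier(seed, digits=8)
    code = totp(seed, 59, digits=8)        # RFC 6238 vector: "94287082"
    print("code:", code)
    print("first use accepted:", verifier.verify("alice", code, 59))
    print("replay accepted:", verifier.verify("alice", code, 61))
```

The drift window is the only reason a replay is even possible: a 30-second step with a one-step window means a captured code stays valid for up to 90 seconds, which is why the verifier records the last counter it accepted per user rather than relying on the clock alone.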
While I’m on the subject of private and sensitive data, CNAP includes an executive order requiring federal agencies to conduct an assessment to identify and classify their sensitive data and critical assets. Again, this is a smart step. How can an organization possibly protect itself if it doesn’t know what to protect?
In short, CNAP goes beyond a “step in the right direction.” This is a full-on leap forward. In fact, I could argue this leapfrogs what other nations are doing for cybersecurity with one exception: the European Union. The EU has gone one step further and defined what “private” data is and how it should be handled.
However, as always, the devil is in the details. The Obama administration has ordered that a new Federal Chief Information Security Officer (CISO) be appointed whose duties will include developing, managing, and coordinating cybersecurity strategy, policy, and operations across the entire federal domain. Here, the details that matter are these: How much authority to direct change would this CISO have across the federal agencies? Will this person be held singularly accountable for all cybersecurity in the federal government? On a snarky note, I hope this role doesn’t become known as the “cyber czar.” The CISO title has become the gold standard in our industry for the person in charge of, and responsible for, cybersecurity.
Given that we are in an election year, there will no doubt be opposing parties that feel obligated to take swipes at this plan. I hope not. I hope there is bipartisan support for this executive order. The issues it addresses are too important. The government programs outlined in CNAP like small business cybersecurity awareness and additional headcount for incident response in federal agencies will require initial and continued funds to be successful.
Attackers will always get in, regardless of which party is in power. What matters is how fast the U.S. government can detect and respond to these cyberattacks. If more information is stolen, will the government be able to retrace the attacker’s steps and determine exactly what was stolen or sabotaged? The White House has just thrown down the gauntlet and set the bar pretty high. Let’s make sure we have the fortitude to see this through, or breaches like OPM will seem like child’s play.
Justin Harvey is chief security officer at Fidelis Cybersecurity. He was previously the vice president and chief technology officer of Global Solutions at FireEye, technical director at Mandiant and chief solutions strategist with HP Enterprise Security. Harvey provides commentary to several news outlets, including BBC News, Newsweek, the Guardian, Politico, eWeek, CSO, Financial Times, New York Times, U.S. News & World Report, Federal Computer Week, Reuters and the Associated Press. Follow him on Twitter @jbharvey.
Photo via U.S. Army/Flickr (CC by 2.0) | Remix by Max Fleishman