White House reveals plan to bolster American cybersecurity

The Cybersecurity National Action Plan, which will be announced Tuesday, comes as the government scrambles to improve its own cybersecurity in the wake of the massive breach on the Office of Personnel Management.

The White House is rolling out a major initiative to fortify the government's digital defenses and educate Americans about ways they can improve their own digital security.

The Cybersecurity National Action Plan (CNAP), which will be announced Tuesday, comes as the government is scrambling to improve its own cybersecurity after the Office of Personnel Management breach that exposed intimate details on some 22 million people.

The government's plan is also meant to help businesses better protect networks and sensitive information from hackers who have successfully infiltrated major American banks, healthcare companies, and retailers over the past year.

If Washington doesn't take action to bolster the nation's digital security, said President Obama's Cybersecurity Coordinator Michael Daniel, "we risk cybersecurity and the Internet becoming a strategic liability for the US."

Obama’s budget request to Congress Tuesday would boost cybersecurity spending to $19 billion for fiscal year 2017, a 35 percent increase over the resources he allocated for cybersecurity this fiscal year.

Mr. Daniel and other officials offered more details on how that money would be spent under the CNAP. The White House wants $3.1 billion for a special Information Technology Modernization Fund to retire and replace aging systems in the federal government.

"Over the last year, I’ve become acutely aware of the challenges agencies face in trying to upgrade and modernize the systems," said Tony Scott, the federal chief information officer. "We’re going to prioritize applications in federal agencies that have a high cybersecurity challenge."

To oversee this effort, the White House plans to create a new job: A federal chief information security officer, who would coordinate information security practices across the civilian agencies. "That’s a key role that many private sector companies have long implemented, and is good practice for the federal government," said Mr. Scott, who hopes the post will be filled within 90 days.

The White House is also announcing a $62 million investment in programs, grants, and scholarships designed to enhance the "quality of people, and quality of skills, in the cybersecurity workforce available to the government," Scott said. "We’ve all understood quite acutely there’s a shortage of people skills with the right cybersecurity education and skills across the federal government."

Symantec, a security software vendor, has projected the demand for skilled cybersecurity workers will rise to 6 million by 2019 – but fall short by 1.5 million people. Meanwhile, the US government and private companies are competing over available talent.

A new CyberCorps Reserve program will offer scholarships for Americans to get cybersecurity education and serve in the civilian federal government. The government will also work on a curriculum to ensure the graduates will be well-trained, Scott said. It will also implement a loan forgiveness program for cybersecurity experts who join the federal workforce.

The Obama administration’s plan extends also to the public, with a focus on encouraging Americans to move beyond passwords and use multiple factors of authentication to log in to their online accounts, such as via fingerprints or codes sent to mobile devices. The nonprofit National Cyber Security Alliance will partner with tech companies such as Google, Facebook, and Microsoft to make it easier for users secure their accounts online.

And the White House wants to strengthen core Internet technologies, said Ed Felten, deputy US chief technology officer. "Just as the roads and bridges and physical infrastructure need repair and upkeep… the same is true for Internet infrastructure," he said.

The Homeland Security, Commerce, and Energy departments are contributing resources and capabilities to establish a National Center for Cybersecurity Resilience, according to a White House factsheet. The cybersecurity center is designed so companies and organizations can test security of systems in a controlled environment – "such as by subjecting a replica electric grid to cyberattack," according to the factsheet.

And a new Cybersecurity Assurance Program will test and certify connected devices, from refrigerators to medical infusion pumps, "so that when you buy a new product, you can be sure that it has been certified to meet security standards."

On the privacy front, Obama signed an executive order to create a permanent Federal Privacy Council, uniting privacy officials from across the government to implement more strategic and comprehensive federal privacy guidelines, the factsheet said. "Like cybersecurity, privacy must be effectively and continuously addressed as our nation embraces new technologies, promotes innovation, reaps the benefits of big data and defends against evolving threats."

While the budget – and the modernization fund – will require congressional approval, Scott expects broad support from Congress for the plan. "Cyber, thus far, has not been a partisan issue," he said.

But much of the CNAP, officials said, the White House can carry out on its own.

"Much of this package we can do either under existing executive authorities, or can get done by driving our existing authorities to the limit,” said Daniel, the White House cybersecurity coordinator. "This plan is as aggressive as we can get under existing authorities and we can do quite a bit of it without additional resources."