For the first time since 2012, President Barack Obama didn’t discuss cyber security during this year’s State of the Union Address. However, less than a month after his final address, he proposed the Cyber security National Action Plan (CNAP), a sweeping proposal aimed at overhauling the US’s antiquated and vulnerable cyber defense systems – both public and private.
The robust plan calls for investing more than $19 billion in cyber security efforts, representing a 35% increase in federal cyber security spending from fiscal year 2016.
The measures range from establishing a commission of private sector thought leaders to modernising federal government IT systems to encouraging private enterprise to make use of advanced security features.
It shouldn’t be a tough sell. Headline-making data breaches – including those at Target, Dropbox.com and the Office of Personnel Management – highlight the need for dramatic cyber security enhancements in both the public and private sectors.
Given this state of affairs, CNAP will likely be embraced and passed as a bipartisan, positive step forward in the nation’s cyber security strategy. Even with its considerable scale and potential impact, however, it’s only a start – one piece of a sprawling puzzle.
Cyber security is a complicated latticework of disparate yet interconnected elements: public and private entities, domestic and foreign agencies and overlapping legal frameworks.
Take the Judicial Redress Act, which President Obama signed into law on February 24. In addition to providing limited access to US courts for citizens of certain countries – court access would be conditioned on covered countries permitting the transfer of personal data – the Judicial Redress Act has other international implications, specifically in the context of US-EU negotiations.
The finalisation of the Judicial Redress Act was considered by the European Union as a prerequisite to an umbrella agreement, initialed by US and EU officials last September, governing the transatlantic transfer of personal data for law enforcement purposes.
Although the Judicial Redress Act wasn’t a prerequisite for replacing the invalidated US-EU Safe Harbour framework, providing access to proper judicial redress in the US for EU citizens – a hot topic since former National Security Agency contractor Edward Snowden’s revelations about US surveillance practices – was an issue that needed to be addressed.
The European Court of Justice in October invalidated the 15-year-old Safe Harbour framework over concerns about US government access to data transferred to the US by US-based companies, and for failing to offer EU citizens redress safeguards over allegations of misuse of their data.
Luckily for thousands of companies that previously relied on the Safe Harbour, negotiators in early February announced a replacement deal: the EU-US Privacy Shield.
Another element in the cyber security ecosystem is the Coalition for Cyber security Policy and Law, a new group led by Ari Schwartz, who served on the National Security Council as special assistant to the President and senior director for cyber security.
Comprising tech heavyweights including Cisco, Microsoft and Symantec, the group aims to educate the government on topics including responsible vulnerability research and disclosure, and determining proper requirements for governmental systems.
None of this is meant to suggest that CNAP isn’t a valuable plan – only that it doesn’t exist in a vacuum. That said, the timing appears right for CNAP to marry up some disparate pieces of the nation’s cyber security quilt.
This starts with the $3.1 billion ‘Information Technology Modernization Fund’, which will create state-of-the-art cyber terrorism deterrents, retire legacy IT systems, and establish a federal CISO to oversee the project.
Then there is the Commission on Enhancing National Cyber security, a think tank of leading figures from across the public and private sectors. Their charge is to facilitate cyber security advancements while protecting privacy and national security.
Other CNAP components focus on providing American citizens greater security for their online data. These encourage the use of new and additional security measures, such as digital fingerprint scans, to protect consumer data.
Additionally, scholarships and other financial incentives will be directed toward creating a core of skilled cyber security professionals to protect the US’s future in this vital area.
While CNAP isn’t a self-sufficient solution to the nation’s cyber security challenges, it casts a wider net than any previous US cyber security initiative. And the work has already begun. President Obama has named former National Security Advisor Tom Donilon to head the Commission on Enhancing National Cyber security, and has also appointed former IBM CEO Sam Palmisano to the group.
The taskforce now faces a December 1 deadline for submitting its full recommendations on securing the US’s federal IT infrastructure, as well as optimising communication among government agencies and bridging gaps between the government and private enterprise.
Informed observers believe that the administration’s work on revamping cyber security measures began some time ago – as far back as September of 2015, when the President sealed an agreement with Chinese President Xi Jinping to stop engaging in cyber-economic espionage.
But for those who took its absence from the State of the Union as a signal of a lack of interest by the Obama administration, the scope and pace at which CNAP is now proceeding has undoubtedly proved a surprise.
Of course, cyber attacks themselves arrive quicker still, and with even fewer warning signs. The extent to which the various provisions of CNAP effectively thwart them remains to be seen. As a first and important piece of the overall cyber security puzzle, it shows promise.