Much Still To Do on Obama's Cybersecurity Plan...
Brushing up on some notes before a cybersecurity-related meeting today, I thought it would be useful to go back and review President Obama's original plan to protect the nation's critical cyber-assets. As "Layer 8" reports, 22 out of the 24 proposals have yet to be implemented.
To be clear, this is the policy that is supposed to protect us from cyberattacks by Iran, China, Al-Qaeda, etc. Shortly after coming to office, President Obama released his Cyber Policy Review which was his intended plan to enhance the nation's cybersecurity infrastructure. It sought to extend the policies created in the Bush-era National Strategy to Secure Cyberspace by, for example, requiring the US to build a cybersecurity-based identity management plan and strategy that addresses privacy and civil liberties, leveraging privacy-enhancing technologies while maintaining net neutrality principles.
However, it's quite striking how nearly all of the 24 proposals are only bureaucratic in nature, hardly addressing technical challenges at all. As Layer 8 scathingly points out, "the overarching strategy to protect US assets from cyber attack remains pretty much just a paper plan".
So to refresh everyone in the Administration's memory, here is the list of all 24 proposals that the President put forth last year...
- Appoint a cybersecurity policy official responsible for coordinating the Nation's cybersecurity policies and activities;
- Establish a strong National Security Council directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the National Economic Council to coordinate interagency development of cybersecurity-related strategy and policy.
- Update the 2003 National Strategy to Secure Cyberspace to secure the information and communications infrastructure. This strategy should include continued evaluation of Comprehensive National Cybersecurity Initiative activities and, where appropriate, build on its successes.
- Designate cybersecurity as one of the President's key management priorities and establish performance metrics.
- Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
- Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the federal government.
- Initiate a national public awareness and education campaign to promote cybersecurity.
- Develop US government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.
- Prepare a cybersecurity incident response plan; initiate a dialog to enhance public- private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement.
- In collaboration with other Executive Office of the President entities, develop a framework for research and development strategies that focuses on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.
- Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.
- Improve the process for resolution of interagency disagreements regarding interpretations of law and application of policy and authorities for cyber operations.
- Use the OMB program assessment framework to ensure departments and agencies use performance-based budgeting in pursuing cybersecurity goals.
- Expand support for key education programs and research and development to ensure the Nation's continued ability to compete in the information age economy.
- Develop a strategy to expand and train the workforce, including attracting and retaining cybersecurity expertise in the federal government.
- Determine the most efficient and effective mechanism to obtain strategic warning, maintain situational awareness, and inform incident response capabilities.
- Develop a set of threat scenarios and metrics that can be used for risk management decisions, recovery planning, and prioritization of research and development.
- Develop a process between the government and the private sector to assist in preventing, detecting, and responding to cyber incidents.
- Develop mechanisms for cybersecurity-related information sharing that address concerns about privacy and proprietary information and make information sharing mutually beneficial.
- Develop solutions for emergency communications capabilities during a time of natural disaster, crisis, or conflict while ensuring network neutrality.
- Expand sharing of information about network incidents and vulnerabilities with key allies and seek bilateral and multilateral arrangements that will improve economic and security interests while protecting civil liberties and privacy rights.
- Encourage collaboration between academic and industrial laboratories to develop migration paths and incentives for the rapid adoption of research and technology development innovations.
- Use the infrastructure objectives and the research and development framework to define goals for national and international standards bodies. Implement, for high-value activities (like the Smart Grid), an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy.
- Refine government procurement strategies and improve the market incentives for secure and resilient hardware and software products, new security innovation, and secure managed services.