I’ve spent the last week reviewing the President’s Cybersecurity National Action Plan (CNAP) first released on February 9.
The President deserves a lot of credit for addressing some of the more esoteric details related to cybersecurity and national interest. I’ve seen two cybersecurity plans from the candidates so far, one from Governor Bush and the other from Dr. Carson (aside from John McAfee’s that is). The governor’s read more like a few statements rather than a real plan, while Dr. Carson’s was filled with a few high-level promises and some card deck shuffling. CNAP is far more detailed and inclusive than either of these two, demonstrating the administration’s cybersecurity depth and experience.
While laudable, the President’s plan has some fundamental flaws to it in my humble opinion. There’s a lot to cover but here are a few of my initial thoughts.
1. There is absolutely no need for yet another public/private commission. CNAP calls for the establishment of a “commission on enhancing national cybersecurity,” composed of top strategic, business, and technical thinkers from outside the government. CNAP tasks this commission with making “recommendations on actions that can be taken over the next decade to strengthen cybersecurity.” A commission? Really? This is typical Washington-speak for social events, PowerPoint presentations, glad-handing, and cocktail parties. Beside, comprehensive cybersecurity studies were already conducted by CSIS and Melissa Hathaway when the President took office and there’s no shortage of subsequent research or recommendations. We need action, not more talk amongst Washington insiders and business fat cats.
2. Modernizing IT is not a cybersecurity task. The President calls for a $3.1 billion Information Technology Modernization Fund which will enable the retirement, replacement, and modernization of legacy IT. No doubt that this was driven by the OPM breach but IT modernization is a CIO decision usually based upon business process needs and software development considerations, not security. CISOs may participate, but certainly won’t drive this effort.
3. A federal CISO is a great idea, but…Okay, my question here is will this person have any power or accountability? Will agency IGs, CIOs, and CISOs, take orders from this person or merely invite them to meetings. Anyone remember federal CIO Vivek Kundra? He pushed a cloud computing agenda and was great for federal IT PR, but he left town after a few years and burned bridges along the way. History really indicates that this position could be a waste of time.
4. It’s time to talk ROI on Einstein. The Einstein program has been around since 2004 and many of the details remain classified. CNAP is pushing for further Einstein investment but from what I know, it appears like a federal big budget boondoggle. Why? It hasn’t been especially effective at protecting federal agencies, it isn’t adopted across the government, and DHS hasn’t exactly proven its trustworthiness for protecting other civilian agencies. And based upon Einstein functionality, it seems to me that it could be easily replaced with far cheaper commercial alternatives (i.e. NGFWs, IPS, threat intelligence integration, etc.). Instead of investing more in Einstein, it’s time to let taxpayers know how much it costs, how effective it is, and whether further spending is worthwhile.
5. CNAP doesn’t go nearly far enough on cybersecurity training and education. CNAP proposes an additional $62 million for cybersecurity training and education programs such as the CyberCorps Reserve and the development of a cybersecurity core curriculum as well as some other recommendations for centers of excellence and computer science program. The problem here is that the feds need to do more – and fast. According to ESG research, 46% of organizations claim they have a “problematic shortage” of cybersecurity skills (note: I am an ESG employee). Since cybersecurity is an area that depends upon people and process, we’ve reached a crisis point where our digital assets are protected by cybersecurity teams that are chronically understaffed and lack the right skills. I can’t write this strongly enough – the cybersecurity skills shortage is a national security issue that demands a comprehensive strategy rather than a sprinkle of additional funding for disjointed agency programs.
There are a lot of good starting points within CNAP such as pushing for multi-factor authentication (MFA) and the need for a public awareness campaign. Unfortunately, CNAP looks at cybersecurity thought a lens of politics, existing federal programs, and Beltway business dynamics. We need a comprehensive cybersecurity Tabula Rasa that allows Washington to do what’s necessary to solve real problems rather than incremental changes to the slow-moving and unproductive federal status quo.