New Federal Cybersecurity Plan Calls for Modern IT & Two-Factor Authentication
Today, the Obama Administration announced a number of cybersecurity initiatives, the Cybersecurity National Action Plan (CNAP), to address the increasing number of attacks against organizations and individuals. They include:
Establishing a Federal CISO Position
The Administration is adding a Chief Information Security Officer (CISO) position to its ranks in the next 60 to 90 days, with the intention to “recruit the best talent from Silicon Valley” for other information security positions. The CISO will oversee cybersecurity policies within federal civilian agencies, working with the Defense Department and intelligence agencies.
Increased Federal Cybersecurity Funding
In addition, Obama is proposing a plan to increase federal cybersecurity funding by more than a third (from $14 million in 2016) to over $19 billion in 2017 in order to support efforts to protect against external attackers, including new botnets, spyware, malware and ransomware.
In an op-ed published in The Wall Street Journal today, he references the massive Office of Personnel Management (OPM) breach last year that affected 21 million people, as well as the attack on Sony and U.S. defense contractors as indicators of critical threats to America’s economic and national security.
A Plan to Modernize Legacy Infrastructure
President Obama also announced a $3 billion plan to overhaul federal computer systems, pointing out that the Social Security Administration uses systems and code from the 1960s.
According to WIRED, the U.S. Navy also paid $9.1 million to continue receiving security patches from Microsoft to support outdated Windows operating systems. Running outdated operating systems makes any organization more vulnerable to known exploits - over 700 Windows XP vulnerabilities are currently reported in the Common Vulnerabilities and Exposures (CVE) database.
The fund will encourage agencies to replace and modernize outdated infrastructure, networks and systems that are expensive to maintain, provide poor functionality and are difficult to secure. Detecting outdated operating systems, browsers and plugins is easier with endpoint visibility tools that identify vulnerable devices connecting to your network, allowing you to create granular security policies and controls that block access from these devices.
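As an added illustration of the access policy described above (not code from the original post or from any vendor's product), the following Python classifies the Windows version a browser advertises in its User-Agent header and returns an allow/block/review decision. The support table is a constructed example and must be kept current; User-Agent strings are also trivially spoofable, so a real endpoint agent would corroborate this with on-device inventory rather than trust the header alone.

```python
import re

# Constructed policy table: Windows NT kernel version -> (marketing name,
# still receiving public security patches as of early 2016). Windows XP
# (NT 5.1) left support in April 2014, which is why it carries False.
WINDOWS_VERSIONS = {
    "5.1": ("Windows XP", False),
    "6.1": ("Windows 7", True),
    "6.3": ("Windows 8.1", True),
    "10.0": ("Windows 10", True),
}

_NT_VERSION = re.compile(r"Windows NT (\d+\.\d+)")


def classify_windows_agent(user_agent: str):
    """Return (os_name, supported) for a Windows User-Agent.

    supported is True/False when the version is in the policy table and
    None when the version is unknown. Returns None for non-Windows agents.
    """
    match = _NT_VERSION.search(user_agent)
    if not match:
        return None
    version = match.group(1)
    return WINDOWS_VERSIONS.get(version, (f"Windows NT {version}", None))


def access_decision(user_agent: str) -> str:
    """Policy: block end-of-life Windows, flag unknown Windows builds for
    review, and leave non-Windows agents to other policies (allow here)."""
    result = classify_windows_agent(user_agent)
    if result is None:
        return "allow"
    _name, supported = result
    if supported is False:
        return "block"
    if supported is None:
        return "review"
    return "allow"


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    for ua in (
        "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    ):
        print(access_decision(ua), ua)
```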
A Federal Cybersecurity R&D Plan
The 2016 Federal Cybersecurity Research and Development Strategic Plan (PDF) will focus on research and development to provide effective tools for protecting against malicious attacks. The plan will help organizations better understand the range of vulnerabilities and threats they face, as well as allow them to practice evidence-based risk management.
A White House blog acknowledges that software defects allow for vulnerabilities, and that breaches are often caused by users. One part of the plan on the Human Aspect acknowledges that “80-90 percent of current cybersecurity failures are due to human and organizational shortcomings.”
However, the White House blog also states that organizations must improve their defenses without burdening users, urging a need for R&D to create effective and usability-friendly security tools.
Industry & Government R&D and Simulated Attack Centers
Other infosec initiatives include a new cybersecurity Center of Excellence for an industry/government research and development hub, as well as a national testing lab for companies to test systems under simulated attacks.
Cybersecurity for the Long Haul
Top business and strategic thinkers will also join a bipartisan Commission on Enhancing National Cybersecurity to work on creating long-term security solutions for the next decade.
Two-Factor Authentication Awareness
The Administration is also launching a new national awareness campaign to encourage Americans to move beyond passwords and use an extra layer of security, such as mobile-based authentication.
With two-factor authentication (also called multi-factor authentication), you pair something you have (a smartphone) with something you know (a password) to protect access to your online accounts. An authentication mobile app prompts you to approve a push notification as you log in, verifying your identity with your device and protecting against the exploitation of stolen passwords.
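To make the push-approval flow above concrete, here is an added Python model of both sides of it (example code, not from the original post or any authentication vendor). The user record, salt and device key are constructed; the phone is modelled as holding a per-device HMAC key where a real app would use an asymmetric key, which keeps the example dependency-free while showing why a stolen password alone does not complete the login.

```python
import hashlib
import hmac
import secrets

# Constructed user record: salted password hash plus the key enrolled on
# the user's phone at setup time. Only the server and that phone know it.
USERS = {
    "alice": {
        "pw_salt": b"constructed-salt",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse",
                                       b"constructed-salt", 100_000),
        "device_key": b"constructed-key-enrolled-on-alices-phone",
    }
}

PENDING = {}  # login_id -> (username, challenge), consumed on first use


def password_ok(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), user["pw_salt"], 100_000)
    return hmac.compare_digest(calc, user["pw_hash"])


def start_login(username: str, password: str):
    """First factor. On success, mint a one-time challenge that the server
    'pushes' to the enrolled phone. Returns None if the password is wrong."""
    if not password_ok(username, password):
        return None
    login_id = secrets.token_hex(8)
    challenge = secrets.token_bytes(32)
    PENDING[login_id] = (username, challenge)
    return login_id, challenge


def device_approve(device_key: bytes, challenge: bytes) -> bytes:
    """What the phone does when the user taps Approve: prove possession of
    the enrolled key over this specific challenge."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def finish_login(login_id: str, approval: bytes) -> bool:
    """Second factor. Accept only an approval made with the enrolled key for
    this login's challenge; the challenge is consumed so it cannot be replayed."""
    entry = PENDING.pop(login_id, None)
    if entry is None:
        return False
    username, challenge = entry
    expected = hmac.new(USERS[username]["device_key"], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, approval)
```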
The National Cyber Security Alliance (NCSA) will team up with leading tech firms like Google, Facebook, Dropbox and Microsoft to launch a National Cybersecurity Awareness Campaign to urge two-factor authentication adoption among organizations and individuals alike, according to a White House fact sheet.
The NCSA will tour cities nationwide to provide interactive sessions to teach local communities about turning on multi-factor authentication, and why it’s an essential online safety tool for every American, according to a news release from StaySafeOnline.org.
They’ll also team up with financial services companies like MasterCard, Visa, PayPal and Venmo to make transactions more secure with two-factor authentication. And the federal government will also ensure strong multi-factor authentication is used within agencies to protect personal data in online transactions between citizens and the government.