President Obama has catapulted cybersecurity and privacy to the forefront of his agenda with the announcement on February 9th of his administration’s new initiative, the Cybersecurity National Action Plan (CNAP). While the plan may take years to implement in its entirety, the White House wasted no time in getting it started with the inclusion of a $19 billion request for cybersecurity funding in Obama’s 2017 budget proposal and the release of two executive orders that establish separate federal privacy and cybersecurity entities.
The $19 billion budget proposal represents a 35% increase in cybersecurity spending from the previous year. It includes a $3.1 billion IT Modernization Fund to replace insecure legacy IT infrastructure at federal agencies, improve shared services, and create the position of Federal Chief Information Security Officer to oversee these improvements. The biggest portion of the budget, $7 billion, is earmarked for the Department of Defense to assist its efforts in developing offensive cyber capabilities, strengthening defense capabilities, and improving cybersecurity training. Additionally, it calls for a $62 million investment in federal cybersecurity personnel.
However, the White House is not waiting for Congress’s approval of the budget proposal to start implementing other CNAP action items. On the same day that the plan was announced, the President issued two executive orders that establish new cybersecurity and privacy entities.
The first order establishes a Commission on Enhancing National Cybersecurity (the “Commission”), an entity comprised of twelve non-governmental (and non-lobbyist) experts in cybersecurity, IT, privacy, national security, internet governance, or similar fields. The Commission will be tasked with drafting a report that recommends steps for strengthening cybersecurity in the public and private sectors, improving national security, promoting the discovery and adoption of new technology, and bolstering public-private cybersecurity partnerships over the next decade.
The second order establishes a Federal Privacy Council, an interagency oversight body that will be responsible for recommending new cross-agency privacy policies and requirements, sharing best practices, and developing a strategy for hiring federal privacy officers. In the near-term, however, the Council has 120 days to issue a revised policy on the role of agencies’ senior privacy officials, a measure intended to address concerns about lax protections for personal information held by the federal government. The Council will be headed by the Office of Management and Budget’s Deputy Director for Management, and its members will include the senior privacy officer at each federal agency.
Notably, however, the private sector is not letting the government set the cybersecurity agenda alone. This week, a group leading cybersecurity companies launched the Coalition for Cybersecurity Policy and Law, an organization dedicated to serving as “the voice of the industry” to policymakers focused on this area. The Coalition’s first action was submitting a joint response to the National Institute of Standards and Technology’s (NIST) request for comments on updating its Cybersecurity Framework.
Taken together, the first CNAP initiatives show that the Obama administration recognizes the far-reaching effects of cybersecurity challenges and the role to be played by both the public and private sectors. Companies should keep a close eye on any recommendations generated from the new cybersecurity and privacy entities and the government’s priorities for internal improvements in order to benchmark their own practices in these areas. Industry members should also take advantage of opportunities to participate in the policymaking process, whether by submitting comments in response to the government entities’ proposals or by joining coalitions to lobby for their interests.
