Federal chief information officers were told to go all-in for cybersecurity when developing their fiscal 2017 budget plans last summer. The White House is holding up its end of the bargain by requesting a whopping 35 percent increase in governmentwide cybersecurity spending for 2017.
Michael Daniel, the White House cybersecurity coordinator, said President Barack Obama will request $19 billion for 2017, which is about $6.6 billion more than what Congress approved for 2016.
The administration is expected to send its fiscal 2017 budget request to Congress Tuesday.
The dramatic increase in cybersecurity spending is how the White House plans to support short- and long-term initiatives under a new Cybersecurity National Action Plan (CNAP) that Daniel and federal Chief Information Officer Tony Scott are also rolling out as part of the budget plans.
“Clearly our current system for governing and managing how we do both IT and cybersecurity across the federal government is not as effective as it needs to be at getting the cybersecurity mission done,” Daniel said during a briefing with reporters Monday. “That’s why what you see in the CNAP is a combination of efforts to get agencies to invest more in their cybersecurity, but also to begin to move toward a model where we have much more shared and common services across the federal government, that will be implemented governmentwide, that will enable the government to operate much more like a unified enterprise much as the private sector has done over the last few years.”
Daniel said the CNAP aims to raise all cyber boats — federal agency, private sector and research and development.
“These actions build on work that has been going on for some time, including most recently our cybersecurity strategy and implementation plan that we rolled out this last summer and fall,” Scott said. “The national action plan not only builds on those activities, but includes a number of new things that were not initially part of the CSIP.”
Scott said one of those new things is the plan to name a new federal chief information security officer (CISO), who would report to him as a second deputy CIO.
“The job announcement will go live tomorrow morning. We expect to fill the role in the next 60-to-90 days,” Scott said. “The role will be responsible for the policy, practice and coordination of information security across the civilian agencies in the federal government, and it will work closely with military and intelligence officials across the government. It’s a key role that many in the private sector have long implemented and it’s good practice for the federal government.”
Scott said the federal CISO also will work closely with the E-Government cyber team, the Homeland Security Department and other federal organizations.
While a new person to help oversee policy and coordination is helpful, the biggest cyber threat agencies are facing in many regards is the continued use of older technology.
So Scott also announced that the President is requesting $3.1 billion for a new IT modernization fund that will be run by the General Services Administration.
“First, we will prioritize applications in federal agencies that have a high cybersecurity challenge,” he said. “We are going to look for applications that can utilize shared services, the cloud and other more modern architectures. And we also are going to focus on those applications that are a high cost to operate. So a combination of factors will be the winning formula for projects to get funded by the IT modernization fund.”
Scott said the IT modernization fund would be a revolving fund where agencies would get small amounts of money to perform incremental development to update systems.
“They also will have to pay it back over time so this will encourage the engagement of senior executives in the agencies and is entirely consistent with [the] Federal IT Acquisition Reform Act (FITARA) in creating a better governance model in the agencies,” he said. “It’s an exciting development for us, and one, we think, will affect anywhere from $12 billion-to-$15 billion of application development over a period of time, and it’s a big step.”
A fact sheet released by the White House says the fund will let agencies invest upfront and realize savings over the long run by turning off and modernizing legacy IT systems and infrastructures, which are expensive to maintain and difficult to secure.
Scott said another big challenge for agencies is having employees with the right skill sets.
So the budget addresses that long-standing issue as well.
First, DHS will expand the number of federal civilian cyber defense teams to a total of 48, by recruiting the best cybersecurity talent from across the federal government and private sector.
“These standing teams will protect networks, systems, and data across the entire federal civilian government by conducting penetration testing and proactively hunting for intruders, as well as providing incident response and security engineering expertise,” the White House said in its fact sheet.
Second, the White House is requesting $62 million for the training and recruiting of cyber experts.
“We’ve all understood quite acutely that there is a shortage of people skills with the right cybersecurity education and skills across the federal government,” Scott said. “We will establish a cyber corps reserve program that will offer scholarships. We will work on a cybersecurity core curriculum that will ensure that cybersecurity graduates who want to join the federal government have the right knowledge, skills and abilities. Another component of this will be a loan forgiveness program for cybersecurity experts who join the federal government.”
A final piece to all of this is a new executive order Obama will sign Tuesday establishing a Privacy Council.
Scott said the council will be similar to ones for CIOs or CFOs where privacy officials from across the government will focus on governmentwide strategy, guidelines and the sharing of best practices. The council was part of a new plan to improve federal privacy efforts OMB announced in December.
Daniel said he knows Congress will play a key role in many of these initiatives, but not everything is dependent on lawmakers.
“What you see across this entire package is a combination of initiatives that, some of which like the IT modernization fund, requires congressional action to make it happen. That is why we will be working closely with our colleagues on the Hill to secure that support,” he said. “But much of this package we can do either under existing executive authorities or can get done by driving our existing authorities to the limit. I think that is the point we are making, this plan really is as aggressive as we can get under existing authorities. We can do quite a bit of it even without the additional resources, but that is going to be a key part of it and that is why we will be working very closely with Congress to get their full support and buy-in for the plan.”