Obama’s cybersecurity agenda bold, but relies on untested funding, experts say

The IT Modernization fund has important goals that won’t be reached until well after the current administration expires.

President Obama is floating a $3.1 billion plan to upgrade drastically outdated federal cyber infrastructure, but it depends on an uncertain initial outlay from Congress and an untried funding mechanism, experts say.

The IT Modernization Fund would require one-time funding and then be replenished down the road by agencies that have tapped it to pay for moving from old systems like mainframes to more modern, reliable and defensible machines.

Ari Schwartz

“It’s not similar to anything that’s been done before,” says Ari Schwartz, former Special Assistant to the President and Senior Director for Cybersecurity for the White House, now managing director of cybersecurity services for Venable.

If the money is outlaid, agencies with aging networks and a plan to upgrade them can apply for funding right away. Federal CIO Tony Scott told reporters that he would prioritize the projects that get funding first based on which ones face the biggest security challenges.

Mark Weatherford

Getting the money in the first place is nowhere near a done deal, says Mark Weatherford, former deputy undersecretary for cybersecurity at the Department of Homeland Security. If Obama hopes to get the funding before his term expires, he’ll have to push it through Congress in the next two months. “Any longer than that and they will lose the energy necessary to get this going,” he says. The government typically works slowly, he says, so Obama will be challenged to get action during an election year.

Under the fund, agencies would be encouraged to make use of shared services to make the money go farther, says Scott.

The proposed scheme would change the philosophy behind how to protect government networks, Schwartz says. Before, the departments of Justice, Homeland Security, and Defense were put in charge of defending old systems that were never going to be upgraded, he says.

This new model would enable improvements that agencies say they need based on their own risk assessments and make them easier to defend because they would be more in line with current security technologies.

Obama’s plan calls for creating a federal Chief Information Security Officer, a post that could bring about uniform security policies across government agencies, Schwartz says. Setting overall policy has bounced from department to department, and individual departmental CISOs have had their own ideas about how things should be done.

Weatherford says the CISO position should have authority over policy, but it also needs to include procurement and operational authority across agencies in order to speed the implementation of cybersecurity reforms. “The CISO needs to be both a leader and a recognized cybersecurity expert who can move the needle quickly and make decisions on behalf of the entire federal government,” he says. “Without this level of authority, there is no chance for any real success.”

Obama’s overall cybersecurity initiative includes creation of the Federal Privacy Council, which would help raise the profile of privacy as an important element of cybersecurity, says Schwartz. Currently individual agencies have Chief Privacy Officers working under agency CIOs, which tends to lower their profile and influence.

Having a separate, government-wide council will raise the standing of privacy as an issue. “It’s been minimized over the years,” he says.

Federal breaches, particularly the theft of extensive records on 22 million federal employees from the Office of Personnel Management, have undercut public confidence in the government’s commitment to protect personal data.

In addition, with the FBI and other law enforcement officials pushing for an encryption backdoor, and Edward Snowden’s revelations about the NSA gathering bulk data about electronic communications, public trust has been eroded. “It started with Snowden and continues today with the ongoing discussions about encryption and privacy,” Weatherford says, and mistrust is now a significant obstacle that this privacy council can’t fix overnight.

“It’s going to take long-term commitment on the part of the government to mend the fracture, and it probably can’t be overcome in the short time necessary to get this moving,” he says.

Stories by Tim Greene
