Cybersecurity National Action Plan: Some ideas are bold, some old

By: William Jackson
February 12, 2016


Cybersecurity has a high profile in the president’s agenda for his final year in office, including a sizeable increase in proposed IT security spending for the coming fiscal year, the release of a national action plan and the creation of a commission to come up with recommendations.

Some proposals could be beneficial: money to fund federal IT modernization and recommendations for bringing industry best practices to government IT management. But there is also a lot of business as usual: calls for better public-private sector cooperation, outreach to raise awareness, and advisory reports without authority to mandate change. Whether any of these initiatives result in improved cybersecurity will depend on the will of Congress and the next president, and those are very big question marks.

The most concrete of the initiatives are in the president’s budget proposal for fiscal 2017. This includes $19 billion for cybersecurity. Nineteen of 24 agencies would see an increase in their security budgets, and overall this would be a 35 percent increase over enacted budgets for 2016.

One of the most significant budget proposals is a $3.1 billion Information Technology Modernization Fund that would support retirement and replacement of legacy IT in government. It’s easy to get money to keep old stuff running, said Deputy Federal CTO Ed Felten; it’s harder to get money for new stuff. But new technology should be more secure, productive and cost less to operate in the long run. Savings from this operational economy would be returned to the revolving fund to enable more modernization.

If Congress has the good sense to fund this proposal it could help to improve government efficiency and cybersecurity—but only if agency planning and acquisition is managed properly. Fortunately, there might be help for this in the president’s Cybersecurity National Action Plan (CNAP).

Among other things, the plan will create a 12-person commission drawn from thought leaders in government, industry and law enforcement. The commission has a broad charter to provide recommendations ranging from strengthening cybersecurity in the public and private sectors to the development of new technical solutions and improving cooperation. And it all has to be done in about nine months; the commission’s final report is due Dec. 1 of this year.

The prospects of success for such a broad, rushed program might not be good. But if the commission accomplishes one part of it, it should be that part covering “governance, procurement and management processes for federal civilian IT systems . . . .” This includes recommendations for ensuring that cybersecurity is incorporated into IT procurement and modernization and that agencies are able to implement industry best practices for IT management.

If the commission accomplished nothing else, a practical set of guidelines for procurement, modernization and governance could help make the modernization fund successful.

Given that much of the president’s ambitious cybersecurity agenda depends on a hostile Congress and that most of it would not come to fruition until a new president takes office, the outcome remains in doubt. But at least the need to improve cybersecurity is receiving attention.