Has the White House Been Caught Cybersecurity NAP-ping?

President Obama announced his “new” CNAP (Cybersecurity National Action Plan) to only moderate fanfare (certainly not nearly as much as the subject deserves), which included a lengthy Opinion piece, “Protecting U.S. Innovation From Cyberthreats,” in The Wall Street Journal of February 9, 2016.

Wired Magazine quickly published an article by Brian Barrett, “Obama’s New Cybersecurity Plan Sticks to the Most Basic Basics,” see http://www.wired.com/2016/02/obamas-new-cybersecurity-plan-sticks-to-the-most-basic-basics/ Barrett concludes with:

“…It’s an initiative that has noble ambitions but few details attached, especially when it comes to cyberattack response.

Maybe that, then, is why it’s not as discouraging as it should be [given] just what kind of shape our cybersecurity is in. Hopefully it’s about to get better. It almost certainly can’t get any worse.”

I have news for Barrett … it could get much worse and will do so as long as political proposals are so nebulous in their goals and timeframes. As discussed below, earlier attempts to shore up the nation’s security were much more assertive, yet they failed to get done.

Teri Robinson of SC Magazine wrote a piece the same day with the title “Obama goes hard on cybersecurity, new CNAP commits funds, resources” at http://www.scmagazine.com/obama-goes-hard-on-cybersecurity-new-cnap-commits-funds-resources/article/473066/  Robinson interviews Mark Weatherford. Mark is generally positive about the CNAP proposal but cautions that the remaining ten months of the current Administration leaves no time for delay in pursuing the stated initiatives. He also notes that there is a lot of fence-mending to do to build up private sector trust, and that such an effort needs a long-term commitment.

The WSJ followed up the president’s Opinion piece with an article by Damien Paletta, “White House proposes new cybersecurity plan,” with an interview of Michael Daniel, the White House’s cybersecurity coordinator who revealed that, even when (or if?) implemented, the CNAP would not prevent all future attacks but reduce the number of successful attacks and improve government response. Such half-hearted ambition for the plan does not bode well. Something more definitive, with greater expectations of success, is needed in a world where attacks are increasing exponentially in number and sophistication. We are essentially being told to live with a situation that might become better than it would have been, but could well be much worse than it is now. What good is that? We need absolute, not relative, improvements.

Unfortunately, history suggests that this type of proposal has been offered by the White House and the legislature for decades with decidedly little progress having been made over the years.

Contrary to the president’s assertion that recent cyberthreats “… are a national security risk few of my predecessors faced …,” we have been aware of the dangers of cyberattacks at least since the 1990s. In February 1996, the Critical Infrastructure Working Group suggested establishing the President’s Commission on Critical Infrastructure Protection (PCCIP) and the Infrastructure Protection Task Force (ITPF) to provide a comprehensive assessment of the nation’s vulnerabilities, and to recommend actions. In July 1996, Executive Order 13010 created the PCCIP, ITPF and the Critical Infrastructure Assurance Office (CIAO). In October 1997, the PCCIP issued a report “Critical Foundations Protecting America’s Infrastructures” that suggested a strategy incorporating research and development, information sharing, education and awareness, which coincidentally are the main themes of CNAP.  In May 1998, President Clinton issued Presidential Decision Directive (PDD) No. 63 on protecting America’s critical infrastructures. PDD-63 set a five year goal to secure the nation’s critical sectors against outside attacks by May 2003. With the change in Administration, that didn’t happen.

Of all the requirements in PDD-63, only one, namely, the formation of the Financial Services Information Sharing and Analysis Center (FS-ISAC) actually came to fruition and was officially launched by Treasury Secretary Lawrence P. Summers in October 1999. The FS-ISAC, of which I was a co-founder, is still today the preeminent example of information sharing as prescribed in PDD-63.

As mentioned above, with the change of administration in 2001, most of the goals of PDD-63, which were targeted for May 2003 completion, were never realized. If they had been, we might well have avoided the hundreds of billions (even trillions) of dollars in losses due to data breaches and stolen private information and company and government secrets that occurred in the intervening years.

Post a Comment

Your email is never published nor shared. Required fields are marked *