
The Real Reason to Like the President’s Cybersecurity Plan

Cyber Net Politics CFR

By Guest Blogger for Net Politics

Nathaniel Gleicher is head of cybersecurity strategy at Illumio, and was formerly director for cybersecurity policy on the staff of the National Security Council.

President Obama’s Cybersecurity National Action Plan and accompanying budget proposal demonstrate a renewed administration focus on cybersecurity. The absence of cybersecurity from the 2016 State of the Union could have meant that the issue had been shunted to the back burner. The proposal makes clear that isn’t the case.

This is only the first step in the budget process, and there will be plenty of wrangling in Washington, DC before we see the final federal cyber budget. Although the plan’s proposed investments will improve federal cybersecurity when all is said and done, we should focus just as much on the conversation that implementing the action plan would require.

To highlight this point, I want to focus on the proposal to establish a $3.1 billion Information Technology Modernization Fund that President Obama describes as intended to “kick-start an overhaul of federal IT systems.”

Some commentators have already raised concerns that this proposal won’t improve cybersecurity if all it does is throw more money at the problem. There is no doubt that more resources are needed, but their deployment needs to be prioritized. The Obama administration will respond to this concern as it articulates how agencies should decide what needs to be replaced and upgraded. In fact, this presents an opportunity: a clear-eyed assessment of how to prioritize cybersecurity investment could have as big an impact on the cybersecurity of the federal government and private industry as the funding itself. It’s an effort worth starting without delay. New systems will have to wait on the budget process, but articulating how to prioritize new cybersecurity investments could start today.

The action plan proposes creating a federal chief information security officer, and while having a single, authoritative voice to prioritize expenditure is important, the challenge is deeper than that. The action plan directs that agencies “identify and prioritize their highest value and most at-risk IT assets,” but what constitutes “high value” and “at risk”?

There has been no shortage of effort put into measuring cyber risk, but there is still little agreement on how to do it. Insuring against breaches has been notoriously difficult, and although the NIST Cybersecurity Framework provides a much-needed common starting point, there is still widespread disagreement over how to evaluate cyber risk. Without a common grammar for discussing risk, experts disagree widely on how to secure systems, and cybersecurity investments don’t always increase security.

Against this backdrop, President Obama’s new budget and action plan offer an opportunity to build on the government and the private sector’s work to better prioritize cybersecurity spending. We shouldn’t miss this opportunity. There are three factors that could enhance this discussion about prioritized cybersecurity investment:

Increased funding for government cybersecurity is important, but the exercise of prioritizing these new investments could be as good for cybersecurity as the upgrades themselves. We’ll need to wait to see the ultimate funding level, but we shouldn’t miss the opportunity to enhance our understanding of prioritization and risk that this proposal offers.