Nathaniel Gleicher is head of cybersecurity strategy at Illumio, and was formerly director for cybersecurity policy on the staff of the National Security Council.
President Obama’s Cybersecurity National Action Plan and accompanying budget proposal demonstrate a renewed administration focus on cybersecurity. The absence of cybersecurity from the 2016 State of the Union could have meant that the issue had been shunted to the back burner. The proposal makes clear that isn’t the case.
This is only the first step in the budget process, and there will be plenty of wrangling in Washington, DC before we see the final federal cyber budget. Although the plan’s proposed investments will improve federal cybersecurity when all is said and done, we should focus just as much on the conversation that implementing the action plan would require.
To highlight this point, I want to focus on the proposal to establish a $3.1 billion Information Technology Modernization Fund that President Obama describes as intended to “kick-start an overhaul of federal IT systems.”
Some commentators have already raised concerns that this proposal won’t improve cybersecurity if all it does is throw more money at the problem. There is no doubt that more resources are needed—but their deployment needs to be prioritized. The Obama administration will respond to this concern as it articulates how agencies should decide what needs to be replaced and upgraded. In fact, this presents an opportunity: a clear-eyed assessment of how to prioritize cybersecurity investment could have as big an impact on the cybersecurity of the federal government and private industry as the funding itself. It’s an effort worth starting without delay—new systems will have to wait on the budget process, but articulating how to prioritize new cybersecurity investments could start today.
The action plan proposes creating a federal chief information security officer, and while having a single, authoritative voice to prioritize expenditure is important, the challenge is deeper than that. The action plan directs that agencies “identify and prioritize their highest value and most at-risk IT assets,” but what constitutes “high value” and “at risk”?
There has been no shortage of effort put into measuring cyber risk, but there is still little agreement on how to do it. Insuring against breaches has been notoriously difficult, and although the NIST cybersecurity framework provides a much-needed common starting point, practitioners still disagree widely over how to evaluate cyber risk. Without a common grammar for discussing risk, experts disagree on how to secure systems, and cybersecurity investments don’t always increase security.
Against this backdrop, President Obama’s new budget and action plan offer an opportunity to build on the government and the private sector’s work to better prioritize cybersecurity spending. We shouldn’t miss this opportunity. There are three factors that could enhance this discussion about prioritized cybersecurity investment:
- Focus on reducing the time attackers can hide within networks, and shorten the response time to intrusions. The difficult lesson of recent years has been that no target is completely safe from a breach—often the most important question is how quickly and effectively defenders can identify intruders, isolate them from valuable systems, and expel them from their network.
- Invest to reduce the attack surface of systems. Segmenting interior networks and imposing additional controls forces attackers to spend more time searching through environments for high-value data, which gives defenders more opportunities to identify and expel them.
- Secure systems based on the value of the data they hold and how exposed they are to malicious actors. These factors could be combined into a complex risk calculation, but standing alone they are simpler and easier to quantify. Relying on value and exposure will reduce disagreement about prioritization, and make it easier to demonstrate links between IT modernization and increased security.
Increased funding for government cybersecurity is important, but the exercise of prioritizing these new investments could be as good for cybersecurity as the upgrades themselves. We’ll need to wait to see the ultimate funding level, but we shouldn’t miss the opportunity to enhance our understanding of prioritization and risk that this proposal offers.