The Federal Cybersecurity Strategy and Implementation Plan (CSIP), announced at the end of October, is an ambitious initiative aimed at keeping cybersecurity a high national priority. But will it work? And will it succeed in helping us to finally get ahead of attackers?
Following several high-profile cyber-attacks and breaches in the past year, the CSIP responds with multiple efforts aimed at reducing large-scale intrusions into federal networks. The plan stresses the need to establish critical processes and best practices, and to recruit and retain a top cyber workforce. It also calls for a partnership between government and industry to leverage the best of existing, new, and emerging technology.
The CSIP is the sequel to the White House's summer "Cybersecurity Sprint," a 30-day assessment of federal assets and networks. Agencies were directed to tighten protection of their information, improve resiliency, and report on their progress. They were also charged with patching critical vulnerabilities, reviewing who has access to their networks (especially privileged users), and implementing stronger authentication, such as multi-factor authentication.
Federal cyber incidents have risen roughly 1,100% since 2006, according to US-CERT figures, and millions of personnel records and security-clearance files have been exposed; even the Government Accountability Office has acknowledged that the government is often ill-equipped to prevent and defend against threats. So why should the Sprint successes and this new Implementation Plan offer hope for an actionable and sustainable cybersecurity strategy?
#1: Although public-private partnerships have existed in some form for decades, the new initiative readily concedes that the government does not, on its own, have the best solutions to combat cyber threats. The Obama administration has opened the gates to Silicon Valley and its peers in order to leverage their ingenuity, creativity, and R&D. Alliances of this kind have already powered, for example, the establishment of 18F, a team of top-flight designers, developers, and product specialists modeled on tech startups that lets the government build and deploy cost-effective digital services quickly.
#2: The plan recognizes the need to recruit and retain the best and brightest in cyber. As the federal workforce ages toward the so-called silver tsunami of retirements, we look to millennials to fill the gap. Yet the public sector has not been very successful at enticing this younger generation. So the plan's acknowledgement that the government must recruit and retain more sophisticated technology experts is a major step in the right direction. The plan does not, however, provide enough substantive detail on how the government will actually recruit and retain these highly coveted individuals. Still, the inclusion of a workforce agenda certainly earns the Implementation Plan a measure of goodwill.
#3: The plan has a real timeline. While not unprecedented, it is certainly uncommon for a government strategy to have, well, an actual strategy for accomplishing its goals. This plan does. It contains a chart of milestones with real dates, not just approximate timeframes. For instance, NIST is expected to issue guidance to agencies on recovering from cyber events by June 30, 2016. It is hard enough to develop a plan and meet its goals; it is astronomically harder when the plan contains no actual timeline. Deadlines alone do not guarantee success, but they make progress measurable and give agencies something concrete to be held to.
The Federal Cybersecurity Strategy and Implementation Plan might not solve all cyber concerns, but in its inclusion of the private sector, its commitment to generating a commanding cyber force, and its resolution to completing the tasked steps, the Implementation Plan might just be a successful New Hope.
To learn more about CSIP from OMB’s Cyber and National Security Unit Chief Trevor Rudolph, sign up to attend the 2015 Cyber Playbook on December 15.