President Obama on Tuesday made what is likely his last major push to bolster the government’s digital defenses before leaving office.
As part of the annual White House budget proposal, the Obama administration rolled out a sweeping plan to inject billions of extra dollars into federal cybersecurity funding, establish a new senior federal cyber official and create a presidential commission on cyber that will establish a long-term road map.
"The fact is we still don’t have in place all the tools we need, including ones many businesses rely on every day," Obama wrote in a Wall Street Journal op-ed.
"We won’t resolve all these challenges over the coming year, but we’re laying a strong foundation for the future," he added.
The move is likely to complete Obama’s cyber legacy, which will include a historic attention to digital security, unprecedented executive orders on the topic and shepherding through Congress the largest-ever cyber bill — but also numerous bruising hacks at federal agencies and allegations that government networks were woefully outdated.
In a release, the White House called the plan “the capstone of more than seven years of determined effort.”
“[Obama] is the first president that is making a big cybersecurity push, and I think that’s tremendously important,” Rep. Ted Lieu (D-Calif.), one of Congress’s most prominent cyber voices, told The Hill.
The proposal aims to inject more than $5 billion in new funding across the government to strengthen network defenses that have been repeatedly infiltrated by suspected foreign government spies.
The ask is a 35-percent increase over last year’s allotment of $14 billion and would put overall federal cyber spending at over $19 billion.
Rep. Adam SchiffAdam Bennett SchiffSchiff: McCarthy 'will do whatever Trump tells him' if GOP wins back House Jan. 6 panel to pursue criminal contempt referral for Bannon Bannon's subpoena snub sets up big decision for Biden DOJ MORE (D-Calif.), the House Intelligence Committee's top Democrat, said the investment "is indicative of the seminal nature of this threat to our national defense."
The extra funding, Schiff added, "is essential to modernizing our government’s lagging cyber infrastructure and to investing in the next generation of cyber talent."
The budget request earmarks $3.1 billion for an “Information Technology Modernization Fund” that the White House described as a “down payment on the comprehensive overhaul” of federal IT systems.
Lieu said this fund could help solve one of the inherent budgeting problems when it comes to defending interconnected networks from hackers.
“What’s important about [the fund] is it can go across agencies and upgrade systems that touch more than one agency,” said Lieu, who sits on both the House Budget and Oversight committees.
Currently, each agency has its own individual cybersecurity budget that can be spent on its network but that cannot necessarily be expended on portions of the agency’s IT infrastructure at other agencies.
Hackers have exploited this balkanized budgeting process.
Over the summer, suspected Chinese cyber spies cracked into the Office of Personnel Management (OPM), pilfering over 22 million people’s personal information in two separate hacks. The initial intrusion — which exposed roughly 4.2 million federal workers’ personnel files — occurred at an OPM database that was housed at the Interior Department.
The OPM hacks also exposed the antiquated legacy systems the government relied on to run its networks.
Congress bashed OPM officials for not fully encrypting all their sensitive data. But the agency’s systems were simply too old to even accept modern encryption, they repeatedly explained.
The network also relied on the dated COBOL programming language, which initially became popular in the 1960s and is now eschewed by younger programmers.
A new federal official will oversee much of these update efforts.
As part of its proposal, the White House is establishing a federal chief information security officer, or CISO. The official will be housed within the Office of Management and Budget (OMB) and report to federal chief information officer, Tony Scott, who oversees government technology.
“This is the first time that there will be a dedicated senior official who is solely focused on developing, managing, and coordinating cybersecurity strategy, policy and operations across the entire federal domain,” the White House said.
"Most major companies have already adopted" a CISO, Obama pointed out.
Centralizing cybersecurity oversight is an attempt to help overcome the lack of agency-to-agency communication on the subject.
“For a while, I’ve seen the argument that there are too many lines of authority in the federal government on cybersecurity,” said Lieu. “Sometimes it’s not clear who is responsible for what.”
The CISO will also help monitor the government’s digital defense spending, which has been knocked as cost-ineffective.
Recently, a federal watchdog report concluded that the government's main cyber defense system, known as “Einstein,” was largely ineffectual at thwarting sophisticated hackers. The report echoed long-standing criticism from security experts who say the program is a much-delayed boondoggle that is already obsolete.
Federal officials insist the system is in its final phase of implementation and will soon serve as a platform on which to add leading cyber tools.
This budget infusion and new federal CISO will with these technology updates, the White House said.
The proposal also includes a robust research and public awareness component.
In a bid to build a bridge to the next administration, Obama is launching a “Commission on Enhancing National Cybersecurity.”
The administration is directing a bipartisan group of lawmakers to appoint top industry representatives and leading technologists to the commission. The group will be tasked with taking the long view.
“The commission will make recommendations on actions that can be taken over the next decade to strengthen cybersecurity in both the public and private sectors while protecting privacy,” the White House said.
Security experts almost unanimously agree that one of these actions will be eliminating the traditional online password.
Since 2011, the White House has been trying to push people away from passwords. Tuesday’s plan includes a last bid to encourage people to adopt stronger login practices.
The proposal creates a new public awareness campaign that includes leading tech firms such as Google, Facebook and Microsoft.
“By judiciously combining a strong password with additional factors, such as a fingerprint or a single-use code delivered in a text message, Americans can make their accounts even more secure,” the White House said.
The proposal is likely Obama’s concluding statement on cybersecurity.
During his presidency, cybersecurity has gone from a fringe issue to one that most leaders acknowledge is vital to national and economic security. The topic received an increasing amount of attention in all but Obama’s final State of the Union address.
"These cyber threats are a national-security risk few of my predecessors faced, but they will be ones my successors, regardless of party, must address," Obama wrote in his op-ed.
In recent years, the U.S. has seen the dramatic rise of global cyber crime syndicates that have pillaged banks, department stores and hotels.
According to an October report from Hewlett-Packard and the Ponemon Institute, cyber crime costs the average American firm $15.4 million annually, up 82 percent over the last six years. By 2019, it’s believed the cost of data breaches will reach $2.1 trillion globally.
Digital adversaries such as China, Russia, Iran and North Korea have also swooped in unexpectedly, plundering health insurers, airlines, nuclear plants, government agencies and, most memorably, a major movie studio.
Even terrorist groups such as the Islamic State in Iraq and Syria are causing fears by hijacking high-profile twitter accounts and digitally defacing websites around the world.
"Gone are the days when we could simply call the IT folks when there was a problem," Schiff said. "Cybersecurity infuses almost everything we do."
These trends are bound to continue after Obama leaves the White House. The president acknowledged the country is "still in the early days of this challenge."
But this ultimate cyber thrust could help cement his reputation as the first president to actively address the digital security challenge.
“If we can get this through, the funding, I think that would be very positive for his legacy,” Lieu said. “This is not just a federal government problem, it’s endemic in the private sector.”
Updated 10:19 a.m.