Whenever I start to write about cybersecurity, something else comes up. I wanted to write about last week’s cybersecurity-focused Executive Orders (we’ll get to them shortly), and then I read that in an IRS hack last month, stolen social security numbers enabled attackers to get more than 100,000 E-file PINs. The IRS says, “No personal taxpayer data was compromised or disclosed by IRS systems,” and is notifying affected taxpayers. This follows a reported hack of employees at Justice and DHS, in which the attacker used social engineering, reportedly impersonating a government worker, to gain access to agency information.
These incidents just don’t stop, do they?
Which brings us to the two new Executive Orders. One establishes a Commission on Enhancing National Cybersecurity, the other a Federal Privacy Council. And they’ve been signed into existence during the same week that the White House submitted its budget proposal for federal FY 2017, including requests for $19 billion for cybersecurity as a whole, with $3.1 billion dedicated to getting rid of older, less secure systems. While agreement on and approval of budgets is, let’s face it, problematic in the current political climate, getting funding for cybersecurity is less problematic than for many other areas. Across the board and across the Executive branch and the Congress, leadership understands and generally supports cybersecurity initiatives, recognizing the very real costs of inaction as shown by the two news items I mentioned.
The Commission on Enhancing National Cybersecurity’s mission is to “make detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices.” There’s a lot in that mission statement that’s worth pointing out. The Commission’s scope covers both public and commercial sectors, specifically mentioning state and local government along with the feds. It’s about partnership and collaboration, and about protecting privacy as we improve cybersecurity. It’s specifically tasked with strengthening identity management, cloud computing, and laying a cybersecurity foundation for the Internet of Things. The Commission will reside in the Department of Commerce and be supported by NIST, and will have until December 1 of this year to complete its activities and report out to the President. That’s a lot to ask for in ten months of work; here’s hoping that the Commission employs some variant of Agile methodology, as the Federal CIO did quite successfully last July with the 30-day Cybersecurity Sprint, in order to accomplish its mission.
While the Commission is time-delimited, the newly-established Federal Privacy Council is not, and I think that’s a good thing. The point of the council is to serve as an interdepartmental support, coordination, and collaboration mechanism for privacy standards among Cabinet departments and the larger federal agencies. It will be chaired by OMB’s Deputy Director for Management and composed largely of Senior Agency Officials for Privacy. The Council, as described in the EO, seems to be about breaking down barriers when it comes to sharing best practices and lessons learned, and reducing duplication of privacy-related efforts across agencies.
More cybersecurity funding (hopefully), more collaboration across government and industry, more coordinated and focused efforts on privacy. All three of these items are needed and appropriate steps toward improving our cybersecurity.
SonicWall Security is here to help government and industry decrease their cybersecurity risk, update older infrastructure, and improve privacy protections. Follow the links to learn more about our SonicWall One Identity solutions for identity and access management and SonicWall network security solutions for greater performance and deeper network protection.