
Obama's $19B cybersecurity plan takes aim at cybercrime, underscores skills gap

President Obama's new national cybersecurity plan will beef up cyberdefense, but does it do enough to close the cyber-skills gap? Also in Searchlight: The Obama family's Wi-Fi is patchy; Twitter posts lackluster earnings.

After a string of high-profile cyberattacks on private-sector companies such as Sony and Target and the highest tiers of the U.S. government, President Obama, in the last year of his presidency, is making a bold statement about the escalation of cyber-threats: a $19 billion cybersecurity plan that includes the appointment of a federal chief information security officer.

Security experts are lauding the Cybersecurity National Action Plan (CNAP), the highlight of Obama's budget proposal for the 2017 fiscal year, as a step in the right direction.

"It demonstrates the urgent need for nationwide support and coordination at the highest levels on cybersecurity issues," Shuman Ghosemajumder, vice president of product at Shape Security, told me in a message.

In an op-ed for The Wall Street Journal, Obama outlined the proposal, which will increase federal cybersecurity funding by 35%. CNAP includes a $3.1 billion plan to overhaul the government's legacy servers and IT systems; R&D initiatives to help build more secure next-gen cybersecurity technologies; the installation of a federal chief information security officer; and the creation of a corps of cybersecurity professionals recruited from the private sector to promote best practices across federal agencies.

Cybersecurity skills gap widening

The section on workforce development, in particular, has drawn experts' attention and plaudits for bringing urgency and awareness to the very real issue of today's cybersecurity skills gap.

Amjed Saffarini, CEO of CyberVista, a cybersecurity and workforce development company, cited some unsettling statistics when I asked him about the cyber-workforce shortage: By 2019, there will be approximately 6 million cybersecurity jobs open but only 4.5 million people qualified to fill them.

"Too often, we hear only about the technology problems and solutions in cybersecurity without enough appreciation of the 'people problem' at the core of many damaging cyberattacks," Saffarini said. "It's more important than ever that America takes serious steps to train the next-generation cyber workforce."

Seth Northrop, a security and technology lawyer at Robins Kaplan LLP, agreed, saying that while the federal initiatives proposed by the White House are already being done in the private sector, the high-profile CNAP plan may drive more technology professionals into the information security field.

"Watch as sys admins migrate from struggling tech startups into InfoSec specializations, where jobs (including new government jobs) will exist," he told me on Twitter.

Unanswered questions

While the plan is a positive step toward improving cybersecurity, experts warned it's no cure-all for the cybersecurity skills shortage or mounting cyberthreats.

"Just throwing money at the problem will not solve it; in fact, it is likely to create additional bureaucracy," Khalid Kark, research leader for the CIO program at Deloitte, told me over email. "The amount of money spent on cybersecurity has very little bearing on the effectiveness of the initiatives."

While the cybersecurity plan outlines some high-level objectives, it lacks the clearly defined accountability structure and measures of success that are necessary to achieve them, Kark added.

Saffarini, too, brought up questions that the President's cybercorps program didn't address.

"Given the already crushing shortage of cybersecurity professionals, where will these cyber workers come from? How will these workers be trained? What incentive structure will be in place to ensure these workers stay in their positions?" he said.

Shape Security's Ghosemajumder told me that gaining ground against cybercriminals is a process that will take several years of technological innovation, legal evolution and societal change.

"The effect on the skills gap and on private industry will be felt over the course of those years," he added.

Kark concurred, saying that real impact will only come about by changing the culture and the leadership behind these federal programs.

Impact on private sector

Judging from the Obama administration's plans for overhauling federal agencies' legacy systems and security protections, it's unlikely that the executive branch and its regulatory agencies will give companies with antiquated security systems a free pass, Saffarini said.

"That will affect CIOs and IT executives' budget decisions next year in the critical infrastructure, education and healthcare industries using technologies developed two or three decades ago," he said.

Furthermore, the government ramping up its hiring of cybersecurity professionals could mean more competition for CIOs in the private sector who are hiring for their security and broader IT organizations, Saffarini added.

As for CIOs and CISOs themselves, Ghosemajumder doesn't think their jobs will change much anytime soon, but "they may find more support outside their organizations -- hopefully even in just a few years' time," he said.

CIO news roundup for week of Feb. 8

More technology headlines from the week:

  • Just because they live in the White House doesn't mean the Obamas are strangers to spotty Wi-Fi. Apparently, their Internet connection has "a lot of dead spots" and "can be a little sketchy," said President Obama and Michelle Obama in a pre-Super Bowl interview. But no worries; the president added that he's been working to improve the Wi-Fi for the next First Family.
  • Twitter released its fourth-quarter earnings on Wednesday -- and they were just okay. While the social media company's revenue of $710 million is a 48% increase from last year, the user figures were not as promising: Twitter reported 320 million users at the end of the fourth quarter -- exactly the same figure it reported in the prior quarter. This announcement comes four months after Jack Dorsey, Twitter's co-founder, returned as CEO to get the company back on track.
  • European Commissioner Věra Jourová announced in a tweet earlier this week that Privacy Shield, the new EU-U.S. data transfer and privacy agreement that would replace the now-invalid Safe Harbor, is being finalized and will be unveiled in the second half of February. According to a statement, the agreement would still need to be passed by the European Commission in the form of a decision.
  • Intelligence agents could soon be spying on you via your smart fridge. U.S. intelligence chief James Clapper told the U.S. Senate Tuesday that in the future, spies could take advantage of Internet-connected home appliances "for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials."
