5 principles to ensure CNAP success
- By Chase Cunningham
- Feb 12, 2016
On Feb. 9, President Barack Obama announced the Cybersecurity National Action Plan (CNAP), which calls for an increase in federal funding to more than $19 billion and a litany of policy changes, agency tasks, budget allocations and information-sharing initiatives.
The proposal comes in response to the overdue need to properly defend our nation’s critical infrastructure, government organizations and corporate data.
The White House’s CNAP is a much-needed top-down commitment to enact change. And though money alone will not win the cyber war, it certainly helps remove any barriers -- technical or otherwise -- for developing and implementing a sound cybersecurity strategy. There are, however, some important considerations to make as we move forward.
1. Technology moves faster than policy
Technology evolves exponentially. Moore’s Law, which was first articulated in 1965 by Gordon E. Moore, rings true some five decades later. Moore found that every discovery we make in technology accelerates our collective discovery by a factor of two.
Today, the human race has access to more knowledge and data than at any time in history. With this understanding, coupled with Moore’s Law, we’re witnessing discoveries unfolding with exponential velocity. Acknowledging the speed of innovation is critical for the public and private sectors as they collaborate to defend the country against foreign and domestic cyber threats.
No matter how well intended, policies will never mature fast enough to manage or corral innovation or the potential for threats that accompany new systems. Only technology, combined with innovation, can keep pace with, well, technology.
2. In with the new
One of the major components of the CNAP is the allocation of $3.1 billion for the Information Technology Modernization Fund, which will be leveraged to retire the legacy technology that is rife with security vulnerabilities and too expensive to operate securely in today’s threat landscape.
This is a smart, arduous, expensive and time-consuming step, and it needs to be executed with patience and diligence. Before the old tech is retired, the new infrastructure, applications and systems must be tested, integrated, secured, measured and deployed. Simply tossing fixes together in a bolted-on, haphazard manner will not work. We’ve been down that path. We can’t repeat our mistakes.
Strong multifactor authentication will likely be the first step in this modernization process. Already used to protect many banking platforms, this approach requires a combination of biometrics, secure protocols and cloud technology. Using a weak second factor -- such as a four-digit PIN or an out-of-band SMS text -- will result in failure.
From there, natural-language processing and machine-learning techniques, combined with targeted innovation around data classification, should be adopted. These concepts are being engineered and tested in numerous think tanks and universities around the world.
3. Biometrics, not numbers
The White House was smart to advocate phasing out the use of Social Security numbers for identifying or authenticating citizens. This archaic identification system too easily links to personally identifiable information that is highly valuable to threat actors.
With a few exceptions, all people possess a variety of biometric assets (e.g., fingerprints, retinas) that are better identifiers of who they are than a number ever could be. A change to biometric identifiers would help solve a variety of social and criminal issues -- from fraud to illegal immigration -- and the technology already exists and is proven.
4. No new agencies
Although the CNAP asked for the establishment of additional agencies and commissions (e.g., Commission on Enhancing National Cyber Security, Cyber Mission Force under the U.S. Cyber Command), there’s little need to spend another billion dollars setting up a handful of new organizations “tasked” with overseeing cybersecurity; the National Security Agency and National Institute of Standards and Technology already do that.
A more effective and efficient approach would require the federal government to collaborate with NSA and NIST to formalize reviews of new, deployable technologies that address the technical issues that are hindering our collective cyber posture. More agencies, departments and commissions will only dramatically slow what should be -- in an ideal scenario -- an agile and active cyber defense system.
5. Less money, more thinking
As mentioned above, the government can’t throw money at this issue and make it go away. In fact, cyber defense doesn’t need to be a money pit. There are thousands of talented cybersecurity professionals, researchers and innovators in the public and private sectors who love difficult challenges. Many would jump at the chance to truly have an impact on a national level.
How do we encourage this mass-scale commitment? By properly enabling the exchange of ideas and funding the results. For example, the basis for the new Commission on Enhancing National Cyber Security is logical, but the paradigm hasn’t changed. Major contracts will likely still be awarded to the same monolithic government contractors and subcontractors. What have we solved?
To be effective, top officials must make it worthwhile for small tech companies and expert security teams to innovate. We can pair this program with a new reward system to benefit those who dive in. The tech visionaries can stop hunting for funding from venture capitalists and instead gain investments from the government to design and build security solutions that will benefit the greater good.
Make innovation worth their while. Appeal to their need for challenge. Then watch our collective success.
Chase Cunningham is director of cyber threat research at Armor.