{"498021":{"#nid":"498021","#data":{"type":"news","title":"Statement re: White House Cybersecurity National Action Plan","body":[{"value":"\u003Cp\u003EPresident Barack Obama\u2019s budget proposal for fiscal 2017, unveiled yesterday, brings a welcome \u003Ca href=\u0022http:\/\/www.reuters.com\/article\/us-obama-budget-cyber-idUSKCN0VI0R1\u0022 target=\u0022_blank\u0022\u003E35 percent increase for cybersecurity\u003C\/a\u003E. As part of \u003Ca href=\u0022https:\/\/www.whitehouse.gov\/the-press-office\/2016\/02\/09\/fact-sheet-cybersecurity-national-action-plan\u0022 target=\u0022_blank\u0022\u003Ethe plan\u003C\/a\u003E, the creation of a federal Chief Information Security Officer (CISO) also was announced to parallel what most major organizations already do to coordinate information security and risk. Yet the devil will be in the details for this new spending and new position.\u003C\/p\u003E\u003Cp\u003EWill the United States\u0027 CISO have any real authority? Will the new hardware and software bought with these funds be as insecurely configured or poorly implemented as the current systems? Two weeks ago\u0026nbsp;Rob Joyce, chief of the NSA\u0027s Tailored Access Operations (TAO), publicly reminded defenders that attackers know what actually is on a target network, whereas agency leaders often only think they know their own information environment. What should be and what is are often different, and this delta is usually the most fertile area of the attack surface.\u003C\/p\u003E\u003Cp\u003EThis additional funding should be applied in two ways, first addressing the present and second looking to the future:\u003C\/p\u003E\u003Cp\u003E1)\u0026nbsp;\u0026nbsp;\u0026nbsp; Compel federal government agencies to prove they are doing the basics:\u003C\/p\u003E\u003Cul\u003E\u003Cli\u003Einventory authorized and unauthorized devices (know what you\u2019ve got)\u003C\/li\u003E\u003Cli\u003Einventory authorized and unauthorized software (know what it\u2019s running)\u003C\/li\u003E\u003Cli\u003Ereduce and control use of admin privileges\u003C\/li\u003E\u003Cli\u003Eread your logs (yes, really read them!)\u003C\/li\u003E\u003Cli\u003Eestablish secure configs for all apps and devices, roll this out, don\u2019t deviate, and patch it aggressively.\u003C\/li\u003E\u003C\/ul\u003E\u003Cp\u003ENone of this is new, but actually doing it consistently would be novel for much of the U.S. government.\u0026nbsp; The new CISO and cognizant officials can\u2019t keep admiring the problem, but actually must measure progress and hold poor performance accountable.\u003C\/p\u003E\u003Cp\u003E2)\u0026nbsp;\u0026nbsp;\u0026nbsp; Fund research and development for cybersecurity across disciplinary lines \u2013 computer science, engineering, policy, etc:\u003C\/p\u003E\u003Cul\u003E\u003Cli\u003EAttribution of cyberthreats\u003C\/li\u003E\u003Cli\u003EConsumer-facing privacy\u003C\/li\u003E\u003Cli\u003ECyber-physical systems\u003C\/li\u003E\u003C\/ul\u003E\u003Cp\u003EReward those working on hard problems and seek revolutionary gains.\u0026nbsp; Don\u2019t be afraid to fail.\u0026nbsp; Create the next!\u0026nbsp;\u003C\/p\u003E\u003Cp\u003E\u003Cem\u003EMichael Farrell is chief scientist for the Cyber Technology \u0026amp; Information Security Lab (CTISL) and associate director of attribution for the Institute for Information Security \u0026amp; Privacy (IISP) at Georgia Tech.\u003C\/em\u003E\u003C\/p\u003E","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":[{"value":"\u003Cp\u003EPresident Barack Obama\u2019s budget proposal for fiscal 2017 includes a \u003Ca href=\u0022http:\/\/www.reuters.com\/article\/us-obama-budget-cyber-idUSKCN0VI0R1\u0022 target=\u0022_blank\u0022\u003E35 percent increase for cybersecurity\u003C\/a\u003E, creating a new \u0022Cybersecurity National Action Plan.\u0022 Georgia Tech\u0027s Michael Farrell, associate director of attribution for the Institute for Information Security \u0026amp; Privacy, explains what that should mean and provide.\u003C\/p\u003E","format":"limited_html"}],"field_summary_sentence":[{"value":"Associate Director Michael Farrell provides a public statement on behalf of the Institute for Information Security \u0026 Privacy."}],"uid":"27490","created_gmt":"2016-02-10 11:40:33","changed_gmt":"2016-10-08 03:20:38","author":"Tara La Bouff","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2016-02-10T00:00:00-05:00","iso_date":"2016-02-10T00:00:00-05:00","tz":"America\/New_York"},"extras":[],"hg_media":{"492491":{"id":"492491","type":"image","title":"IISP - required security poster","body":null,"created":"1454090400","gmt_created":"2016-01-29 18:00:00","changed":"1475895248","gmt_changed":"2016-10-08 02:54:08","alt":"IISP - required security poster","file":{"fid":"205850","name":"required_security.jpg","image_path":"\/sites\/default\/files\/images\/required_security.jpg","image_full_path":"http:\/\/tlwarc.hg.gatech.edu\/\/sites\/default\/files\/images\/required_security.jpg","mime":"image\/jpeg","size":174490,"path_740":"http:\/\/tlwarc.hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/required_security.jpg?itok=XkOTjjaW"}}},"media_ids":["492491"],"groups":[{"id":"430601","name":"Institute for Information Security and Privacy"}],"categories":[{"id":"153","name":"Computer Science\/Information Technology and Security"}],"keywords":[{"id":"6467","name":"Barack Obama"},{"id":"1404","name":"Cybersecurity"},{"id":"90001","name":"federal budget"},{"id":"146931","name":"The White House"}],"core_research_areas":[{"id":"145171","name":"Cybersecurity"}],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[],"email":[],"slides":[],"orientation":[],"userdata":""}}}