For one thing, it appears that his administration has taken some of the key recommendations from a bipartisan commission of computer security experts set up last year, charged with putting their heads together in hopes of envisioning some cyber-wonkery to help get us from where we are (in a sorry state) to where we need to be (let's call it "better").
Some of the main objectives noted are ones you typically see in any sort of initiative - like strong leadership. Have you ever seen a mission launched with weak leadership? Of course you have - we all have. It's not pretty. Whether the cyber security leadership starts strong and stays strong remains to be seen, but it's nice of them to articulate this point up front. The two areas that I find most promising, if executed correctly, are these:
- Initiate a Safe Computing R&D Effort and Harden our Nation's Cyber Infrastructure
- Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches
From a cyber infrastructure perspective, this means products and services that are hardened out of the box, instead of the continued need to layer security on top of hardware and software components that arrive gift-wrapped insecurely with a nice ribbon on top.
Investing in the R&D needed to build secure computing and networking components is a great start, and having a sensible plan for implementing these hardened modules, beginning with our critical cyber infrastructure, is a great way to demonstrate that "strong leadership" that I snarked about earlier.
Securing personal data is the second objective that gives me a warm, fuzzy feeling. I'm especially fond of establishing a common standard across industries for securing personal data, which should level the playing field and help those of us who live this stuff day to day work with a known set of boundaries, instead of the mish-mash of federal and state mandates coupled with the rulesets thrown in by various regulators, associations, and other assorted groups.
This will also help guide organizations in areas like breach and incident response, for many of the same reasons. Rather than assorted notification timelines, thresholds, and requirements that vary from state to state, a single framework that applies nationally will allow for better resource allocation, process development and improvement, and incident metrics that can be compared across the board, since everyone is operating under the same rules. It will also be much easier to demonstrate which organizations are compliant and which are not.
There are other sections dedicated to cyber crime, cyber espionage (isn't espionage still a crime?), and understanding the economic value of protecting our computing infrastructure. I'm hoping that includes revisiting SCADA and similar control systems, since huge segments of our utility and telecommunication networks are sitting ducks due to how brittle SCADA tends to be.
Given the enormous financial pressures that currently exist, it will be interesting to witness how these efforts will be funded and what the timelines will be for implementation. In any event, I'm impressed that the approach was ready on Day 1.