top of page

The White House’s Cybersecurity National Action Plan and What it Could Mean to the States

President Obama recently released the White House’s Cybersecurity National Action Plan (CNAP) last Tuesday.[1] After a hacker released a statement last Monday that he is planning to dump thousands of FBI and DHS employee details[2], the release of the CNAP comes none too soon. The President’s plan outlines the formation of a new commission, a three billion dollar modernization fund (much over needed), enhances student loans forgiveness for cybersecurity experts joining the federal work force, and the formation of the Federal Chief Information Officer.[3] The formation of the new Commission on Enhancing National Security would be the main body of information for the president.[4]

The commission would have twelve members, appointed by the President, with recommendations for one person a piece from the Speaker of the House, Minority Leader of the House, Majority Leader of the Senate, and Minority Leader of the Senate. [5] Advisory in nature, and non-renewable, unless extended by the President, the commission would research and produce recommendations to the President. [6] Recommendations and research are certainly needed in the realm of cybersecurity, but this commission has potential to be the key to consolidate cybersecurity efforts at the state level.

States governments are accomplishing achievements in strengthening online defenses.[7] Virginia created a Cybersecurity Commission in February 2014 and has since released their first annual report.[8] Virginia’s 2015 annual report stressed the need for education in cybersecurity and certified cybersecurity professionals. CNAP reiterates the sentiment of emphasizing education with a 62 million dollar budget.[9] The newly created commission seems to be paralleling the efforts at the state level.

While states such as Michigan and Virginia[10] are leading the charge in the realm of cybersecurity, more states must join in on the efforts. States carry out the key components in executive orders[11] and legislation regarding cybersecurity, so partnerships are key. [12] The federal government is taking the charge to lead states that may need to step up their cybersecurity game. It is essential that there is a consensus between the state governments and the federal governments to keep the country safe from cyber attack. The EU Commission provides a model for the United States to work towards a united security front.

The EU Commission’s proposed directive on network and information security (NIS)[13] seeks to increase cooperation between member states and requires each member state to select a national authority to set out a strategy to deal with cybersecurity.[14] The Council and Parliament will hopefully formally approve the NIS directive this spring[15], which would provide a more cohesive and coordinated framework for member states. With broad cybersecurity attacks impacting financial institutions situated in multiple countries, a solid, cooperative, framework is necessary. By following NIS’s strong framework, the federal government can increase cooperation through the states with CNAP.

While CNAP addresses much-needed funds and direction for government agencies, it is silent on what more can be done to persecute hackers. The overarching law under the Computer Fraud and Abuse Act (CFFA)[16] punishes “hackers” with much criticism. [17] The heaviest criticism is the result of the tragic suicide of Aaron Schwartz who took his own life after federal prosecutors filed thirteen felony counts for downloading academic papers.[18] Aaron violated a “terms of service” policy[19], which resulted in federal prosecutors applying the Computer Fraud and Abuse Act against him. The tragic story certainly seems unnecessary, as Aaron did not hack any federal information.[20] Aaron’s Law Act of 2013 amends some provisions of CFFA by replacing the phrase “exceeds authorized access” with “access without authorization” and defines the phrase.[21] CFFA would be significantly narrowed if the amendment was to pass, but the amendments sits in a house subcommittee instead.[22]

Steps are being taken at the executive level to enhance the nation’s cybersecurity defenses, so their resources do not need to be wasted by prosecuting men or women for downloading academic files. It seems a waste to flex the executive’s power of enforcing all federal laws in lieu of beefing up the security of the DHS, FBI, or CIA websites.

[1] Fact Sheet: Cybersecurity National Action Plan, (Feb. 9, 2016), https: / /www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan.

[2] Joseph, Cox, Hacker Plans to Dump Alleged Details of 20,000 FBI, 9,000 DHS Employees, (Feb. 7, 2016), https://motherboard.vice.com/read/hacker-plans-to-dump-alleged-details-of-20000-fbi-9000-dhs-employees.

[3] Supra, Note 1.

[4] Id.

[5] Supra, Note 1.

[6] Id.

[7] Dan Lohrmann, Governors’ Briefing on Cybersecurity: People are Everything (Feb. 23, 2015), http://www.govtech.com/blogs/lohrmann-on-cybersecurity/Governors-Briefing-on-Cybersecurity-People-are-everything.html.

[8] Cyber Virginia and the VA Cyber Security Commission, https://cyberva.virginia.gov/.

[9] Supra, Note 1.

[10] Resource Center for State Cybersecurity, http://www.nga.org/cms/statecyber.

[11] All those chip cards you are getting in the mail? It is the states that have to continue what the president started by enforcing the installation of chip-enabled machines in stores, Jeffrey Zients, The President’s BuySecure Initiative: Protecting Americans from Credit Card Fraud and Identity Theft (Oct. 22, 2014), https://www.whitehouse.gov/blog/2014/10/17/president-s-buysecure-initiative-protecting-americans-credit-card-fraud-and-identity.

[12] Supra, Note 7.

[13] European Comm’n, EU Cybersecurity plan to protect open internet and online freedom and opportunity 2 (2013), https://ec.europa.eu/digital-agenda/en/news/network-and-information-security-nis-directive.

[14]Council of the European Union, EU steps up cybersecurity: member states approve agreement 12 (2015), https://www.consilium.europa.eu/press-releases-pdf/2015/12/40802207449_en_635860546800000000.pdf.

[15] Id.

[16] 18 U.S.C. § 1030 (2012).

[17] Sangkyo Oh and Kyungho Lee, The Scientific World Journal, The Need For Specific Penalties for Hacking in Criminal Law (2014), http://www.hindawi.com/journals/tswj/2014/736738/#B2.

[18] Doc Searls, How ‘Aaron’s Law’ is Good for Business (Feb. 5, 2013), https://hbr.org/2013/02/how-aarons-law-is-good-for-bus/.

[19] Id.

[20] Such as the FBI and DHS employee identification hack mentioned earlier.

[21] “Obtaining information on a protected computer that the accesser lacks authorization to obtain by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information,” H.R. 2454 – Aaron’s Law Act of 2013, https://www.congress.gov/bill/113th-congress/house-bill/2454.

[22] Id.

Comments


bottom of page