Protecting U.S. Innovation From Cyberthreats by Barack Obama (current President of the United States).
From the statement:
More than any other nation, America is defined by the spirit of innovation, and our dominance in the digital world gives us a competitive advantage in the global economy. However, our advantage is threatened by foreign governments, criminals and lone actors who are targeting our computer networks, stealing trade secrets from American companies and violating the privacy of the American people.
Networks that control critical infrastructure, like power grids and financial systems, are being probed for vulnerabilities. The federal government has been repeatedly targeted by cyber criminals, including the intrusion last year into the Office of Personnel Management in which millions of federal employees’ personal information was stolen. Hackers in China and Russia are going after U.S. defense contractors. North Korea’s cyberattack on Sony in 2014 destroyed data and disabled thousands of computers. With more than 100 million Americans’ personal data compromised in recent years—including credit-card information and medical records—it isn’t surprising that nine out of 10 Americans say they feel like they’ve lost control of their personal information.
These cyberthreats are among the most urgent dangers to America’s economic and national security. That’s why, over the past seven years, we have boosted cybersecurity in government—including integrating and quickly sharing intelligence about cyberthreats—so we can act on threats even faster. We’re sharing more information to help companies defend themselves. We’ve worked to strengthen protections for consumers and students, guard the safety of children online, and uphold privacy and civil liberties. And thanks to bipartisan support in Congress, I signed landmark legislation in December that will help bolster cooperation between government and industry.
…
That’s why, today, I’m announcing our new Cybersecurity National Action Plan, backed by my proposal to increase federal cybersecurity funding by more than a third, to over $19 billion. This plan will address both short-term and long-term threats, with the goal of providing every American a basic level of online security.
First, I’m proposing a $3 billion fund to kick-start an overhaul of federal computer systems. It is no secret that too often government IT is like an Atari game in an Xbox world. The Social Security Administration uses systems and code from the 1960s. No successful business could operate this way. Going forward, we will require agencies to increase protections for their most valued information and make it easier for them to update their networks. And we’re creating a new federal position, Chief Information Security Officer—a position most major companies have already adopted—to drive these changes across government.
…
The Social Security Administration is no doubt running systems and code for the 1960s, which is no doubt why you so seldom hear its name in data breach stories.
Social Security Numbers, sure, those flooded from the Office of Personnel Management, but that wasn’t the fault of the Social Security Administration.
To be fair, the SSA has experienced data breaches, but self-inflicted ones like leaking information on 14,000 “live” people in a list of 90 million deceased Americans.
In case you are wondering, in round numbers that means SSA staff make an error in 00.015% of all the cases they handle.
I should be so careful! So should you! 😉
That’s a quite remarkably low error rate. Consider that a batter is “hot” if they hit more than 3 times out of 10.
Sorry, back to the main story.
President Obama’s “protection money” will delay the onset of incentives for producing secure code and systems.
Following the money, vendors/contractors will pursue strategies that layer more insecure code on top of already insecure code. After all, that’s what the President is paying for and that’s way he is going to get.
Pay close attention to any attempt to “upgrade” the information systems at the Social Security Administration. The net effect will be to bring the SSA to a modern level of insecurity.
The more code produced by the Cybersecurity National Action Plan, the more attack surfaces for hackers.
There is an upside to the President’s plan.
The surplus of hacking opportunities will doom some hackers to cycles of indecision and partial hacks. They will jump from one breach story to another.
How to calculate an ROI on surplus hacking opportunities isn’t clear. Suggestions?