President Barack Obama said Tuesday he is asking Congress for $3.1 billion to update the government's archaic computer systems to protect them from cyberattacks as part of a new, centralized effort to boost cybersecurity.
Obama said he will hire a new chief information security officer—but whose salary would be paltry compared to those paid by big businesses—and expand the government's troubled "Einstein" intrusion-prevention technology. Obama said some infrastructure is downright ancient, with the Social Security Administration relying on systems from the 1960s that are vulnerable.
"That's going to have to change," Obama said, flanked by top national security advisers in the Roosevelt Room. "We're going to have to play some catch-up."
Across town, the U.S. director of national intelligence, James Clapper, warned Congress that Russia, China, Iran and North Korea are the most serious threats to U.S. information systems. Clapper also said increasingly connected devices and appliances make the U.S. vulnerable in new ways.
Obama's comments came after the release of his 2017 budget proposal. Obama is asking Congress for $19 billion more in cybersecurity funding across all government agencies—an increase of more than from 35 percent from last year.
Dubbed the "Cybersecurity National Action Plan," the White House touted the plan as the "capstone" of seven years of work to build a cohesive federal cybersecurity response—an effort that has often faltered in the past.
Obama said some problems could be fixed relatively quickly, but added he was directing his advisers to focus also on anticipating future threats so that cybersecurity protections can adapt.
"I'm going to be holding their feet to the fire to make sure they execute on this in a timely fashion," Obama said.
Other plans would make it less convenient—but ostensibly more secure—for citizens to access their personal records by increasing use of passwords and pin authentication. The budget also proposes that the government reduce the use of Social Security numbers for identification. None of the suggestions appeared groundbreaking or entirely novel. Many were previously suggested in government and industry reports, and some appeared to replicate previous efforts.
"A lot of this stuff is not new," said Randy Sabett, a former National Security Agency crypto-engineer. Sabett worked on a cybersecurity commission report that advised Obama on the subject in 2008. Success would depend on administration leadership, he said, adding: "The window dressing is there; now what's behind the curtains."
The hiring of a single high-level official to deal with cyber intruders in federal government networks establishes a position long in place at companies in the private sector. The job posting Tuesday indicated it will pay between $123,000 and $185,000—although the largest companies pay far more for the same job.
The lack of such a government role has been especially notable after hackers stole the personal files of 21 million Americans from the Office of Personnel Management. The U.S. believes the hack was a Chinese espionage operation.
The new security job is expected to be filled in 60 to 90 days, said Tony Scott, the U.S. chief information officer. The White House said that person will report to Scott and set and monitor performance goals for agencies. Scott said the person would make sure strategies are consistently applied across agencies.
It remains to be seen whether the person will have enough authority, said Jacob Olcott, a former congressional legal adviser on cybersecurity.
The budget said U.S. Cyber Command is building a cyber mission force of 133 teams assembled from 6,200 military, civilian and contractors from across military and defense agencies. The force will be fully operational in 2018 but has already been used for some cyber operations.
Many of the proposals such as the new cybersecurity official can be done through existing appropriations or executive authorities, the White House said.
Obama said he expects broad support for what has not been a partisan issue. He said he'd already spoken to House Speaker Paul Ryan about ways Republicans and Democrats could work together.
The plan also calls for expansion of the Homeland Security Department's "Einstein" system, which was created to detect and block cyberattacks on federal agencies. The program received a scathing review last month by the Government Accountability Office, which said it can't deal with complex threats such as previously unknown "zero-day" exploits or problematic system behavior that could signify an attack.
The president also established through executive order a permanent Federal Privacy Council. It will bring together government privacy officials. Obama was also establishing a Commission on Enhancing National Cybersecurity to make recommendations on government cybersecurity for the next decade.
Explore further: Obama administration plans new high-level cyber official