WASHINGTON — The federal government is relying on archaic, leaky and broken computers systems to protect reams of critical data from cyberattacks, President Barack Obama warned Tuesday as he announced a new, centralized effort to boost cybersecurity.
Obama, asking Congress for more dollars for cybersecurity, said some software systems are downright ancient, with the Social Security Administration relying on systems from the 1960s. Though he conceded government doesn’t have all the answers, he said fixing the problem would require retiring outdated systems that are vulnerable to attacks.
“That’s going to have to change,” Obama said, flanked by top national security advisers in the Roosevelt Room. Thanks to the explosion of the Internet and widespread access to technology, he said, “We’re going to have to play some catch-up.”
The note of caution came as the White House announced it was creating a new high-level federal official to coordinate cybersecurity across civilian agencies and to work with military and intelligence counterparts, as part of its 2017 budget proposal unveiled Tuesday. Obama is asking Congress for a $19-billion boost in cybersecurity funding across all government agencies — an increase of more than from 35 percent from last year.
Dubbed the “Cybersecurity National Action Plan,” the effort is being touted by the White House as the “capstone” of seven years of often faltering attempts to build a cohesive, broad federal cybersecurity response. Obama said some problems could be fixed relatively quickly, but added he was directing his advisers to focus also on anticipating future threats so that cybersecurity protections can adapt.
“I’m going to be holding their feet to the fire to make sure they execute on this in a timely fashion,” Obama said.
Measures include more training for the private sector, emphasizing measures such as password and pin authentication to sign onto tax data and government benefits. The budget also proposes that the government reduce the use of Social Security numbers for identification.
The tasking of a single high-level official with tracking down cyber intruders in federal government networks establishes a position long in place at companies in the private sector. The lack of such a government role has been especially notable after hackers stole the personal information of 21 million Americans, whose information was housed at the Office of Personnel Management. The U.S. believes the hack was a Chinese espionage operation.
The announcement came as Director of National Intelligence James Clapper testified before lawmakers Tuesday, warning that U.S. information systems are vulnerable to cyberattacks by foreign powers — specifically calling out Russia, China, Iran and North Korea as the most potent threats — during his annual assessment of top dangers facing the country.
The chief information security officer position, which was posted Tuesday, is expected to be filled in 60 to 90 days, Scott said. The White House said that person will “drive cybersecurity policy, planning, and implementation for IT systems across” the federal government and set and monitor performance goals for agencies.
“The bottom line, it’s great to have more senior executive-level attention on the issue but the challenge is whether that person will almost certainly be vested with any actual authorities and so it always kind of boils down to that,” said Jacob Olcott, a former congressional legal adviser on cybersecurity.
The budget notes that U.S. Cyber Command is building a Cyber Mission Force of 133 teams assembled from 6,200 military, civilian and contractors from across military and defense agencies. The force will be fully operational in 2018 but has already been used for some cyber operations.
The president also proposed a $3.1 billion effort to modernize the often antiquated federal technical infrastructure and networks, replacing legacy systems that have frequently serve as critical gaps in cybersecurity. While many of the proposals such as the new cybersecurity official can be done through existing appropriations or executive authorities, the modernization effort will require congressional approval, said Michael Daniel, special assistant to the president and cybersecurity coordinator.
Obama said he expects broad support for what has not been a partisan issue. He said he’d already spoken to House Speaker Paul Ryan about ways Republicans and Democrats could work together.
The budget includes more cybersecurity advisers, a roughly fourfold increase in civilian cyber defense teams at the U.S. Department of Homeland Security, charged with security for the .gov domain, to 48.
The Department of Homeland Security plans to expand its EINSTEIN system, which was created to detect and block cyberattacks on federal agencies. The program received a scathing review last month by the Government Accountability Office, which said the system can only detect known threats but can’t deal with more complex threats such as previously unknown “zero-day exploits” or problematic system behavior that could signify an attack.
The president signed an executive order Tuesday creating a permanent Federal Privacy Council, which will bring together privacy officials from across government to help with implementing comprehensive federal privacy guidelines. Obama is also establishing a Commission on Enhancing National Cybersecurity that would involve congressional and private sector leaders who will be tasked with making recommendations in government cybersecurity for the next decade.
Associated Press writer Josh Lederman contributed to this report.