Yesterday and in tandem with his request to the increase federal cybersecurity budget to over $19 billion, President Obama announced a new “Cybersecurity National Action Plan” (CNAP). He elaborated on both the plan and the spending uptick in a Feb. 9 Wall Street Journal editorial, “Protecting U.S. Innovation From Cyberthreats.” One section in particular stood out to us:
“We’re doing more to help empower Americans to protect themselves online. In partnership with industry, we’re launching a new national awareness campaign to raise awareness of cyberthreats and encourage more Americans to move beyond passwords—adding an extra layer of security like a fingerprint or codes sent to your cellphone.”
If you’re thinking “it sounds like he’s talking about multi- factor authentication!” you’re on the right track. Both the editorial and actual verbiage from CNAP verbiage address this topic. From CNAP:
Empower Americans to secure their online accounts by moving beyond just passwords and adding an extra layer of security. By judiciously combining a strong password with additional factors, such as a fingerprint or a single use code delivered in a text message, Americans can make their accounts even more secure. This focus on multi-factor authentication will be central to a new National Cybersecurity Awareness Campaign launched by the National Cyber Security Alliance designed to arm consumers with simple and actionable information to protect themselves in an increasingly digital world.
Authentication by the Numbers
On its face, the White House is speaking our language! SecureAuth already provides two-factor and multi-factor authentication to critical federal government agencies. One might almost think a group of politicians eavesdropped on our last product roadmap meeting. Almost. But, we’ve learned by now that actions speak louder than words – and that both the federal government and the private sector have considerable ground to make up.
Federal CIO Tony Scott estimates over 80 percent of government employees currently use two factor authentication, and that the extra security layer will also be available to Americans using the government’s digital services. While 80 percent is encouraging, there’s no reason it shouldn’t sit at 100 percent. After all, the number of federal government employees is estimated around 2 million. Twenty percent of 2 million is 400,000. This means the credentials of 400,000 employees are potentially susceptible to theft – and this number doesn’t begin to take into account that these employees are potentially handling personal data associated with millions of Americans.
The government traffics in incredibly critical and sensitive data. With compromised credential use on the rise, how can you be sure that the person logging in to access resources and data is who they say they are based on only a username and password? The truth is, you can’t. In order to determine if the user logging in to your network is an approved individual, then you need to confirm their identity with two factor, or multi-factor authentication.
CNAP: Leave No…Business? Behind
In December, we released results from a survey polling over 200 IT security professionals in the U.S. on questions related to cybersecurity spend and attitudes towards both the traditional password and password alternatives. A shockingly high 59 percent of respondents said their company experienced a data breach in the last 12 months.
This tells us more work can and should be done to educate businesses about authentication. Companies wishing to improve their cybersecurity posture need to be both vigilant and proactive about protecting their employees’ identities. The first step in doing this is actually being aware…and we think the White House agrees. We say that because the CNAP also includes the following language:
Private companies, non-profits, and the Federal Government are working together to help more Americans stay safe online through a new public awareness campaign that focuses on broad adoption of multi-factor authentication.
Fortunately, our survey respondents seem pretty aware – as evidenced by the 97 percent of them who believe new authentication techniques are reliable (such as fingerprint scans or two factor authentication). In all fairness, though, a lack of awareness from this particular subset of individuals would not be good. After all, understanding technology is part of their job. The people needing education are those above them (C-level executives and board members) and below (the employee calling the help desk every other day because of a forgotten password). That’s why we’re on board with public awareness initiatives and why we’re cautiously optimistic they’ll help.
Now What?
Cyberattacks cost the private sector millions and millions of dollars a year, hurts brands and leads to long, drawn-out lawsuits. Just ask (for starters) FBI, US National Guard and IRS. It’s in everyone’s interest to make it more difficult for attackers to cause further damage to our economy. Business success is our success.
