Taking a CNAP: A Vision for a Cybersecurity Risk-Aware Populace

Is the President's Cybersecurity National Action Plan (CNAP) a path to a more risk-aware populace? MediaPro's Tom Pendergast weighs in.

Even the most cynical and jaded anti-government critic might find their stance softened a little with President Obama’s recent announcement of his Cybersecurity National Action Plan, or CNAP.
The goal of the plan is to align the interests of individuals, businesses, and the government as part of a “long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.”
The proposal was presented without any partisan finger-pointing, and it seems to stand as good a chance as anything of attaining bipartisan support. Cybersecurity is that important!

National Cyberthreat Awareness

Amongst the details was a call for a “national awareness campaign to raise awareness of cyberthreats,” as President Obama discussed in a guest editorial in the Wall Street Journal. Cybersecurity awareness is an issue that is near and dear to our hearts, as anyone who has followed our blog posts and public writings will recognize.
We believe the only way to achieve truly secure homes, workplaces, and governments is to create a “risk-aware culture,” one in which everyone—and not just the lovable nerds in IT—gets a lot smarter about security and privacy. And that means:

  • Having regular conversations about the ways that hackers try to get at data
  • Regular communications about emerging threats
  • Regular reminders to do things like sign up for two-factor authentication, create complex passwords, etc.

It’s about weaving concern about security and privacy protections directly into the fabric of your work life, but also your personal life and your civic life (if you have one).
We’re big proponents of the approach being advocated in this proposal, for it extends the process of continuous improvement in cybersecurity beyond the workplace and into the culture at large. So President Obama—and whichever president takes office a year from now—please sign us up as supporters.

Risk-Aware from the Bottom Up

Not coincidentally, I attended a daylong workshop this week sponsored by the Federal Trade Commission (FTC), the tip of the spear for federal actions involving cybersecurity and privacy. This “Start with Security” workshop, co-sponsored by the University of Washington School of Law, was part of a series of events to help businesses learn how to integrate good security practices into their business growth model.
FTC Commissioner Julie Brill set the positive tone for her agency’s engagement with the business community when she encouraged the full-house audience to recognize how good “starting with security” was for their businesses. When you start with security, she explained, you don’t just ensure that you are creating a business that consumers, business partners, and employees can trust. You are also positioning yourself to thrive during periods of rapid growth or to survive the due diligence of potential acquisition (the tone was clearly directed at fast-moving tech startups, who were well represented in the audience).
Panelist after panelist—and these were all representatives from private enterprise, not the government—echoed the importance of embedding appropriate security practices throughout the fabric of your organizations. Such practices included everything from developing secure applications to encouraging good security behavior at home and online (I wrote about the importance of instilling a risk-aware corporate culture last month for IAPP).
I know there will be those who will see this cooperative, positive, supportive tone from the government as a smokescreen behind which the government deploys Big Brother-like attempts to infiltrate networks and break into the personal information of regular Americans. Those who believe that the Snowden revelations reveal the malevolent intent of the feds will harbor deep suspicions about federal efforts, from CISA to CNAP to the FTC’s Start with Security campaign.
But that’s not how it seemed at the FTC event. Instead, it felt like a great example of a very American approach to security and privacy, in which the federal government aligns with, encourages, and cajoles private enterprise into protecting personal information while still encouraging the quintessential American spirit of dynamic innovation. I couldn’t help but be encouraged by the emerging tone of cooperation and shared purpose that exists between the government and the business community around the importance of cybersecurity.
