A new campaign that empowers Americans to better secure their online lives
Since the beginning of his Administration, the President has made it clear that cybersecurity is one of the most important challenges we face as a Nation. In February of this year, the President issued his Cybersecurity National Action Plan (CNAP). The CNAP directed the Federal Government to take new action now while fostering the conditions required for long-term improvements in our approach to cybersecurity across the Federal Government, the private sector, and our personal lives.
One critical component of the CNAP is the goal of empowering Americans to better secure their online accounts by moving beyond just usernames and passwords and adding an extra layer of security. To accomplish this goal, the National Cyber Security Alliance (NCSA), together with non-profit membership organizations and private sector companies, today launched the “Lock Down Your Login” campaign.
The NCSA’s “Lock Down Your Login” is a public-private campaign designed to enable every American to better secure their online accounts through the use of strong authentication. Strong authentication, such as the use of a fingerprint or the confirmation of a one-time code, for your online accounts could have prevented as many as 62 percent of successful data breaches last year.
Many Americans are concerned about online security. But we all have work to do to improve the security of our online accounts. 72 percent of Americans believe their accounts are secure with only a username and password. Unfortunately, this simple method for protecting ourselves online is not as effective as it once was. But there is some good news. A confluence of emerging technologies, under the banner of strong authentication, is making it easier for everyone to better secure their online accounts.
“Lock Down Your Login” aims to close this gap by focusing on simple and widely available solutions that can and should be adopted by every American online. That’s why industry, government, and like-minded organizations that understand the importance of cybersecurity awareness and education are coming together through this harmonized campaign to make the case to consumers directly.
“Lock Down Your Login” builds upon years of the STOP. THINK. CONNECT.™ campaign’s public-private partnerships to help more Americans stay safe online through public awareness. This new campaign is timed with the launch of National Cyber Security Awareness Month in October. During October, the National Cyber Security Alliance and the U.S. Department of Homeland Security, co-founders and co-leaders of the month, call on all Americans and businesses to share the responsibility and take steps to be safer and more secure online.
“Lock Down Your Login” Partners
In order to launch this public-private partnership, the NCSA has engaged a broad range of “Lock Down Your Login” partners, including technology companies, banks, non-profits, and civil society. “Lock Down Your Login” partners will support the campaign in a number of ways including but not limited to:
Collaborating closely with the National Cyber Security Alliance to promote the “Lock Down Your Login” messaging and content by using the brand and logo with their own. This includes utilizing media space online and on television as well as other platforms to spread the word about “Lock Down Your Login.”
Encouraging customers to use strong authentication technology. By making new technologies available and generating awareness of those currently offered, partners will empower their customers to better secure their accounts.
Creating original content for their audience and promoting it through their own platforms and spokespeople. “Lock Down Your Login” encourages campaign partners to generate awareness and inspire action by creating their own content designed to reach their specific target audience.
Examples of commitments announced by companies today in support of the “Lock Down Your Login” campaign include:
Facebook is conducting a broadcast and radio media tour to share security tools and advice to keep accounts safe, including strong authentication and password advice. People using Facebook will see promotional videos for tools like Security Checkup, which encourages unique passwords and the use of login alerts to receive a notification when a new computer or phone attempts to access your account. A blog post series on Facebook’s Security Page will highlight the “Lock Down Your Login” campaign and share other security features, including login approvals, which is Facebook’s two-factor authentication feature involving a code generated from the Facebook app or sent via text message.
The FIDO Alliance, the Electronic Transactions Association (ETA) and the National Cyber Security Alliance (NCSA) will jointly host a “Future of Authentication Policy Day” to highlight the importance of strong authentication, explore the evolution of the authentication market, and discuss its impact on the policy and regulatory landscape. This event will take place on October 27th, in recognition of National Cyber Security Awareness Month.
Google will help promote the goals of the “Lock Down Your Login” campaign through a blog post, social media, and a home page promotion in October that will urge users to take an account “Security Checkup” which includes managing any two-step verification protections users have set up. This is in addition to Google’s existing security investments, including ongoing Safe Browsing protection, which shields desktops and Android users from malware, phishing, and unwanted software on the web.
Intel is committed to working with the National Cyber Security Alliance and its partners to bring easy and actionable digital security education to consumers through engaging content. Intel will support the call for stronger authentication by reaching users on social media and motivating them to take action by making digital security understandable and user-friendly. In product offerings that support this initiative, True Key™ by Intel Security is a multifactor password manager. It secures passwords, ensures only users can access them with unique factors like their face and fingerprint, and logs users in across the web.
Mastercard continues to be committed to developing consumer solutions that eliminate static passwords, utilize biometrics and make payments both safe and simple. As part of its efforts, Mastercard, with its partner BMO-Harris Bank in the United States, will announce the upcoming commercial launch of the Mastercard Identity Check Mobile solution for BMO Harris Bank’s commercial cards. Mastercard Identity Check Mobile allows a user to authenticate a digital payment transaction with his or her fingerprint or selfie.
SANS Institute is offering organizations access to an interactive National Cybersecurity Awareness Month Planning Kit, which will include everything organizations need to promote cybersecurity during the month of October. The kit includes resources, materials and templates for every day of the month, including an entire day dedicated just to the Lock Down Your Login campaign.
Square will continue to implement simple and easy-to-use multi-factor authentication (MFA) tools for all of the businesses that they serve. For user log-in, they have provided customers with the option to enable an MFA feature that sends a text with a verification code. Square will encourage users to enable this tool through a variety of channels with clear instructions on how to do so. Their MFA solution also enables the business to require a second layer of verification for sensitive account actions like changing a linked bank account or password.
USAA is committing to make it easier for its members to secure their accounts using multi-factor authentication. They support a variety of authentication methods including touch, voice, face, text and token. While these methods have been available to all members since 2011, USAA will now automatically enroll new members in multi-factor authentication. This is part of a multi-year commitment to strengthen account security.
NCSA’s full list of “Lock Down Your Login” partners is: CompTIA, Consumer Action, Consumer Federation of America, Council of Better Business Bureaus, Decoded, ESET North America, Facebook, Family Online Safety Institute (FOSI), FIDO Alliance, Financial Services Roundtable, Google, Intercede, Intel Corp., Javelin Strategy & Research, Logical Operations – Get IT Certified, MasterCard, mcgarrybowen, Mozilla, Multi-State Information Sharing Analysis Center (MS-ISAC), National Strategy for Trusted Identities in Cyberspace (NSTIC) National Program Office (NPO), NXP Semiconductor, PayPal, Salesforce, SANS Institute, Square, TeleSign, TrueKey™ by Intel Security, Twitter Inc., Visa Inc., Wells Fargo & Company, and Yubico.
Campaign Development
Led by the NCSA and in coordination with the Administration, the campaign was developed through an active collaboration of partners and consumer research to identify a message that would resonate with Americans and encourage them to take actions to secure their accounts.
Working together since this past spring, partners have provided input and guidance about the best ways to communicate the value of adding stronger authentication to online accounts. Several messages and logos were tested through surveys. Americans responded the most positively to the “Lock Down Your Login” messaging as it is easy to understand, encourages adoption of stronger account security and motivates internet users to take action to prevent identity theft and secure their digital lives.
Taking bold actions to protect Americans in today’s digital world
The next War to End All Wars will likely be fought in cyberspace, rather than by invading armies. Cybersecurity is a critical line of defense, but also raises issues of privacy – from government as well as criminals. The Obama Administration has just issued a Cybersecurity National Action Plan which, among other things, creates a Commission on Enhancing National Cybersecurity as well as a permanent Federal Privacy Council. It includes expanding upon the President’s 2014 BuySecure Initiative to strengthen the security of consumer data. Here is a fact sheet from the White House detailing the Cybersecurity National Action Plan:
From the beginning of his Administration, the President has made it clear that cybersecurity is one of the most important challenges we face as a Nation, and for more than seven years he has acted comprehensively to confront that challenge. Working together with Congress, we took another step forward in this effort in December with the passage of the Cybersecurity Act of 2015, which provides important tools necessary to strengthen the Nation’s cybersecurity, particularly by making it easier for private companies to share cyber threat information with each other and the Government.
But the President believes that more must be done – so that citizens have the tools they need to protect themselves, companies can defend their operations and information, and the Government does its part to protect the American people and the information they entrust to us. That is why, today, the President is directing his Administration to implement a Cybersecurity National Action Plan (CNAP) that takes near-term actions and puts in place a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.
The Challenge
From buying products to running businesses to finding directions to communicating with the people we love, an online world has fundamentally reshaped our daily lives. But just as the continually evolving digital age presents boundless opportunities for our economy, our businesses, and our people, it also presents a new generation of threats that we must adapt to meet. Criminals, terrorists, and countries who wish to do us harm have all realized that attacking us online is often easier than attacking us in person. As more and more sensitive data is stored online, the consequences of those attacks grow more significant each year. Identity theft is now the fastest growing crime in America. Our innovators and entrepreneurs have reinforced our global leadership and grown our economy, but with each new story of a high-profile company hacked or a neighbor defrauded, more Americans are left to wonder whether technology’s benefits could risk being outpaced by its costs.
The President believes that meeting these new threats is necessary and within our grasp. But it requires a bold reassessment of the way we approach security in the digital age. If we’re going to be connected, we need to be protected. We need to join together—Government, businesses, and individuals—to sustain the spirit that has always made America great.
Our Approach
That is why, today, the Administration is announcing a series of near-term actions to enhance cybersecurity capabilities within the Federal Government and across the country. But given the complexity and seriousness of the issue, the President is also asking some of our Nation’s top strategic, business, and technical thinkers from outside of government to study and report on what more we can do to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security. Bold action is required to secure our digital society and keep America competitive in the global digital economy.
The President’s Cybersecurity National Action Plan (CNAP) is the capstone of more than seven years of determined effort by this Administration, building upon lessons learned from cybersecurity trends, threats, and intrusions. This plan directs the Federal Government to take new action now and fosters the conditions required for long-term improvements in our approach to cybersecurity across the Federal Government, the private sector, and our personal lives. Highlights of the CNAP include actions to:
Establish the “Commission on Enhancing National Cybersecurity.” This Commission will be comprised of top strategic, business, and technical thinkers from outside of Government – including members to be designated by the bi-partisan Congressional leadership. The Commission will make recommendations on actions that can be taken over the next decade to strengthen cybersecurity in both the public and private sectors while protecting privacy; maintaining public safety and economic and national security; fostering discovery and development of new technical solutions; and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion and use of cybersecurity technologies, policies, and best practices.
Modernize Government IT and transform how the Government manages cybersecurity through the proposal of a $3.1 billion Information Technology Modernization Fund, which will enable the retirement, replacement, and modernization of legacy IT that is difficult to secure and expensive to maintain, as well as the formation of a new position – the Federal Chief Information Security Officer – to drive these changes across the Government.
Empower Americans to secure their online accounts by moving beyond just passwords and adding an extra layer of security. By judiciously combining a strong password with additional factors, such as a fingerprint or a single use code delivered in a text message, Americans can make their accounts even more secure. This focus on multi-factor authentication will be central to a new National Cybersecurity Awareness Campaign launched by the National Cyber Security Alliance designed to arm consumers with simple and actionable information to protect themselves in an increasingly digital world. The National Cyber Security Alliance will partner with leading technology firms like Google, Facebook, DropBox, and Microsoft to make it easier for millions of users to secure their online accounts, and financial services companies such as MasterCard, Visa, PayPal, and Venmo that are making transactions more secure. In addition, the Federal Government will take steps to safeguard personal data in online transactions between citizens and the government, including through a new action plan to drive the Federal Government’s adoption and use of effective identity proofing and strong multi-factor authentication methods and a systematic review of where the Federal Government can reduce reliance on Social Security Numbers as an identifier of citizens.
Invest over $19 billion for cybersecurity as part of the President’s Fiscal Year (FY) 2017 Budget. This represents a more than 35 percent increase from FY 2016 in overall Federal resources for cybersecurity, a necessary investment to secure our Nation in the future.
Through these actions, additional new steps outlined below, and other policy efforts spread across the Federal Government, the Administration has charted a course to enhance our long-term security and reinforce American leadership in developing the technologies that power the digital world.
Commission on Enhancing National Cybersecurity
For over four decades, computer technology and the Internet have provided a strategic advantage to the United States, its citizens, and its allies. But if fundamental cybersecurity and identity issues are not addressed, America’s reliance on digital infrastructure risks becoming a source of strategic liability. To address these issues, we must diagnose and address the causes of cyber-vulnerabilities, and not just treat the symptoms. Meeting this challenge will require a long-term, national commitment.
To conduct this review, the President is establishing the Commission on Enhancing National Cybersecurity, comprised of top strategic, business, and technical thinkers from outside of Government – including members to be designated by the bi-partisan Congressional leadership. The Commission is tasked with making detailed recommendations on actions that can be taken over the next decade to enhance cybersecurity awareness and protections throughout the private sector and at all levels of Government, to protect privacy, to maintain public safety and economic and national security, and to empower Americans to take better control of their digital security. The National Institute of Standards and Technology will provide the Commission with support to allow it to carry out its mission. The Commission will report to the President with its specific findings and recommendations before the end of 2016, providing the country a roadmap for future actions that will build on the CNAP and protect our long-term security online.
Raise the Level of Cybersecurity across the Country
While the Commission conducts this forward looking review, we will continue to raise the level of cybersecurity across the Nation.
Strengthen Federal Cybersecurity
The Federal Government has made significant progress in improving its cybersecurity capabilities, but more work remains. To expand on that progress and address the longstanding, systemic challenges in Federal cybersecurity, we must re-examine our Government’s legacy approach to cybersecurity and information technology, which requires each agency to build and defend its own networks. These actions build upon the foundation laid by the Cybersecurity Cross-Agency Priority Goals and the 2015 Cybersecurity Strategy and Implementation Plan.
• The President’s 2017 Budget proposes a $3.1 billion Information Technology Modernization Fund, as a down payment on the comprehensive overhaul that must be undertaken in the coming years. This revolving fund will enable agencies to invest money up front and realize the return over time by retiring, replacing, or modernizing antiquated IT infrastructure, networks, and systems that are expensive to maintain, provide poor functionality, and are difficult to secure.
• The Administration has created the position of Federal Chief Information Security Officer to drive cybersecurity policy, planning, and implementation across the Federal Government. This is the first time that there will be a dedicated senior official who is solely focused on developing, managing, and coordinating cybersecurity strategy, policy, and operations across the entire Federal domain.
• The Administration is requiring agencies to identify and prioritize their highest value and most at-risk IT assets and then take additional concrete steps to improve their security.
• The Department of Homeland Security, the General Services Administration, and other Federal agencies will increase the availability of government-wide shared services for IT and cybersecurity, with the goal of taking each individual agency out of the business of building, owning, and operating their own IT when more efficient, effective, and secure options are available, as well as ensuring that individual agencies are not left on their own to defend themselves against the most sophisticated threats.
• The Department of Homeland Security is enhancing Federal cybersecurity by expanding the EINSTEIN and Continuous Diagnostics and Mitigation programs. The President’s 2017 Budget supports all Federal civilian agencies adopting these capabilities.
• The Department of Homeland Security is dramatically increasing the number of Federal civilian cyber defense teams to a total of 48, by recruiting the best cybersecurity talent from across the Federal Government and private sector. These standing teams will protect networks, systems, and data across the entire Federal Civilian Government by conducting penetration testing and proactively hunting for intruders, as well as providing incident response and security engineering expertise.
• The Federal Government, through efforts such as the National Initiative for Cybersecurity Education, will enhance cybersecurity education and training nationwide and hire more cybersecurity experts to secure Federal agencies. As part of the CNAP, the President’s Budget invests $62 million in cybersecurity personnel to:
o Expand the Scholarship for Service program by establishing a CyberCorps Reserve program, which will offer scholarships for Americans who wish to obtain cybersecurity education and serve their country in the civilian Federal government;
o Develop a Cybersecurity Core Curriculum that will ensure cybersecurity graduates who wish to join the Federal Government have the requisite knowledge and skills; and,
o Strengthen the National Centers for Academic Excellence in Cybersecurity Program to increase the number of participating academic institutions and students, better support those institutions currently participating, increase the number of students studying cybersecurity at those institutions, and enhance student knowledge through program and curriculum evolution.
• The President’s Budget takes additional steps to expand the cybersecurity workforce by:
o Enhancing student loan forgiveness programs for cybersecurity experts joining the Federal workforce;
The privacy and security of all Americans online in their daily lives is increasingly integral to our national security and our economy. The following new actions build on the President’s 2014 BuySecure Initiative to strengthen the security of consumer data.
• The President is calling on Americans to move beyond just the password to leverage multiple factors of authentication when logging-in to online accounts. Private companies, non-profits, and the Federal Government are working together to help more Americans stay safe online through a new public awareness campaign that focuses on broad adoption of multi-factor authentication. Building off the Stop.Think.Connect. campaign and efforts stemming from the National Strategy for Trusted Identities in Cyberspace, the National Cyber Security Alliance will partner with leading technology companies and civil society to promote this effort and make it easier for millions of users to secure their accounts online. This will support a broader effort to increase public awareness of the individual’s role in cybersecurity.
• The Federal Government is accelerating adoption of strong multi-factor authentication and identity proofing for citizen-facing Federal Government digital services. The General Services Administration will establish a new program that will better protect and secure the data and personal information of Americans as they interact with Federal Government services, including tax data and benefit information.
• The Administration is conducting a systematic review of where the Federal Government can reduce its use of Social Security Numbers as an identifier of citizens.
• The Federal Trade Commission recently relaunched IdentityTheft.Gov, to serve as a one-stop resource for victims to report identity theft, create a personal recovery plan, and print pre-filled letters and forms to send to credit bureaus, businesses, and debt collectors.
• The Small Business Administration (SBA), partnering with the Federal Trade Commission, the National Institute of Standards and Technology (NIST), and the Department of Energy, will offer cybersecurity training to reach over 1.4 million small businesses and small business stakeholders through 68 SBA District Offices, 9 NIST Manufacturing Extension Partnership Centers, and other regional networks across the country.
• The Administration is announcing new milestones in the President’s BuySecure Initiative to secure financial transactions. As of today the Federal Government has supplied over 2.5 million more secure Chip-and-PIN payment cards, and transitioned to this new technology the entire fleet of card readers managed by the Department of the Treasury. Through government and private-sector leadership, more secure chip cards have been issued in the United States than any other country in the world.
Enhance Critical Infrastructure Security and Resilience
The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure. A continued partnership with the owners and operators of critical infrastructure will improve cybersecurity and enhance the Nation’s resiliency. This work builds off the President’s previous cybersecurity focused Executive Orders on Critical Infrastructure (2013) and Information Sharing (2015).
• The Department of Homeland Security, the Department of Commerce, and the Department of Energy are contributing resources and capabilities to establish a National Center for Cybersecurity Resilience where companies and sector-wide organizations can test the security of systems in a contained environment, such as by subjecting a replica electric grid to cyber-attack.
• The Department of Homeland Security will double the number of cybersecurity advisors available to assist private sector organizations with in-person, customized cybersecurity assessments and implementation of best practices.
• The Department of Homeland Security is collaborating with UL and other industry partners to develop a Cybersecurity Assurance Program to test and certify networked devices within the “Internet of Things,” whether they be refrigerators or medical infusion pumps, so that when you buy a new product, you can be sure that it has been certified to meet security standards.
• The National Institute of Standards and Technology is soliciting feedback in order to inform further development of its Cybersecurity Framework for improving critical infrastructure cybersecurity. This follows two years of adoption by organizations across the country and around the world.
• Commerce Secretary Pritzker cut the ribbon on the new National Cybersecurity Center of Excellence, a public-private research and development partnership that will allow industry and government to work together to develop and deploy technical solutions for high-priority cybersecurity challenges and share those findings for the benefit of the broader community.
• The Administration is calling on major health insurers and healthcare stakeholders to help them take new and significant steps to enhance their data stewardship practices and ensure that consumers can trust that their sensitive health data will be safe, secure, and available to guide clinical decision-making.
Secure Technology
Even as we work to improve our defenses today, we know the Nation must aggressively invest in the science, technology, tools, and infrastructure of the future to ensure that they are engineered with sustainable security in mind.
• Today the Administration is releasing its 2016 Federal Cybersecurity Research and Development Strategic Plan. This plan, which was called for in the 2014 Cybersecurity Enhancement Act, lays out strategic research and development goals for the Nation to advance cybersecurity technologies driven by the scientific evidence of efficacy and efficiency.
• In addition, the Government will work with organizations such as the Linux Foundation’s Core Infrastructure Initiative to fund and secure commonly used internet “utilities” such as open-source software, protocols, and standards. Just as our roads and bridges need regular repair and upkeep, so do the technical linkages that allow the information superhighway to flow.
Deter, Discourage, and Disrupt Malicious Activity in Cyberspace
Better securing our own digital infrastructure is only part of the solution. We must lead the international effort in adopting principles of responsible state behavior, even while we take steps to deter and disrupt malicious activity. We cannot pursue these goals alone – we must pursue them in concert with our allies and partners around the world.
• In 2015, members of the G20 joined with the United States in affirming important norms, including the applicability of international law to cyberspace, the idea that states should not conduct the cyber-enabled theft of intellectual property for commercial gain, and in welcoming the report of a United Nations Group of Governmental Experts, which included a number of additional norms to promote international cooperation, prevent attacks on civilian critical infrastructure, and support computer emergency response teams providing reconstitution and mitigation services. The Administration intends to institutionalize and implement these norms through further bilateral and multilateral commitments and confidence building measures.
• The Department of Justice, including the Federal Bureau of Investigation, is increasing funding for cybersecurity-related activities by more than 23 percent to improve their capabilities to identify, disrupt, and apprehend malicious cyber actors.
• U.S. Cyber Command is building a Cyber Mission Force of 133 teams assembled from 6,200 military, civilian, and contractor support personnel from across the military departments and defense components. The Cyber Mission Force, which will be fully operational in 2018, is already employing capabilities in support of U.S. Government objectives across the spectrum of cyber operations.
Improve Cyber Incident Response
Even as we focus on preventing and deterring malicious cyber activity, we must also maintain resilience as events occur. Over the past year, the country faced a wide array of intrusions, ranging from criminal activity to cyber espionage. By applying lessons learned from past incidents we can improve management of future cyber incidents and enhance the country’s cyber-resilience.
• By this spring, the Administration will publicly release a policy for national cyber incident coordination and an accompanying severity methodology for evaluating cyber incidents so that government agencies and the private sector can communicate effectively and provide an appropriate and consistent level of response.
Protect the Privacy of Individuals
In coordination with the information technology and cybersecurity efforts above, the Administration has launched a groundbreaking effort to enhance how agencies across the Federal Government protect the privacy of individuals and their information. Privacy has been core to our Nation from its inception, and in today’s digital age safeguarding privacy is more critical than ever.
• Today, the President signed an Executive Order that created a permanent Federal Privacy Council, which will bring together the privacy officials from across the Government to help ensure the implementation of more strategic and comprehensive Federal privacy guidelines. Like cyber security, privacy must be effectively and continuously addressed as our nation embraces new technologies, promotes innovation, reaps the benefits of big data and defends against evolving threats.
Fund Cybersecurity
In order to implement these sweeping changes, the Federal Government will need to invest additional resources in its cybersecurity. That is why the 2017 Budget allocates more than $19 billion for cybersecurity – a more than 35 percent increase over the 2016 enacted level. These resources will enable agencies to raise their level of cybersecurity, help private sector organizations and individuals better protect themselves, disrupt and deter adversary activity, and respond more effectively to incidents.