The federal government is stepping up its game this week on the cybersecurity front, with both proposed budget line items that would requisition nearly $11 billion for cyber, and the introduction of the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, which would require that devices purchased by the U.S. government meet certain minimum security requirements.
The White House’s budget proposal to Congress released this week earmarked funding for cyber-activities by both the Department of Defense and the Department of Homeland security.
And as for the IoT legislation, it addresses the fact that these connected devices are sometimes shipped with factory-set, hardcoded passwords and are often unable to be updated or patched; as such, they can represent a weak point in a network’s security. IoT devices have been used by bad actors to launch DDoS attacks, and they’ve been used as data-harvesting and espionage devices as well – neither of which are good scenarios for government agencies.
The White House budget proposal, released Monday, is asking for more than $9.6 billion for Defense Department cyber-operations, both for protection activities but also to conduct offensive operations via the U.S. Cyber Command. It also earmarks just over $1 billion for DHS, to protect federal networks and critical infrastructure, including elections equipment.
Details as to what the funds would go towards are limited in the high-level document, but individual agencies are expected to release more specifics next week. Overall, the money will go towards implementing previously stated goals laid out in the president’s cybersecurity policy, such as infrastructure modernization and addressing the workforce gap.
“The budget continues to place a high priority on cybersecurity and cyber-operations by requesting more than $9.6 billion in 2020 to advance DoD’s three primary cyber-missions: safeguarding DoD’s networks, information and systems; supporting military commander objectives; and defending the nation,” according to the budget request’s DoD section.
It added, “This investment provides the resources necessary to grow the capacity of U.S. military cyber forces (including the recently elevated United States Cyber Command), invest in the cyber-workforce, and continue to maintain the highest cybersecurity standards at DoD.”
Phil Neray, vice president of Industrial Cybersecurity at CyberX, told Threatpost that “digital transformation isn’t just about businesses — it’s also changing how we conduct geopolitics and warfare, so it makes a lot of sense to allocate more funds to strengthening our DoD cyber capabilities, both offensive and defensive.”
When it comes to DHS, the president’s National Cyber Strategy has in the past highlighted DHS’s role in securing and building cybersecurity resilience for the nation’s most critical infrastructure, including government networks
The budget resources would be designated for increasing the number of DHS-led network risk assessments from 473 to 684—including assessments of state and local electoral systems—as well as for additional tools and services, such as the EINSTEIN defense platform and continuous diagnostics and mitigation programs, “to reduce the cybersecurity risk to Federal information technology networks,” according to the budget.
The DHS funding would also be used to address the federal cybersecurity workforce shortage by establishing a unified cyber-workforce capability across the civilian enterprise, with the goal of hiring at least 150 new cybersecurity employees by the end of 2020, according to the proposal.
To attract talent, “the budget includes funding to support DHS’s Cyber Talent Management System, which reflects the exemption of DHS’s cyber workforce from many of the hiring and compensation requirements and restrictions in existing law under Title 5,” the proposal laid out. “Under this new initiative, In this way, DHS would be better positioned to compete with the private sector for cyber-talent.”
Ben Johnson, co-founder and CTO of Obsidian Security, told Threatpost that while the focus on cyber in the budget is a welcome development, the devil as always will be in the details.
“I’m excited that there’s a much larger national focus on the cybersecurity pandemic, but security only happens through continuous improvement, cultural awareness, strong operational posture and good strategy, and none of those are obtained simply by writing a large check,” he warned.
Neray meanwhile told Threatpost that when it comes to critical infrastructure, it’s important to remember that 85 percent of the nation’s critical infrastructure is owned by the private sector.
“The DoD and DHS/FBI have neither the resources nor the legal standing to defend civilian assets before they’re attacked,” he said. “So, we also need more incentives from the government, such as corporate tax breaks, to encourage critical infrastructure organizations to bolster their cyber-defenses with modern approaches such as continuous monitoring. It’s easy to see how nation-state or criminally-motivated cyberattacks could cripple our entire economy and cause public chaos by turning off the grid in key metropolitan areas — such as Wall Street or Washington D.C. — during peak times.”
The IoT bill meanwhile is bipartisan legislation introduced Monday in both the Senate and the House of Representatives.
The Act would require that devices purchased by the U.S. government meet certain minimum security requirements as defined by the National Institute of Standards and Technology (NIST), including requirements around secure development, identity management, patching and configuration management for IoT devices.
The Office of Management and Budget (OMB) would then be tasked with issuing guidelines for each agency that are consistent with the NIST recommendations, and it will review the policies at least every five years.
NIST would also provide guidance on coordinated vulnerability disclosure policies, and contractors and vendors providing IoT devices to the U.S. government will be required to adopt those.
“The internet of things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices to be operating on our networks within the next several years,” said Sen. Cory Gardner (R-Co.), co-chair of the Senate Cybersecurity Caucus, in a statement. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks. Agencies like the National Institute of Standards and Technology (NIST), which has a major campus in Boulder, are key players in helping establish guidelines for improved IoT security and our bill builds on those efforts.”
Johnson told Threatpost that here, too, implementation will be key to success if the bill passes into law.
“With the abysmal state of IoT security, taking federal steps toward improving the scrutiny, requirements and implementations of new technology is a step forward,” he told Threatpost. “Any security practitioner will tell you, however, that it is the combination of people, processes and technology that works to mitigate risk and creates more robust environments. Any spending bills need to not only raise the bar for the security of our assets and applications, but also work to improve security culture, risk awareness and reporting, and the skills of those set to architect, defend and manage our systems going forward.”