<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:nb="https://www.newsbreak.com/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>Nextgov/FCW - Authors - Joseph Marks</title><link>https://www.nextgov.com/voices/joseph-marks/2352/</link><description>Joseph Marks is a freelance journalist who covered cybersecurity for Nextgov. He previously worked as a staff writer for the Washington Post, covered cybersecurity for Politico, intellectual property for Bloomberg BNA and federal litigation for Law360.  He holds a bachelor’s degree in English from the University of Wisconsin in Madison and a master’s in international affairs from Georgetown University.</description><atom:link href="https://www.nextgov.com/rss/voices/joseph-marks/2352/" rel="self"></atom:link><language>en-us</language><lastBuildDate>Thu, 31 Jul 2025 13:00:00 -0400</lastBuildDate><item><title>Government layoffs are making us less safe in cyberspace, experts fear</title><link>https://www.nextgov.com/cybersecurity/2025/07/government-layoffs-are-making-us-less-safe-cyberspace-experts-fear/407074/</link><description>There’s been a mass exodus of government cyber expertise during the Trump administration.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Thu, 31 Jul 2025 13:00:00 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2025/07/government-layoffs-are-making-us-less-safe-cyberspace-experts-fear/407074/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;When the Trump administration took office in January, it inherited a precarious cyber threat environment in which years of investments in defense had failed to curb the threat from Russia, China and other U.S. adversaries.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Six months later, challenges faced by federal agencies are far worse &amp;mdash; the result of a wave of layoffs and voluntary separations instigated by the Department of Government Efficiency, or DOGE, which has dramatically impaired the government&amp;rsquo;s ability to defend itself in cyberspace, according to former officials and experts.&lt;/p&gt;

&lt;p&gt;The exits mark the first time in the digital era that the government&amp;rsquo;s cyber defense has grown worse rather than better, they say, endangering not just federal agencies but a trove of critical industry sectors that rely on cyber assistance from the U.S. government.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The cuts also come at a time when the nation&amp;rsquo;s adversaries are eager to attack in cyberspace &amp;mdash; both to take advantage of federal government mayhem and to &lt;a href="https://www.nextgov.com/cybersecurity/2025/06/dhs-expects-irans-cyber-forces-will-target-us-networks-after-strikes-nuclear-sites/406214/"&gt;settle scores&lt;/a&gt; over U.S. actions, such as harsh tariffs on Chinese goods and the bombing of Iranian nuclear facilities.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;We have measurably increased our cyber risk as a country,&amp;rdquo; said Michael Daniel, who served as White House cyber czar during the Obama administration and is now president of the Cyber Threat Alliance, a coalition of tech firms that share cyber threat information.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Mass exodus&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;About &lt;a href="https://www.cybersecuritydive.com/news/cisa-departures-trump-workforce-purge/749796/?utm"&gt;one-third &lt;/a&gt;of employees at the government&amp;rsquo;s top cyber agency, the Cybersecurity and Infrastructure Security Agency, or CISA, have left government since the start of the Trump administration, through a combination of buyouts, early retirements and layoffs. That&amp;rsquo;s roughly 1,000 cyber defenders off the job. Those that remain are facing a nearly insurmountable set of challenges, shouldering ever more responsibilities, working under the constant threat of additional downsizing and budget cuts and triaging a new set of threats created by the Trump administration&amp;rsquo;s insistence on speeding up the pace of government.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;A lot of good people have left. Those that [remain] have fewer resources to do things the right way. Fewer hands doing defense means we&amp;rsquo;re less safe,&amp;rdquo; said a former senior cyber official who exited government during the Trump administration and requested anonymity to speak candidly about the government&amp;rsquo;s cyber risks.&lt;/p&gt;

&lt;p&gt;There have also been cyber exits at the FBI and other federal agencies, though precise numbers are less clear.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The FBI declined to disclose how many employees have exited its cyber division in response to a &lt;em&gt;Nextgov/FCW&lt;/em&gt; query or to comment on the effects of the departures on its cyber mission.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In response to a &lt;em&gt;Nextgov/FCW&lt;/em&gt; query about the effects of CISA&amp;rsquo;s employee exodus, Public Affairs Director Marci McCarthy said the agency &amp;ldquo;is laser-focused on securing America&amp;rsquo;s critical infrastructure and strengthening cyber resilience across the government and industry.&amp;rdquo;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;We are proud to be the nation&amp;#39;s cyber defense agency and remain steadfast in our mission,&amp;rdquo; McCarthy said.&lt;/p&gt;

&lt;p&gt;DOGE never specifically targeted cyber workers for layoffs. The CISA departures &lt;a href="https://www.axios.com/2025/06/03/cisa-staff-layoffs-resignations-trump-cuts"&gt;come primarily&lt;/a&gt; from voluntary buyouts and, to a lesser extent, the elimination of CISA offices dealing with election integrity and diversity. But the result is the same. The president&amp;rsquo;s &lt;a href="https://www.nextgov.com/cybersecurity/2025/06/cisa-projected-lose-third-its-workforce-under-trumps-2026-budget/405726/"&gt;proposed 2026 budget&lt;/a&gt; would cut CISA funding by nearly $500 million if adopted into law, making re-filling those positions highly unlikely.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;I&amp;rsquo;m hearing from folks that have remained that they&amp;rsquo;re down 30 to 40 percent in some mission critical areas. Those kinds of deficits in talent and expertise really do impact the mission,&amp;rdquo; a former Homeland Security Department cyber official who now advises federal agencies on cyber protections, said.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;If you&amp;rsquo;re a foreign adversary, you&amp;rsquo;re like, &amp;lsquo;This is a field day. We couldn&amp;rsquo;t hope for a better series of outcomes,&amp;rsquo;&amp;rdquo; said the former official who also requested anonymity to speak candidly.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Reversing course&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The mass staff exodus and proposed budget cuts represent a massive course reversal for government cyber efforts. CISA was founded with about 1,000 employees in 2018. Within five years, that number had more than tripled to nearly 3,200 full-time employees. During roughly the same time period, the agency&amp;rsquo;s budget approximately doubled to nearly $3 billion.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;That growth was commensurate with the broadening scope of the threat during a period that saw massive criminal and nation state-backed hacks targeting government agencies and critical infrastructure, such as pipelines, ports and hospitals.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The government also dramatically expanded its cyber support for critical infrastructure during this period, including a massive push to help secure election systems against hacking &amp;mdash; assistance that&amp;rsquo;s now in jeopardy.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;Everyone I talk to [in industry] says it&amp;rsquo;s radio silence from CISA and there&amp;rsquo;s a sharp decrease [in communications] from the FBI,&amp;rdquo; Daniel said.&lt;/p&gt;

&lt;p&gt;The backsliding with industry is particularly concerning for former officials because the government has spent years trying to convince companies that it&amp;rsquo;s in their best interest to cooperate with the federal government on cyber challenges, including by sharing threat information.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;That has been an &lt;a href="https://www.nextgov.com/cybersecurity/2018/06/only-6-non-federal-groups-share-cyber-threat-info-homeland-security/149343/"&gt;uphill battle&lt;/a&gt; for two big reasons. First, companies fear getting attacked by privacy advocates over concerns that they&amp;rsquo;re turning over customer data to the government. Second, they argue that government processes for declassifying cyber threat information are so onerous that information the government shares back often isn&amp;rsquo;t very actionable.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;Industry&amp;rsquo;s willingness to continue to be patient with government and share what it can is something that, I worry, is going to head in the wrong direction,&amp;rdquo; said Megan Stifel, chief strategy officer at the Institute for Security and Technology think tank and formerly a top National Security Council cyber official during the Obama administration.&lt;/p&gt;

&lt;p&gt;Trump released an &lt;a href="https://www.whitehouse.gov/presidential-actions/2025/03/achieving-efficiency-through-state-and-local-preparedness/"&gt;executive order&lt;/a&gt; in March suggesting that some cyber responsibilities now managed by the federal government, such as cooperating with industry, should devolve to the states. That proposal dangerously underestimates the severity and complexity of the cyber threat, which states, with their comparatively meager cyber and IT budgets, are ill-equipped to handle, experts say.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;States don&amp;rsquo;t have the capability to handle the risk coming at them,&amp;rdquo; said Tarah Wheeler, a longtime cyber professional who is now senior fellow for global cyber policy at the Council on Foreign Relations. &amp;ldquo;They don&amp;rsquo;t have the capability to handle North [expletive] Korea.&amp;rdquo;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Fewer people, more vulnerabilities and insider threats&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Experts and former officials highlighted three major categories of cyber risk facing government in the wake of the DOGE cuts.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;First, there&amp;rsquo;s the basic loss of manpower.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;If a system is designed to be operated with a certain number of people to ensure security, then, without that number of people, it&amp;rsquo;s either going to fail quietly or fail loudly,&amp;rdquo; Wheeler said. &amp;ldquo;We know what systems are failing loudly now. We don&amp;rsquo;t know which ones are failing quietly.&amp;rdquo;&lt;/p&gt;

&lt;p&gt;Second, there&amp;rsquo;s the cyber risk created by DOGE&amp;rsquo;s efforts themselves, including a &lt;a href="https://www.washingtonpost.com/business/2025/02/25/elon-musk-doge-data-privacy-security/"&gt;slapdash approach &lt;/a&gt;to handling sensitive government data and a history of &lt;a href="https://fedscoop.com/opm-email-federal-workforce-lawsuit-server-privacy-security/"&gt;skipping security protocols&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Many of those security vulnerabilities were discovered relatively quickly, such as a custom-built server installed at the Office of Personnel Management to send mass emails to federal employees that &lt;a href="https://www.nextgov.com/digital-government/2025/01/opms-new-email-system-sparks-questions-about-cyber-compliance/402555/"&gt;hadn&amp;rsquo;t undergone&lt;/a&gt; required privacy checks. But many other vulnerabilities may remain undiscovered.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;DOGE&amp;rsquo;s staff has shrunk significantly since its leader, billionaire Elon Musk, left government in May, though several dozen DOGE staffers remain in government, mostly focused on technical modernization efforts rather than layoffs.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Finally, there&amp;rsquo;s the risk that disgruntled employees who remain in government will retaliate by mishandling classified information &amp;mdash; perhaps by passing it to a foreign adversary or by swiping and potentially releasing information aimed at damaging the Trump administration. Disgruntled employees with high-level access to government computer systems could also sabotage those systems or destroy their data.&lt;/p&gt;

&lt;p&gt;Such &lt;a href="https://www.cisa.gov/topics/physical-security/insider-threat-mitigation/defining-insider-threats"&gt;insider threats&lt;/a&gt; are a perennial concern for government and industry, spurred by high-profile examples from the military and intelligence community such as Chelsea Manning, Edward Snowden and Reality Winner. But those concerns spike during periods of mass layoffs and other organizational stresses.&lt;/p&gt;

&lt;p&gt;Organizations that study insider threats, including Carnegie Mellon University&amp;rsquo;s Software Engineering Institute, have &lt;a href="https://insights.sei.cmu.edu/library/common-sense-guide-to-mitigating-insider-threats-seventh-edition/"&gt;routinely&lt;/a&gt; &lt;a href="https://www.binghamton.edu/news/story/5024/layoffs-data-breaches-cybersecurity-risk-business-research-binghamton-university"&gt;found&lt;/a&gt; a link between layoffs and increased insider threat risk in industry.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;Disgruntled employees are one of the biggest insider threat risks,&amp;rdquo; said Matthew Bunn, a Harvard professor focused on national security and co-editor of a &lt;a href="https://www.belfercenter.org/publication/insider-threats"&gt;book-length study&lt;/a&gt; on insider threats produced by Harvard&amp;rsquo;s Belfer Center for Science and International Affairs. &amp;ldquo;If you&amp;rsquo;re laying off thousands of people, you&amp;rsquo;re creating thousands of negative work events and lots of potentially disgruntled employees.&amp;rdquo;&lt;/p&gt;

&lt;p&gt;DOGE&amp;rsquo;s callous approach to federal employees, including &lt;a href="https://www.washingtonpost.com/business/2025/02/21/doge-cuts-frustration-musk-trump/?utm_"&gt;strong-arming top officials&lt;/a&gt; and erroneously &lt;a href="https://apnews.com/article/nuclear-doge-firings-trump-federal-916e6819104f04f44c345b7dde4904d5"&gt;firing and then rehiring&lt;/a&gt; employees at the National Nuclear Security Administration and other agencies, is likely to increase the insider threat risk, Bunn said.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;They&amp;rsquo;re not remotely following best practices,&amp;rdquo; Bunn said. &amp;ldquo;I&amp;rsquo;m not sure I have great advice for a situation where you&amp;rsquo;re wielding a pretty sharp axe and cutting a lot of people at once &amp;mdash; some of whom may be the people you need for spotting insider threats and other threats to the organization. That&amp;rsquo;s going to be a risky situation no matter what.&amp;rdquo;&lt;/p&gt;

&lt;p&gt;Former officials pointed to an additional insider threat risk within DOGE itself, which, during its heyday, was staffed primarily by government outsiders, some of whom had links to Musk&amp;rsquo;s private companies. DOGE staffers were given broad access to sensitive digital systems at the Social Security Administration, the Office of Personnel Management and other agencies, but it&amp;rsquo;s &lt;a href="https://www.washingtonpost.com/national-security/2025/02/06/elon-musk-doge-access-personnel-data-opm-security/"&gt;unclear&lt;/a&gt; what security and background checks they went through.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;One risk is that a DOGE staffer who was insufficiently vetted might have released classified government data to an adversary. Another is that government employees who feared the damage the new efficiency teams could do to their careers could have been easily conned by hackers impersonating DOGE. In both cases, the results of those breaches could remain undetected for months or years.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;If an email arrives with a spoofed DOGE address with a request for records and it&amp;rsquo;s your job [on the line] if you don&amp;rsquo;t do it, that&amp;rsquo;s a heightened environment for spear phishing campaigns,&amp;rdquo; said Tarah Wheeler, a senior fellow for global cyber policy at the Council on Foreign Relations. Spear phishing is a form of digital attack in which hackers send a message specifically tailored to fool its target into releasing secret information or unknowingly downloading malicious software.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A recruiting nightmare&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The effects of the government&amp;rsquo;s cyber purge will likely be even more damaging down the road.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The federal government has spent years trying to recruit cyber workers away from the private sector, where salaries are typically much higher. Those efforts included &lt;a href="https://www.nextgov.com/cybersecurity/2021/08/dhs-stands-up-new-excepted-service-for-cyber-talent/259061/"&gt;special rules &lt;/a&gt;that allow for higher pay for cyber workers and programs that encourage those in industry to take short-term &lt;a href="https://www.opm.gov/policy-data-oversight/human-capital-management/cybersecurity/federal-rotational-cyber-workforce-program/?utm_source=chatgpt.com"&gt;government rotations&lt;/a&gt;. Agencies also touted the benefits of government work, including better job stability than the private sector.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;After the past few months, however, government work is looking like a far riskier bet.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;People work for the government because of mission and, in some cases, because the government provides more stability. Both those reasons have been undercut. The federal government&amp;#39;s commitment to the mission seems less, and the stability is gone,&amp;rdquo; Phil Reitinger, a former Homeland Security Department cyber official who now leads the Global Cyber Alliance, a nonprofit that provides free cybersecurity tools, said.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;When the government&amp;rsquo;s current cyber staffing proves unsustainable and recruiting is difficult, the government is likely to turn to contractors to fill the gaps. That&amp;rsquo;s an option that will not only be costlier than retaining experienced government cyber defenders but is unlikely to replace the institutional knowledge lost during the past few months because contractors typically move in and out of positions more frequently, a former long-serving government cyber contractor said.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;As government employees take off, either through retirement or through layoffs, those doing the threat analysis are stretched thinner, with less mature guidance, and are left to FITFO,&amp;rdquo; said the former contractor, who requested anonymity, using an acronym for &amp;ldquo;figure it the [expletive] out.&amp;rdquo;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;The disruptions that have happened over the past six months are going to take years to address,&amp;rdquo; Daniel said. &amp;ldquo;We&amp;rsquo;re looking at an extended period of time when the U.S. government will have reduced cyber capabilities. That gives our adversaries an opportunity.&amp;rdquo;&lt;/p&gt;
]]&gt;</content:encoded><media:content url="https://cdn.nextgov.com/media/img/cd/2025/07/29/072925workforceNG/large.jpg" width="618" height="284"><media:credit>Vaselena/Getty Images</media:credit><media:thumbnail url="https://cdn.nextgov.com/media/img/cd/2025/07/29/072925workforceNG/thumb.jpg" width="138" height="83"></media:thumbnail></media:content></item><item><title>Why Iowa’s 2020 caucus flop still haunts the civic tech world</title><link>https://www.nextgov.com/modernization/2024/09/why-iowas-2020-caucus-flop-still-haunts-civic-tech-world/399669/</link><description>The caucus stands as a model for how not to integrate tech into elections.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Thu, 19 Sep 2024 13:34:27 -0400</pubDate><guid>https://www.nextgov.com/modernization/2024/09/why-iowas-2020-caucus-flop-still-haunts-civic-tech-world/399669/</guid><category>Modernization</category><content:encoded>&lt;![CDATA[&lt;p&gt;For Iowa Democrats and for makers of campaign and voting technology, there was the world as it existed before the 2020 Iowa caucuses and then there was the world after.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In the before times, Iowa was a major player in Democratic politics. It was a mecca for presidential hopefuls who flocked to diners and county fairs to practice retail politics in advance of the first-in-the-nation caucuses. Politically active Iowans could expect to meet and question multiple candidates during a competitive nominating cycle.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;For civic technologists, it was a fraught but exciting time. There were perils to designing tech for campaigns and elections, but also great opportunities. Technology was viewed as a vital component that could make democracy more accessible or give a campaign an edge.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Then, a massive technological meltdown delayed caucus results for days and humiliated Iowa on the national stage. The vote reporting failure eroded trust in democratic processes when they were already under assault by then-President Donald Trump, who repeatedly claimed without evidence that the 2020 contest would be rigged against him.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The meltdown was a gut punch for election officials, who had struggled since the 2016 contest was marred by foreign interference to convince the public that elections could be run safely and securely. Trump triumphantly called the caucus &amp;ldquo;an unmitigated disaster.&amp;rdquo; For technologists who wanted to make the campaign and election process run more smoothly and efficiently, the lesson was clear: There&amp;rsquo;s no longer any room for error.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;When you take what is at stake in politics and you couple that with technology that&amp;rsquo;s inherently imperfect, you get a very volatile mix,&amp;rdquo; said Eddie Perez, a board member at the OSET Institute, which seeks to increase public confidence in elections.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;You can draw a trajectory from Iowa in 2020 to today. Now, any maker of government and civic technology that is participating in a very public, forward-facing way in political power competitions does so at their own peril,&amp;rdquo; said Perez, who previously worked for 15 years in product management for Hart InterCivic, one of the three largest election technology vendors.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;For Iowa Democrats, the outcome was, if anything, even more consequential.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Four years after the caucus app debacle, Iowa is an afterthought for national Democrats, another heartland state where the party was once competitive but that has been almost entirely ceded to Republicans now. The first-in-the-nation caucus, which had launched both parties&amp;rsquo; presidential nominating contests dating back to the 1970s, is effectively no more, replaced by a write-in presidential preference contest that ends on Super Tuesday along with more than a dozen other states.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;I had coffee with Obama. I had coffee with Hillary. I met with Joe Biden when he was a senator so many times that we were almost on a first name basis. That&amp;rsquo;s all changed,&amp;rdquo; Bret Nilles, chair of the Linn County Democrats, home to Iowa&amp;rsquo;s second largest city Cedar Rapids, said.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This is one of the rare instances in which a public-sector tech foul-up had dramatic real-world consequences that will endure for a generation or longer.&amp;nbsp;&lt;/p&gt;

&lt;figure class="gemg-captioned" style="float:left"&gt;&lt;img alt="" height="683" src="/media/ckeditor-uploads/2024/09/19/091924_getty_ng_iowa-chairman.jpg" width="1024" /&gt;
&lt;figcaption&gt;Troy Price, former chairman of the Iowa Democratic Party, talks to reporters on Feb. 4, 2020 about the tech meltdown at the Iowa Caucus. Price resigned shortly after the caucus. (&lt;em&gt;Scott Olson/Getty Images&lt;/em&gt;)&lt;/figcaption&gt;
&lt;/figure&gt;

&lt;p&gt;The app debacle is not the only reason that the national Democratic party bumped Iowa from its first-in-the-nation calendar spot. (The Republican nominating calendar still begins in Iowa.) National Democrats had long viewed the caucus process as overly complex. The state, which is 85% white according to the 2020 Census, was viewed as insufficiently diverse. And President Joe Biden, who came in fourth in Iowa once all the votes were tallied, was a strong supporter of beginning the nominating calendar in South Carolina.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;There also won&amp;rsquo;t be a truly competitive Democratic primary of any kind until at least 2028 and maybe not until 2032. Biden was not seriously challenged for the 2024 nomination and dropped out after winning a majority of delegates. If Vice President Kamala Harris, who replaced Biden on the ticket, wins in November and isn&amp;rsquo;t challenged for reelection, that will mean 12 years of incumbent Democratic candidates.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Yet, there&amp;rsquo;s a powerful sense in the state that the app debacle made it far easier for the national party&amp;nbsp;to boot Iowa from the top calendar spot.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;Things were already moving in that direction, but the app failure was the straw that broke the camel&amp;rsquo;s back,&amp;rdquo; Bill Brauch, Democratic Party Chair for Polk County, which includes the state capital Des Moines, said.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Outsized impact&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The app&amp;#39;s failure didn&amp;#39;t have to fundamentally alter the way national Democrats approached Iowa. But cascading tech problems collided with a growing public perception that election technology was vulnerable to outside forces.&lt;/p&gt;

&lt;p&gt;First, the building process was rushed, was hampered by external demands and ignored many tech development best practices. Second, the meltdown happened in a political environment that was already bruised by unfounded claims of election chicanery by Trump and his allies.&lt;/p&gt;

&lt;figure class="gemg-captioned" style="float:left"&gt;&lt;img alt="" height="683" src="/media/ckeditor-uploads/2024/09/19/091924_getty_ng_iowa-caucus-app.jpg" width="1024" /&gt;
&lt;figcaption&gt;Carl Voss, Des Moines City Councilman and a precinct chair, shows photographers the app that was used for caucus results reporting on his phone. &lt;em&gt;(Alex Wong/Getty Images)&lt;/em&gt;&lt;/figcaption&gt;
&lt;/figure&gt;

&lt;p&gt;One main pitfall was a series of late requests from the Democratic National Committee for new features and security testing, according to an &lt;a href="https://iowademocrats.org/wp-content/uploads/2020/12/2020-11-10-Internal-Review-Report-for-the-Iowa-Democratic-Party-2020-Iowa-Caucuses.pdf"&gt;independent audit&lt;/a&gt; commissioned by the Iowa Democratic Party. By the time the app was released to caucus leaders, there were just two weeks to go before caucus day, leaving little time for the rigorous testing that is vital for any technical product, especially one that will be used just once in a high-stakes event.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;When a similar app was used by both Democrats and Republicans in the 2016 caucuses, by contrast, it was released months in advance to allow for extensive testing.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;Typically software isn&amp;rsquo;t used for just one night. You have the ability to soft launch something and learn from your mistakes. So, the only option when you don&amp;rsquo;t have that ability is to test the heck out of the thing,&amp;rdquo; said Rodney Guzman, former chief technology officer of InterKnowlogy, the firm that built the 2016 app as part of a contract with Microsoft.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Once the 2020 app arrived, it was overly complicated and difficult to download. Significantly, there wasn&amp;rsquo;t time to get it added to the Apple and Android app stores, so caucus leaders were asked to download it using a different and complicated method. One caucus chair &lt;a href="https://www.washingtonpost.com/outlook/2020/02/04/my-chaotic-infuriating-night-running-an-iowa-caucus/"&gt;described&lt;/a&gt; the process to The Washington Post: &amp;ldquo;You had to fill out a survey, which then got you a link, and then you had to download a different app, and enter in a code from your email, and then you would get the real app.&amp;rdquo;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;These problems were magnified by the fact that many of the app&amp;rsquo;s prospective users were elderly and living in rural areas, often with spotty cell service.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;The app in 2020 felt like an afterthought,&amp;rdquo; said John Deeth, a longtime caucus precinct captain in Johnson County, which includes Iowa City. Deeth is also an election technician at the Johnson County auditor&amp;rsquo;s office.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Caucus leaders also kept details of the app secret, including the name of the company that built it, fearing that transparency would make it easier for hackers and foreign adversaries to compromise the process. That tactic, dubbed &amp;ldquo;security through obscurity,&amp;rdquo; is generally frowned on by security experts.&lt;/p&gt;

&lt;div class="pullquote" data-share="true"&gt;
&lt;div class="pullquote-quote"&gt;The app failure was the straw that broke the camel&amp;rsquo;s back.&lt;/div&gt;

&lt;div class="pullquote-attribution"&gt;Bill Brauch, Democratic Party Chair for Polk County&lt;/div&gt;

&lt;div class="social-tools-placeholder"&gt;The app failure was the straw that broke the camel’s back.&lt;/div&gt;
&lt;/div&gt;

&lt;p&gt;Finally, the backup phone-in option for delivering caucus site results to the Iowa Democratic party was being managed by a human call center with just about 50 volunteers rather than a digital service that had been used in previous years. The call center was quickly overwhelmed by calls from caucus sites that couldn&amp;rsquo;t use the app. Things got worse when the phone-in number was shared by Trump supporters online. One volunteer told the Washington Post at the time that about a quarter of the calls he took were from Trump supporters.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Ultimately, auditors found that the caucus reporting app worked correctly when caucus leaders were able to use it. But a separate tool designed to share data with the DNC produced irregular results, which led the DNC to prevent Iowa Democrats from releasing results from the app that they feared would be tainted. It took days to do a hand count of paper ballots to audit the test results, frustrating the public and media who were laser focused on the contest and expected quick results.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The CEO of Shadow Inc., the Democrat-aligned company that built the 2020 app, did not respond to several interview requests. The Iowa Democratic Party also did not respond to an interview request.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Caucuses, as traditionally practiced by Iowa Democrats, differ substantially from primary elections. Instead of simply voting for their chosen candidate, caucus goers at roughly 2,000 locations across the state essentially organize and reorganize themselves into groups in an effort to maximize the number of state-level delegates for a series of preferred candidates. That means that any technology they use usually must be custom-built. Primaries, by contrast, work essentially like general elections and typically rely on the same voting systems that counties use for general election voting.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The aftermath&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In the aftermath of the caucus night meltdown, there was a general reconsidering of what technology can do in an election context and what it can&amp;rsquo;t.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;The caucus app failure illustrates the stupidity of using technology just because people want to be modern,&amp;rdquo; said Douglas Jones, a retired computer science professor and elections expert at the University of Iowa and a former Democratic caucus precinct leader. He suggested a well-staffed call center would have done the job of receiving caucus night reports far more effectively.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;The standards of the app marketplace don&amp;#39;t really prepare people to build apps that must work at scale during a two-hour period with no full-scale test beforehand,&amp;rdquo; Jones said.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;People who build software for space missions and military weapons systems can meet that kind of &amp;lsquo;failure-is-not-an-option&amp;rsquo; requirement, but the price NASA and the military pay for that kind of software is extraordinarily high,&amp;rdquo; Jones added. &amp;ldquo;There&amp;#39;s no way to afford that kind of price for an app used once every four years and likely to be obsolete in eight years.&amp;rdquo;&lt;/p&gt;

&lt;p&gt;That soul searching was, in some ways, salutary. The months after the caucus brought a host of new challenges for election officials and the technologists that support them, including the onset of the coronavirus pandemic, a significant increase in voting by mail, a host of foreign disinformation campaigns related to elections and Trump and his allies doubling down on false claims that the election was stolen from him.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;By and large, election systems withstood those challenges. But the distrust in voting systems sparked by the caucus debacle remains a challenge.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;When you&amp;rsquo;re dealing with really consequential decisions like what candidates are going to win in a volatile political environment, there&amp;rsquo;s no margin for error,&amp;rdquo; Perez, the OSET Institute board member, said. &amp;ldquo;There&amp;rsquo;s been a degradation of trust in the reliability and accuracy of technology in government settings and that&amp;rsquo;s something the whole sector has had to contend with.&amp;rdquo;&amp;nbsp;&lt;/p&gt;
]]&gt;</content:encoded><media:content url="https://cdn.nextgov.com/media/img/cd/2024/09/19/091924_getty_ng_iowa_dems_lead/large.jpg" width="618" height="284"><media:description>A CNN broadcast at a 2020 Iowa Caucus watch party for Sen. Bernie Sanders notes ongoing delays of the results of the vote. </media:description><media:credit>Joe Raedle/Getty Images</media:credit><media:thumbnail url="https://cdn.nextgov.com/media/img/cd/2024/09/19/091924_getty_ng_iowa_dems_lead/thumb.jpg" width="138" height="83"></media:thumbnail></media:content></item><item><title>Defense, Homeland Security Secretaries Spearhead Cyber Cooperation Agreement</title><link>https://www.nextgov.com/cybersecurity/2018/11/defense-homeland-security-secretaries-spearhead-cyber-cooperation-agreement/152974/</link><description>The agreement details how the departments will work together on major cyber challenges such as elections.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Wed, 21 Nov 2018 11:00:00 -0500</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/11/defense-homeland-security-secretaries-spearhead-cyber-cooperation-agreement/152974/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;Homeland Security Secretary Kirstjen Nielsen and Defense Secretary Jim Mattis spearheaded an agreement signed last week about how their agencies will work together on future cybersecurity challenges, Homeland Security Undersecretary Chris Krebs said last week.&lt;/p&gt;

&lt;p&gt;The pair is also urging more cyber cooperation between military and civilian government, Krebs said.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;It was the two secretaries coming together, saying let&amp;rsquo;s make sure we understand how to best support each other&amp;rsquo;s objectives and mission and make sure our teams also understand,&amp;rdquo; Krebs told reporters after a&lt;a href="https://www.nextgov.com/cybersecurity/2018/11/dhs-aims-id-critical-functions-protect-cyberattacks-years-end/152909/"&gt; cybersecurity conference&lt;/a&gt; hosted by the U.S. Chamber of Commerce Friday. &amp;ldquo;This is a top-down strategic guidance.&amp;rdquo;&lt;/p&gt;

&lt;p&gt;Officials from the Pentagon and Homeland Security&amp;rsquo;s cyber strategy and operations division met to hammer out&lt;a href="https://www.nextgov.com/cybersecurity/2018/11/dhs-and-pentagon-memo-details-future-cyber-cooperation/152854/"&gt; high-level details&lt;/a&gt; of that cooperation and to sign the memorandum of understanding last week, Homeland Security Assistant Secretary Jeanette Manfra said.&lt;/p&gt;

&lt;p&gt;The strategy and operations officials will also serve as a steering committee for future cyber cooperation efforts, Manfra said.&lt;/p&gt;

&lt;p&gt;The agreement is not classified, Manfra said, but the departments have not yet released a public draft.&lt;/p&gt;

&lt;p&gt;The cooperation agreement came after the departments worked together on a plan for U.S. Cyber Command to come to the aid of Homeland Security and state and local election officials if the 2018 midterms were disrupted by cyberattacks or influence operations launched from Russia or elsewhere.&lt;/p&gt;

&lt;p&gt;That assistance turned out to be unnecessary because there were no significant disruptions. The Pentagon did, however, detail 11 cyber troops to Homeland Security&amp;rsquo;s cyber operations division in advance of the election as a sort of landing team that could smooth the path for additional troops if necessary.&lt;/p&gt;

&lt;p&gt;There are no specific future events similar to the midterm elections that the two agencies are immediately planning to cooperate on, Manfra and Krebs said. They are, however, reviewing lessons from the election to guide future cooperation.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;If there&amp;rsquo;s an event this afternoon, if there&amp;rsquo;s one tomorrow, if there&amp;rsquo;s one next week, we can pull on those same agreements and we&amp;rsquo;ve actually tested what it looks like to call in those resources,&amp;rdquo; Krebs said.&lt;/p&gt;

&lt;p&gt;Homeland Security is in the process of identifying the parts of U.S. critical infrastructure, such as airports, hospitals and energy plants, that are most vulnerable to cyberattacks. Once those &amp;ldquo;critical functions&amp;rdquo; are identified, the department will work with the Pentagon and other sector-specific agencies on plans to protect them, Manfra said.&lt;/p&gt;

&lt;p&gt;Sector-specific agencies include the Energy Department for possible attacks against the U.S. electrical grid and the Treasury Department for attacks that target the financial sector. &amp;nbsp;&lt;/p&gt;

&lt;p&gt;Krebs is also confident U.S. Cyber Command will coordinate with Homeland Security before significant offensive cyber operations to ensure it isn&amp;rsquo;t putting the civilian government or critical infrastructure at unnecessary risk, he said.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>IRS Failed to Track 11,000 Breached Social Security Numbers for Tax Fraud</title><link>https://www.nextgov.com/cybersecurity/2018/11/irs-failed-track-11000-breached-social-security-numbers-tax-fraud/152964/</link><description>The tax agency also failed to review another 15,000 breached taxpayer ID numbers it received for possible fraud monitoring, an audit found.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Tue, 20 Nov 2018 15:28:42 -0500</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/11/irs-failed-track-11000-breached-social-security-numbers-tax-fraud/152964/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;The IRS failed to add more than 11,000 compromised Social Security numbers to a list it uses to help protect taxpayers from identity theft, according to an audit this month from the Treasury Department&amp;rsquo;s internal watchdog.&lt;/p&gt;

&lt;p&gt;Fraudsters used 79 of those Social Security numbers to file phony tax returns in an effort to receive ill-gotten refunds during the 2016 and 2017 tax years, Treasury&amp;rsquo;s inspector general&lt;a href="https://www.treasury.gov/tigta/auditreports/2019reports/201940010fr.pdf"&gt; found&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The report focused primarily on an IRS program that collects information about third-party data breaches and tries to prevent the victims of those breaches from being victimized again when tax time rolls around.&lt;/p&gt;

&lt;p&gt;The tax agency&amp;rsquo;s Return Integrity and Compliance Services division recorded 730 of those third-party breaches during 2017 but failed to record 89 of them or to monitor the breach victims for phony returns, auditors found.&lt;/p&gt;

&lt;p&gt;In the case of 70 of those 89 breaches, the division was alerted about the breach but never asked the breached organization to provide victims&amp;rsquo; Social Security numbers or other taxpayer ID numbers so IRS could monitor them.&lt;/p&gt;

&lt;p&gt;For 15 other breaches, the breached organization passed along the ID numbers, but IRS never entered them into its Incident Management Tracker Matrix, the report states.&lt;/p&gt;

&lt;p&gt;In four cases, the breached organization refused to share breached information, but when that happens, the Return Integrity division is supposed to try to compile that information on its own, the auditors said.&lt;/p&gt;

&lt;p&gt;For example, if a tax preparer reports a breach of its client database, the division could create a list of likely victims by identifying tax filers who used that preparer in previous tax years, the audit states.&lt;/p&gt;

&lt;p&gt;The Return Integrity division failed to record those breaches primarily because management hadn&amp;rsquo;t developed a process to monitor which breached organizations had provided victim ID lists and which ones hadn&amp;rsquo;t, the audit states.&lt;/p&gt;

&lt;p&gt;Separately, the auditors found numerous cases in which the Return Integrity division received Social Security numbers and other ID numbers from a breached organization but seemingly didn&amp;rsquo;t review some of those IDs to determine whether they should be monitored for fraud.&lt;/p&gt;

&lt;p&gt;Upon the auditors&amp;rsquo; recommendation, the division reviewed all the taxpayer IDs it had received and found 15,143 that it hadn&amp;rsquo;t reviewed for fraud monitoring, the report states.&lt;/p&gt;

&lt;p&gt;IRS reviewed those IDs and assigned them for fraud monitoring where appropriate, auditors said.&lt;/p&gt;

&lt;p&gt;The auditors recommended that IRS update its tracker to include information from the 89 breaches and the agency agreed.&lt;/p&gt;

&lt;p&gt;IRS also agreed with the auditors&amp;rsquo; recommendation to develop procedures to better ensure it doesn&amp;rsquo;t fail to record future data breaches.&lt;/p&gt;

&lt;p&gt;The IRS considers data breach-related fraud one of the top five challenges facing tax administration, according to the report.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Congress Wants to Confront Facebook, Robocallers and Data-Throttlers</title><link>https://www.nextgov.com/artificial-intelligence/2018/11/congress-wants-confront-facebook-robocallers-and-data-throttlers/152901/</link><description>Lawmakers also encouraged the Pentagon to continue helping civilian agencies in cyber matters.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks and Jack Corrigan</dc:creator><pubDate>Mon, 19 Nov 2018 05:00:00 -0500</pubDate><guid>https://www.nextgov.com/artificial-intelligence/2018/11/congress-wants-confront-facebook-robocallers-and-data-throttlers/152901/</guid><category>Artificial Intelligence</category><content:encoded>&lt;![CDATA[&lt;p&gt;Democratic lawmakers clashed with the tech industry last week while Republicans sought to expand cyber protections for small businesses.&lt;/p&gt;

&lt;p&gt;Congress also finally delivered the Homeland Security Department its top legislative priority and pushed the Pentagon to chip in more cyber resources to defend civilian agencies.&lt;/p&gt;

&lt;p&gt;Here&amp;rsquo;s a rundown.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Judging a (Face)book by Its Cover(up)&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A group of lawmakers pressed the FBI to expand a federal investigation of Facebook to determine whether the social media company withheld information about malicious Russian activity or attacked critics looking to regulate the platform.&lt;/p&gt;

&lt;p&gt;The push comes days after the&lt;em&gt; New York Times&lt;/em&gt; &lt;a href="https://www.nytimes.com/2018/11/14/technology/facebook-data-russia-election-racism.html"&gt;published&lt;/a&gt; a sweeping investigation of the company&amp;rsquo;s actions in the aftermath of the 2016 election. When it was revealed Russian actors used the platform to spread misinformation and influence voters, Facebook reportedly downplayed the extent of the influence campaign and recruited outside groups to smear competitors and critics, among other actions.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;Given the staggering amount of data that Facebook has collected on both its users &amp;hellip; these allegations raise profound concerns about the company&amp;rsquo;s willingness to protect the public and our democracy,&amp;rdquo; Sens. Amy Klobuchar, D-Minn., Richard Blumenthal, D-Conn., Chris Coons, D-Del., and Mazie Hirono, D-Hawaii, said Thursday &lt;a href="https://www.klobuchar.senate.gov/public/index.cfm/news-releases?ID=CAF33D9D-2221-4C10-B551-0715B2BC402F"&gt;in the letter&lt;/a&gt; to Deputy Attorney General Rod Rosenstein.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Robo-caught&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Lawmakers want to curtail robocalls by increasing the penalties for scammers and telemarketers who knowingly break the law.&lt;/p&gt;

&lt;p&gt;The &lt;a href="https://www.commerce.senate.gov/public/_cache/files/55b9b4e2-848f-4ef6-bb1f-1d32f5063183/731A22D0AB4E8FFC00019CD2C5B9DBBB.s.3655-as-introduced.pdf"&gt;Telephone Robocall Abuse Criminal Enforcement and Deterrence Act&lt;/a&gt;, introduced Friday by Sens. John Thune, R-S.D. and Ed Markey, D-Mass., would allow the Federal Communications Commission to fine scammers up to $10,000 per illegal call. The bill also extends the statute of limitations for prosecuting robocallers from one to three years and requires voice providers to use authentication technologies to weed out phony calls.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;As the scourge of spoofed calls and robocalls reaches epidemic levels, the bipartisan TRACED Act will provide every person with a phone much-needed relief,&amp;rdquo; Markey said in a statement.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Lightning in a Throttle&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A trio of Democratic senators &lt;a href="https://www.markey.senate.gov/imo/media/doc/Wehe%20Throttling%20Letter.pdf"&gt;sounded off&lt;/a&gt; Thursday about a study that suggests mobile phone carriers may be &lt;a href="https://de.wikipedia.org/wiki/Throttle_(DJ)"&gt;throttling&lt;/a&gt; the speeds of video streaming services. The study, which used the service &lt;a href="https://dd.meddle.mobi/"&gt;Wehe&lt;/a&gt;, found that Verizon, Sprint, AT&amp;amp;T and T-Mobile all slowed the speed of at least one video streaming service.&lt;/p&gt;

&lt;p&gt;The study follows the repeal of Federal Communications Commission rules, commonly referred to as net neutrality, which barred throttling and other preferential or detrimental treatment of certain internet traffic. &amp;nbsp;&lt;/p&gt;

&lt;p&gt;The letter from Sens. Ron Wyden, D-Ore., Edward Markey, D-Mass., and Richard Blumenthal, D-Conn., demands to know whether the services are throttling some traffic, how they determine which traffic to slow and if consumers are able to opt in or out of throttling.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;All online traffic should be treated equally, and internet service providers should not discriminate against particular content or applications for competitive advantage purposes or otherwise,&amp;rdquo; the senators wrote.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AI, We&amp;rsquo;re Halfway There&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The House Armed Services Committee on Wednesday named two top tech industry executives to the National Security Commission on Artificial Intelligence.&lt;/p&gt;

&lt;p&gt;The commission, created under the 2019 National Defense Authorization Act, will advise government leaders on the national security implications of artificial intelligence as the technology advances.&lt;/p&gt;

&lt;p&gt;Chairman Mac Thornberry, R-Texas, appointed former Alphabet Executive Chairman Eric Schmidt, and Ranking Member Adam Smith, D-Wash., selected Microsoft Research Labs Director Eric Horvitz to join the group. Schmidt also currently chairs the Defense Innovation Board.&lt;/p&gt;

&lt;p&gt;Senate Armed Services Chairman James Inhofe, R-Okla., and Ranking Member Jack Reed, D-R.I., will select the group&amp;rsquo;s final two commissioners. They have yet to announce their picks.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Spreading the Post-Equifax Goodies&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Credit ratings agencies would be required to notify small businesses about a breach of their information within 30 days, under a &lt;a href="https://www.rubio.senate.gov/public/_cache/files/3f8e94f3-823f-461c-83b1-20734f00537e/067AD9D74FE67A3BE951EDF1EB0B0D84.the-small-business-credit-protection-act-one-page.pdf"&gt;bill&lt;/a&gt; introduced Thursday by Sens. Marco Rubio, R-Fla., and John Kennedy, R-La.&lt;/p&gt;

&lt;p&gt;Congress extended similar protections to individuals after the breach at the credit ratings agency Equifax last year, which compromised information about roughly 45 percent of all Americans.&lt;/p&gt;

&lt;p&gt;Rubio and Kennedy&amp;rsquo;s bill also bars ratings agencies from charging small businesses for credit checks for six months after a breach.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;CISA Finally Here&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This week&amp;rsquo;s big cyber news came late Tuesday when the House &lt;a href="https://www.nextgov.com/cybersecurity/2018/11/congress-passes-long-sought-bill-rename-dhs-cyber-agency/152821/"&gt;passed&lt;/a&gt; a long-sought bill to rename the Homeland Security Department&amp;rsquo;s cyber division from the National Protection and Programs Directorate to the Cybersecurity and Infrastructure Security Agency.&lt;/p&gt;

&lt;p&gt;The Senate passed the bill in October and President Donald Trump signed it Friday.&lt;/p&gt;

&lt;p&gt;The division&amp;rsquo;s leader Chris Krebs has joked that the current name, often acronymized to NPPD, sounds like a &amp;ldquo;Soviet-era intelligence agency.&amp;rdquo; The bill also authorizes the Homeland Security Secretary to move the Federal Protective Service, which manages security for federal buildings, out of the cyber division to another agency.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Two Cyber Missions Beat as One&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Top lawmakers on the House Homeland Security and Armed Services Committees&amp;rsquo; cyber panels want the Defense Department to do more to help out the civilian government and critical infrastructure during major cyber strikes.&lt;/p&gt;

&lt;p&gt;During a joint hearing Wednesday, the chairs and ranking members of those committees &lt;a href="https://www.nextgov.com/cybersecurity/2018/11/dhs-and-pentagon-memo-details-future-cyber-cooperation/152854/"&gt;praised&lt;/a&gt; Pentagon preparations to assist the Homeland Security Department in advance of this month&amp;rsquo;s midterm elections. The departments have also signed a memorandum that&amp;rsquo;s not yet public outlining future cooperation, Homeland Security Assistant Secretary Jeanette Manfra told the lawmakers.&lt;/p&gt;

&lt;p&gt;Rep. Cedric Richmond, D-La., ranking Democrat on the Homeland Security panel, &lt;a href="https://twitter.com/Joseph_Marks_/status/1062803953606369283"&gt;urged&lt;/a&gt; more funding for the civilian department&amp;rsquo;s cyber mission, noting that the Pentagon receives roughly eight times as much cyber funding. Assistant Defense Secretary Kenneth Rapuano noted that much of that funding goes to the Pentagon&amp;rsquo;s offensive cyber mission.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Coming Up&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The House and Senate are both out next week for Thanksgiving, and you should probably take some time off as well.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>DHS Aims to ID Critical Functions to Protect from Cyberattacks by Year’s End</title><link>https://www.nextgov.com/cybersecurity/2018/11/dhs-aims-id-critical-functions-protect-cyberattacks-years-end/152909/</link><description>After the Homeland Security Department identifies the critical functions, it plans to map out all their dependencies.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Fri, 16 Nov 2018 17:44:26 -0500</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/11/dhs-aims-id-critical-functions-protect-cyberattacks-years-end/152909/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;The Homeland Security Department hopes to complete before the end of this year a list of the nation&amp;rsquo;s most vital functions that must be protected against cyberattacks, the department&amp;rsquo;s top cyber official said Friday.&lt;/p&gt;

&lt;p&gt;Once those &amp;ldquo;critical functions&amp;rdquo; are identified, Homeland Security will work with federal research facilities and other organizations to map out which of those functions are most vital and how they rely on each other, said Chris Krebs, director of Homeland Security&amp;rsquo;s&lt;a href="https://www.whitehouse.gov/briefings-statements/remarks-president-trump-signing-h-r-3359-cybersecurity-infrastructure-security-agency-act/"&gt; newly authorized&lt;/a&gt; Cybersecurity and Infrastructure Security Agency. &amp;nbsp;&lt;/p&gt;

&lt;p&gt;The broad goal for that&lt;a href="https://www.nextgov.com/cybersecurity/2018/11/new-dhs-cyber-center-meets-industry-id-most-valuable-assets/152512/"&gt; mapping process&lt;/a&gt; is to identify which sectors rely most heavily on a critical function and what the chain reaction would be if a function was compromised by a cyberattack, said Bob Kolasky, a Homeland Security official who&amp;rsquo;s leading the identification and mapping process.&lt;/p&gt;

&lt;p&gt;Kolasky cited the Global Positioning System as an example.&lt;/p&gt;

&lt;p&gt;Some sectors could continue functioning if GPS was compromised for a short period of time or had limited accuracy, Kolasky said. Other sectors, such as the financial sector, which relies on GPS to pinpoint when securities trades happen, need 100 percent accuracy.&lt;/p&gt;

&lt;p&gt;The mapping process will likely begin with the telecommunications, energy and finance sectors and other critical infrastructure sectors that are at greatest risk of enemy cyberattacks, Krebs said.&lt;/p&gt;

&lt;p&gt;Krebs and Kolasky spoke with reporters on the sidelines of a cybersecurity summit at the U.S. Chamber of Commerce.&lt;/p&gt;

&lt;p&gt;The identification and mapping of critical functions is a project of Homeland Security&amp;rsquo;s National Risk Management Center, which the department&lt;a href="https://www.nextgov.com/cybersecurity/2018/07/dhs-stands-new-cyber-risk-center-protect-high-value-targets/150179/"&gt; launched&lt;/a&gt; at a conference in New York in July with Kolasky as its leader.&lt;/p&gt;

&lt;p&gt;The goal is for the center to tackle longer-range cyber problems that are out of scope for Homeland Security&amp;rsquo;s cyber operations division.&lt;/p&gt;

&lt;p&gt;Homeland Security Secretary Kirstjen Nielsen and other officials described the Chamber of Commerce event Friday as a sort of three-month status check on the center&amp;rsquo;s work.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Government Contractors Face New Data Breach Disclosure and Investigation Requirements</title><link>https://www.nextgov.com/cybersecurity/2018/11/government-contractors-face-new-data-breach-disclosure-and-investigation-requirements/152864/</link><description>A planned rule would require contractors to save images of breached systems and allow agencies access.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Thu, 15 Nov 2018 15:28:32 -0500</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/11/government-contractors-face-new-data-breach-disclosure-and-investigation-requirements/152864/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;The government&amp;rsquo;s lead contracting agency plans to formalize how and when contractors are required to disclose data breaches and to mandate better government visibility into how serious those breaches are.&lt;/p&gt;

&lt;p&gt;The proposed rule will mandate that the General Services Administration and the agency that&amp;rsquo;s being served by the contract have access to breached contractor systems, according to a&lt;a href="https://s3.amazonaws.com/public-inspection.federalregister.gov/2018-24084.pdf?utm_campaign=pi%20subscription%20mailing%20list&amp;amp;utm_source=federalregister.gov&amp;amp;utm_medium=email#page=759"&gt; regulatory roadmap&lt;/a&gt; set to be published in Friday&amp;rsquo;s Federal Register.&lt;/p&gt;

&lt;p&gt;Contractors will also be required to preserve images of the affected systems for the government to review, the roadmap states.&lt;/p&gt;

&lt;p&gt;The proposed rule is scheduled to be published in February with a comment period that closes in April.&lt;/p&gt;

&lt;p&gt;Contractors have frequently been a weak point for federal cybersecurity efforts.&lt;/p&gt;

&lt;p&gt;In 2014,&lt;a href="https://www.nextgov.com/cybersecurity/2014/12/opm-alerts-feds-second-background-check-breach/101622/"&gt; for example&lt;/a&gt;, two separate contractor breaches exposed background check information about 48,000 and 25,000 government employees respectively. Those breaches were soon overshadowed by the massive Office of Personnel Management breach of more background checks on more than 20 million current and former federal employees and their families in 2015.&lt;/p&gt;

&lt;p&gt;In 2011, the contractor Science Applications International Corp.&lt;a href="https://www.nextgov.com/cio-briefing/2011/09/saic-medical-records-for-49-million-tricare-beneficiaries-were-stolen/49858/"&gt; lost track of&lt;/a&gt; health records about 4.9 million military health care beneficiaries when the records were stolen from an employee&amp;rsquo;s car.&lt;/p&gt;

&lt;p&gt;The cybersecurity firm BitSight found in a February report that over 8 percent of health-sector government contractors and 5.6 percent of aerospace and defense contractors had disclosed a data breach since January 2016.&lt;/p&gt;

&lt;p&gt;Contractor cybersecurity was generally significantly lower than federal agency cybersecurity, the BitSight report said.&lt;/p&gt;

&lt;p&gt;GSA&amp;rsquo;s proposed rule will also require contractors to disclose any data breach that compromises the &amp;ldquo;confidentiality, integrity, or availability&amp;rdquo; of data or information systems owned or managed on behalf of government agencies.&lt;/p&gt;

&lt;p&gt;Those requirements already exist but have not gone through a formal rulemaking process and aren&amp;rsquo;t consistently adhered to, according to the notice.&lt;/p&gt;

&lt;p&gt;The rule will also outline how the government will use and protect any proprietary information a contractor shares as part of a breach investigation, the notice states.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>DHS and Pentagon Memo Details Future Cyber Cooperation</title><link>https://www.nextgov.com/cybersecurity/2018/11/dhs-and-pentagon-memo-details-future-cyber-cooperation/152854/</link><description>The memorandum of understanding comes after the Defense Department prepared to help the Homeland Security Department repel Election Day cyberattacks.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Thu, 15 Nov 2018 11:20:08 -0500</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/11/dhs-and-pentagon-memo-details-future-cyber-cooperation/152854/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;The Pentagon and Homeland Security Department have established a memorandum of understanding that details how the departments will work together on cybersecurity in the future, a Homeland Security official confirmed Wednesday.&lt;/p&gt;

&lt;p&gt;That agreement &amp;ldquo;reflects the commitment of both departments in collaborating to improve the protection and defense of the U.S. homeland from strategic cyber threats,&amp;rdquo; according to written testimony from Homeland Security Assistant Secretary Jeanette Manfra.&lt;/p&gt;

&lt;p&gt;It also &amp;ldquo;clarifies roles and responsibilities between DOD and DHS to enhance U.S. government readiness to respond to cyber threats and establish coordinated lines of efforts to secure, protect, and defend the homeland,&amp;rdquo; according to the statement delivered to a joint hearing of the cyber panels of the House Homeland Security and Armed Services committees.&lt;/p&gt;

&lt;p&gt;A Homeland Security official confirmed the agreement is completed but did not provide additional details.&lt;/p&gt;

&lt;p&gt;Rep. Cedric Richmond, D-La., described the agreement in broad terms during the hearing. Richmond, who is the ranking Democrat on the Homeland Security panel, said he has not read the memorandum yet. &amp;nbsp;&lt;/p&gt;

&lt;p&gt;The civilian-military agreement comes as the government is trying to ramp up civilian and military cooperation in cyberspace, especially when it comes to protecting election systems and other critical infrastructure such as banks, hospitals and airports.&lt;/p&gt;

&lt;p&gt;In advance of last week&amp;rsquo;s midterm elections, 11 Pentagon cyber officials came over to Homeland Security&amp;rsquo;s cyber operations center as liaisons, Manfra told lawmakers during the hearing.&lt;/p&gt;

&lt;p&gt;Those liaison officers were there to pave the way for their colleagues in case an election cyber threat popped up that state and local officials couldn&amp;rsquo;t handle on their own with Homeland Security&amp;rsquo;s support and the military needed to help out, Manfra said.&lt;/p&gt;

&lt;p&gt;Though the departments were prepared, that threat didn&amp;rsquo;t materialize.&lt;/p&gt;

&lt;p&gt;Rep. Jim Langevin, D-R.I., the ranking member on the Armed Services panel, praised the Pentagon and Homeland Security for removing legal and bureaucratic barriers to cooperation in advance of the election.&lt;/p&gt;

&lt;p&gt;In the future, it will be critical for the two departments to work together on cyber threats, he said.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;While Congress has been abundantly clear about DHS&amp;rsquo; primacy in defending civilian networks in the United States, coordination, collaboration and information sharing with the DOD will be critical to the defense of the homeland,&amp;rdquo; he said.&lt;/p&gt;

&lt;p&gt;Congress officially &lt;a href="https://www.congress.gov/bill/115th-congress/house-bill/5515/text#toc-H7562C4ECBBA445DC95EE9A2C56FEB8EF"&gt;authorized&lt;/a&gt; the Defense Department to send those detailees to Homeland Security in August in a pilot program included in the most recent version of the National Defense Authorization Act.&lt;/p&gt;

&lt;p&gt;The mammoth policy bill also mandated other Defense Department efforts to help the civilian government and critical infrastructure providers, such as banks and hospitals, repel cyberattacks if called upon.&lt;/p&gt;

&lt;p&gt;The bill also mandated a study on whether to create cyber components in the military reserves that could assist states during a cyber emergency.&lt;/p&gt;

&lt;p&gt;Overall, in the months leading up to the election, Homeland Security, the Pentagon and FBI made more progress on sharing cyber threat information and developing a common cyber operations picture than in the previous&amp;nbsp;decade, Manfra told lawmakers.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Congress Passes Long-Sought Bill to Rename DHS Cyber Agency</title><link>https://www.nextgov.com/cybersecurity/2018/11/congress-passes-long-sought-bill-rename-dhs-cyber-agency/152821/</link><description>The National Protection and Programs Directorate will soon be called the Cybersecurity and Infrastructure Security Agency.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Wed, 14 Nov 2018 11:58:33 -0500</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/11/congress-passes-long-sought-bill-rename-dhs-cyber-agency/152821/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;The Homeland Security Department&amp;rsquo;s long-sought plan to have a cyber division with the word &amp;ldquo;cybersecurity&amp;rdquo; in its name was nearly fulfilled Tuesday evening when the House passed a bill approving the re-naming.&lt;/p&gt;

&lt;p&gt;The Senate passed the &lt;a href="https://www.congress.gov/bill/115th-congress/house-bill/3359/text"&gt;bill&lt;/a&gt; in October, so now it only awaits President Donald Trump&amp;rsquo;s signature. The House passed a Senate version of the bill by unanimous consent.&lt;/p&gt;

&lt;p&gt;The bill would take the clunkily-titled National Protection and Programs Directorate, or NPPD, and dub it the Cybersecurity and Information Security Agency, or CISA.&lt;/p&gt;

&lt;p&gt;Homeland Security is the lead cyber agency for the civilian government, but the department&amp;rsquo;s cyber officials have struggled under a name that doesn&amp;rsquo;t give a clear indication of what they do.&lt;/p&gt;

&lt;p&gt;Chris Krebs, the undersecretary who leads NPPD, has frequently joked that the current name sounds like a &amp;ldquo;Soviet-era intelligence agency.&amp;rdquo;&lt;/p&gt;

&lt;p&gt;Krebs also &lt;a href="https://www.nextgov.com/cybersecurity/2017/10/dhs-forms-election-security-task-force/141497/"&gt;described&lt;/a&gt; a 2017 meeting with top Puerto Rican officials after the island was devastated by Hurricane Maria during which officials were confused about who he was or why he was there. They later struggled to explain who he was in a press conference following the meeting, he said.&lt;/p&gt;

&lt;p&gt;By contrast, Homeland Security divisions such as the Transportation Security Administration and the Coast Guard make clear in their names precisely what they do, he said.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;Elevating the cybersecurity mission within the Department of Homeland Security, streamlining our operations, and giving NPPD a name that reflects what it actually does will help better secure the nation&amp;rsquo;s critical infrastructure and cyber platforms,&amp;rdquo; Krebs said in a statement after Tuesday&amp;rsquo;s House vote.&lt;/p&gt;

&lt;p&gt;Homeland Security Sec. Kirstjen Nielsen also praised passage of the bill, saying &amp;ldquo;we need to ensure we&amp;rsquo;re properly positioned to defend America&amp;rsquo;s infrastructure from threats digital and physical.&amp;rdquo;&lt;/p&gt;

&lt;p&gt;The renamed Cybersecurity and Infrastructure Security Agency will be responsible for overseeing the cybersecurity of federal computer systems and will be a government liaison on cybersecurity issues with critical infrastructure providers, such as banks, hospitals and airports.&lt;/p&gt;

&lt;p&gt;The bill that passed Tuesday also authorizes Homeland Security to transfer the Federal Protective Service, which is currently part of NPPD, to another location inside the department. The protective service is in charge of guarding federal facilities, devising security plans for those facilities and responding to threats or suspicious activities.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>OPM is Still Far Behind on Data Protection Three Years After Devastating Breach</title><link>https://www.nextgov.com/cybersecurity/2018/11/opm-still-far-behind-data-protection-three-years-after-devastating-breach/152804/</link><description>The agency hasn’t implemented one-third of an auditor’s cybersecurity recommendations.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Tue, 13 Nov 2018 18:48:25 -0500</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/11/opm-still-far-behind-data-protection-three-years-after-devastating-breach/152804/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;More than three years after suffering the most devastating cyber breach to date against civilian government networks, the Office of Personnel Management still hasn&amp;rsquo;t implemented about one-third of the recommendations from the government&amp;rsquo;s in-house auditor, a Tuesday report found.&lt;/p&gt;

&lt;p&gt;Un-implemented recommendations include regularly updating software to the latest version, encrypting passwords and ensuring administrators aren&amp;rsquo;t sharing account logins, according to the Government Accountability Office &lt;a href="https://www.gao.gov/products/GAO-19-143R?utm_campaign=usgao_email&amp;amp;utm_content=daybook&amp;amp;utm_medium=email&amp;amp;utm_source=govdelivery"&gt;report&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;In some cases, OPM still hasn&amp;rsquo;t reset passwords that were used before the breach, the report found.&lt;/p&gt;

&lt;p&gt;The OPM breach compromised sensitive security clearance information about more than 20 million current and former federal employees and their families plus a smaller amount of fingerprint data.&lt;/p&gt;

&lt;p&gt;Overall, OPM has implemented 51 of the Accountability Office&amp;rsquo;s 80 recommendations, or about 64 percent. Some of those implemented recommendations include strengthening firewalls, enforcing password policies and updating contingency plans for the especially vital system, the report states.&lt;/p&gt;

&lt;p&gt;Of the 29 remaining recommendations, OPM plans to implement 25 before the end of 2018 plus three more before October 2019, the agency&amp;rsquo;s chief information officer told the Accountability Office.&lt;/p&gt;

&lt;p&gt;OPM does not plan to implement a final recommendation focused on putting security controls on contractors&amp;rsquo; workstations, the report states. The office believes it has other security controls that compensate for that one, GAO said.&lt;/p&gt;

&lt;p&gt;The GAO report comes just days after OPM&amp;rsquo;s own inspector general &lt;a href="https://www.opm.gov/our-inspector-general/reports/2018/federal-information-security-modernization-act-audit-fiscal-year-2018.pdf"&gt;found&lt;/a&gt; &amp;ldquo;material weakness&amp;rdquo; in the agency&amp;rsquo;s information security program, citing a lack of information technology resources and &amp;ldquo;the agency&amp;rsquo;s culture of minimizing the role of the chief information officer.&amp;rdquo;&lt;/p&gt;

&lt;p&gt;The inspector general also noted a &amp;ldquo;significant deficiency&amp;rdquo; in OPM&amp;rsquo;s IT security controls, noting that all the agency&amp;rsquo;s IT systems had valid security assessments and authorizations but some of those assessments and authorizations included low-quality work and questionable supporting documentation.&lt;/p&gt;

&lt;p&gt;A federal appeals court is &lt;a href="https://www.govexec.com/pay-benefits/2018/11/judge-says-govt-faces-uphill-battle-prove-opm-hack-victims-dont-have-standing-sue/152532/"&gt;currently considering&lt;/a&gt; whether to reinstate a lawsuit brought by two federal employee unions over OPM&amp;rsquo;s data breach. That suit was scrapped at the federal district court level when a judge ruled the plaintiffs didn&amp;rsquo;t have standing to sue because they hadn&amp;rsquo;t suffered any clear harm.&lt;/p&gt;

&lt;p&gt;Chinese government-linked hackers are widely believed responsible for the 2015 OPM breach but U.S. officials have never formally accused the Chinese government of being responsible for the breach. There&amp;rsquo;s no clear evidence that data stolen in the breach has ever been released on the dark web or used to conduct identity theft.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Pentagon Researchers Test 'Worst-Case Scenario' Attack on U.S. Power Grid</title><link>https://www.nextgov.com/cybersecurity/2018/11/pentagon-researchers-test-worst-case-scenario-attack-us-power-grid/152803/</link><description>Over 100 people gathered off the tip of Long Island this month to roleplay a cyberattack that takes out the U.S. electric grid for weeks on end.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Tue, 13 Nov 2018 17:00:17 -0500</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/11/pentagon-researchers-test-worst-case-scenario-attack-us-power-grid/152803/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;Plum Island, N.Y. &amp;ndash; The team of grid operators had spent days restoring power when a digital strike took out one of two operational utility stations. The other utility was also under attack.&lt;/p&gt;

&lt;p&gt;A month had passed since all power in the region was taken down by a devastating cyberattack. It had been a grueling six days restoring power across two electrical utilities and to the building deemed a critical national asset by the Secretary of Energy.&lt;/p&gt;

&lt;p&gt;The cyber strike hadn&amp;rsquo;t forced the team back to zero, but it wasn&amp;rsquo;t far from it.&lt;/p&gt;

&lt;p&gt;Just moments ago, the two electric utilities had been working in concert, delivering reliable and redundant power to the critical asset. Now one utility was down for the count and the other was under attack.&lt;/p&gt;

&lt;p&gt;The grid operators&amp;rsquo; only chance to restore power to the asset would be to route it, substation by substation, from the utility that was still operating. The team of cybersecurity researchers assisting the grid operators would have to use every piece of technology and know-how they had to ensure that utility stayed powered up, trustworthy and malware-free.&lt;/p&gt;

&lt;p&gt;The Defense Advanced Research Projects Agency exercise, which took place from Nov. 1 to Nov. 7, was fictional, but it was designed to mimic all the hurdles and uncertainty of a real-world cyberattack that took out power across the nation for weeks on end&amp;ndash;a scenario known as a &amp;ldquo;black start.&amp;rdquo;&lt;/p&gt;

&lt;p&gt;To add realism, the exercise took place on Plum Island, a federal research facility off the north fork of Long Island, where DARPA researchers were able to segregate a portion of the island on its own electric grid.&lt;/p&gt;

&lt;p&gt;Over the course of the seven-day exercise, more than 100 people gathered on the island, filling every necessary role to mimic an actual black start.&lt;/p&gt;

&lt;p&gt;At the center of the exercise was a team of grid operators from electric utilities across the nation, which was in charge of restoring and sustaining power.&lt;/p&gt;

&lt;p&gt;At its most basic level, their job involved creating initial power transmissions at both utilities using a diesel generator, then building cyber-secure &amp;ldquo;crank paths&amp;rdquo; through a series of electric substations that would increase the transmissions&amp;rsquo; voltage until they were capable of powering the two utilities and delivering redundant power to the exercise&amp;rsquo;s critical asset.&lt;/p&gt;

&lt;p&gt;Meanwhile, another team of DARPA-funded cyber researchers from seven different industry groups used custom built technology to keep the grid operators&amp;rsquo; efforts protected from cyber adversaries.&lt;/p&gt;

&lt;p&gt;A third DARPA-funded team took the role of the cyber adversaries, throwing a wrench into the good guys&amp;rsquo; efforts every time they seemed to be getting ahead.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;We have a bunch of things that try to make this as painful as possible for everyone,&amp;rdquo; project leader Walter Weiss told reporters on a rainy Tuesday, the sixth day of the exercise. &amp;ldquo;How do you actually keep the smartest people in the world busy for a week? That takes effort.&amp;rdquo;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Try, Try Again&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The Plum Island exercise is the fourth black start exercise led by DARPA&amp;rsquo;s Rapid Attack Detection, Isolation and Characterization Systems, or RADICS, program, which Weiss leads. The first two exercises were conducted in research labs. The third one took place on Plum Island but on a smaller scale and without public observers.&lt;/p&gt;

&lt;p&gt;DARPA plans to continue the exercises every six months until the RADICS program expires in 2020, Weiss said. After that, hopefully, the project will continue under the Energy Department or another federal agency, he said.&lt;/p&gt;

&lt;p&gt;The RADICS exercise doubled as the second phase of an Energy Department exercise called Liberty Eclipse. The first phase of that exercise, which took place in October, was a tabletop exercise during which government and industry officials game planned policy options after a massive cyberattack against the grid.&lt;/p&gt;

&lt;p&gt;That exercise ended with the fictional president declaring a grid emergency and the energy secretary using a power &lt;a href="https://www.federalregister.gov/documents/2018/01/10/2018-00259/grid-security-emergency-orders-procedures-for-issuance"&gt;first formalized&lt;/a&gt; earlier this year to issue emergency orders to get the grid back up and running.&lt;/p&gt;

&lt;p&gt;One of those orders&amp;mdash;to get redundant power to the critical asset on Plum Island&amp;mdash;marked the beginning of the on-island exercise this month.&lt;/p&gt;

&lt;p&gt;While Weiss and project organizers pushed for realism in the exercise, they kept some details vague. The utilities were dubbed simply Utility A and Utility B. The scenario doesn&amp;rsquo;t name the U.S. adversary that launched the grid-crippling cyberattack. Nor does it identify the &amp;ldquo;critical asset&amp;rdquo; that grid operators must keep running.&lt;/p&gt;

&lt;p&gt;In a real-world attack, that critical asset might be a hospital, a military base or any other building that&amp;rsquo;s critical for the nation&amp;rsquo;s functioning during an emergency.&lt;/p&gt;

&lt;p&gt;In the exercise, the asset was an aged brick building outfitted, on an upper level, with five multi-colored &lt;a href="https://www.youtube.com/watch?v=rkg9ov-2N4g"&gt;air dancers&lt;/a&gt;&amp;mdash;the colorful, fan-powered, headbanging nylon tubes that often adorn car dealerships and cellphone stores.&lt;/p&gt;

&lt;p&gt;Weiss described the air dancers as &amp;ldquo;high visibility power indicators.&amp;rdquo; When the asset was receiving power, the dancers would do their thing and the grid operators, observing from a distance, could breathe easy. If the dancers started slouching, they knew something was wrong.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A Very Particular Set of Tools&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The cyber researchers, who hailed from the National Rural Electric Cooperative Association, BAE Systems, Perspecta Labs and elsewhere, brought three main types of technology to the DARPA exercise:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Tools that provide situational awareness about what portions of the grid cyberattackers had infected with malware and which parts remained secure.&lt;/li&gt;
	&lt;li&gt;Tools that isolated healthy parts of the grid so they couldn&amp;rsquo;t be infected.&lt;/li&gt;
	&lt;li&gt;Tools that assessed and diagnosed the nature of the cyberattack that brought the grid down.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The researchers&amp;#39; primary focus was testing, communicating about and bypassing infected parts of the power grid without creating any digital connections that could carry malware infections into the tools themselves or into post-attack portions of the grid.&lt;/p&gt;

&lt;p&gt;Their situational awareness tools, for example, ignored digital signals from the grid and relied on basic physics tests that are impossible to hack. Their cellphones and other communications systems operated on local networks that were segregated from the internet and broader telecom networks.&lt;/p&gt;

&lt;p&gt;The goal wasn&amp;rsquo;t for the tools to compete against each other, Weiss said, but to test how effectively researchers and grid operators could use the tools after a truly devastating cyberattack.&lt;/p&gt;

&lt;p&gt;In some cases, the tools didn&amp;rsquo;t perform as planned. In other cases, they worked well, but didn&amp;rsquo;t provide information in a format that was most useful to grid operators, Weiss said. That&amp;rsquo;s feedback the teams can use to rejigger their tools for the next exercise in six months, he said.&lt;/p&gt;

&lt;p&gt;In other cases, the tools worked but were stymied by other factors that might also affect a real-world grid attack.&lt;/p&gt;

&lt;p&gt;Researchers readied a weather balloon, for example, that could fly 500 feet above the island and detect acoustic hum and other indicators of where electricity was and wasn&amp;rsquo;t flowing properly. When reporters visited on the sixth day of the exercise, however, the balloon was grounded by persistent rain.&lt;/p&gt;

&lt;p&gt;Earlier in the exercise, researchers spent an entire day chasing what they believed was a red team cyberattack but was actually just an anomaly in grid operations, Weiss said.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;It was just a giant false positive for a day,&amp;rdquo; he said. &amp;ldquo;If you take a bunch of researchers and stick them on an island like this, they&amp;rsquo;re going to get pretty paranoid.&amp;rdquo;&lt;/p&gt;

&lt;p&gt;Finally, many times the tools worked effectively but needed the researchers, who were based in nearby Orient Point, Long Island, to go out and tinker with them or to help the grid operators troubleshoot, Weiss said.&lt;/p&gt;

&lt;p&gt;In the exercise, that meant a delay of an hour or two while researchers waited for the next ferry to the island and made their way to the utility or substation. In a real-world black start, however, that could mean a wait of days or more while a too-small cadre of harried cyber experts zipped from place to place.&lt;/p&gt;

&lt;p&gt;Weiss&amp;rsquo;s challenge for the cyber researchers, he said, is that their tools should be so user-friendly by the final exercise in 2020 that grid operators&amp;mdash;or anyone else without specialized cyber training&amp;mdash;will be able to use them to re-establish power by simply reading a manual.&lt;/p&gt;

&lt;p&gt;In a real-world grid attack, for example, National Guard units might be deployed to re-establish power to specific assets or to restart power in specific sectors, Weiss said.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;And There Was Light&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;By the end of the seventh day, despite ongoing ransomware and other cyberattacks and the loss of power at Utility B, grid operators were able to re-establish power at the critical asset, Weiss told &lt;em&gt;Nextgov&lt;/em&gt; in an email after the exercise.&lt;/p&gt;

&lt;p&gt;DARPA&amp;rsquo;s main research focus for the exercise wasn&amp;rsquo;t the grid operators&amp;rsquo; success or failure, however, but how well the tools withstood various impediments and assaults by the red team of cyberattackers, Weiss said.&lt;/p&gt;

&lt;p&gt;If the grid operators and cyber researchers were over-performing, the red team would automatically throw something more difficult at them, Weiss said. That meant the grid operators were nearly foreordained to meet their goal by a whisker&amp;rsquo;s margin.&lt;/p&gt;

&lt;p&gt;The red team socked away about 10 days of mischief for the seven-day exercise, Weiss said, so it could match the grid operators&amp;rsquo; and researchers&amp;rsquo; best work and still have something left over for the next exercise in six months.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;Our goal is to be dynamic,&amp;rdquo; he said. &amp;ldquo;We don&amp;rsquo;t want them to be perfect. We want to find the limits of the tools. We&amp;rsquo;re driving them to a point where we see how far they can get and then we beat them back down.&amp;rdquo;&lt;/p&gt;

&lt;p&gt;That may sound sadistic, but it mirrors what grid operators and their cyber helpers are likely to face in a real-world massive attack by a U.S. adversary.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;If you look at advanced persistent threats, they get more tools, they don&amp;rsquo;t get less,&amp;rdquo; Weiss said, using a common phrase for highly skilled nation-state-backed hacking teams from Russia, China, Iran and elsewhere.&lt;/p&gt;

&lt;p&gt;If the tools can withstand that sort of battering, Weiss said that means they can be useful in less extreme situations.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;We exercise with that absolute worst-case scenario where everything&amp;rsquo;s gone wrong, everything&amp;rsquo;s failed for a month and ask how are our tools still relevant,&amp;rdquo; Weiss said. &amp;ldquo;If we can prove a tool works when everything else is broken, that gives us more confidence.&amp;rdquo;&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>A New Congress Brings New Tech Priorities and Increased Oversight</title><link>https://www.nextgov.com/digital-government/2018/11/new-congress-brings-new-tech-priorities-and-increased-oversight/152735/</link><description>The midterm elections also left a big cyber vacancy on the Senate Homeland Security Committee.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks and Jack Corrigan</dc:creator><pubDate>Mon, 12 Nov 2018 05:00:00 -0500</pubDate><guid>https://www.nextgov.com/digital-government/2018/11/new-congress-brings-new-tech-priorities-and-increased-oversight/152735/</guid><category>Digital Government</category><content:encoded>&lt;![CDATA[&lt;p&gt;Democrats&amp;rsquo; House takeover and shifts in the Senate landscape are bound to shift Congress&amp;rsquo;s tech and cyber policies. Here&amp;rsquo;s a rundown.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Pushing on Privacy&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;For starters, you can expect the debate over online privacy to grow louder in the coming months, &lt;a href="https://www.nextgov.com/policy/2018/11/white-house-expects-hold-steady-tech-policies-despite-house-flip/152691/"&gt;according to&lt;/a&gt; Rep. Ro Khanna, D-Calif. Khanna listed personal privacy and data security among the party&amp;rsquo;s top tech priorities at a &lt;em&gt;Washington Post&lt;/em&gt; event on Thursday. Rep. Frank Pallone, D-N.J., separately indicated privacy could become a key issue for the House Energy and Commerce Committee in the upcoming congressional term.&lt;/p&gt;

&lt;p&gt;Democrats will also push to expand internet access to more Americans, retrain the workforce for the digital economy and reverse the Federal Communications Commission&amp;rsquo;s decision to repeal net neutrality regulations, Khanna said.&lt;/p&gt;

&lt;p&gt;However, the White House doesn&amp;rsquo;t expect the Democratic House takeover to affect its tech agenda, Chris Liddell, White House deputy chief of staff for policy coordination, said. The administration plans to continue its efforts to modernize federal IT and drive innovation by keeping regulators away from the tech sector, Liddell said.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Don&amp;rsquo;t Overlook Oversight&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;It remains unclear exactly how Democrats&amp;rsquo; agenda will play out on the House Oversight Committee, which monitors federal contracting and IT issues.&lt;/p&gt;

&lt;p&gt;Rep. Elijah Cummings, D-Md., is widely expected to take over the investigative body, and Reps. Robin Kelly, D-Ill., and Gerry Connolly, D-Va., have been floated as potential chairs for the IT and Government Operations subcommittees. Kelly &lt;a href="https://www.nextgov.com/policy/2018/11/how-midterms-shake-tech-oversight/152657/"&gt;told &lt;em&gt;Nextgov&lt;/em&gt;&lt;/a&gt; she hopes to focus on workforce retraining programs and accelerating government&amp;rsquo;s adoption of emerging technologies. Connolly said he expects the committee to increase pressure on agencies to comply with the Federal IT Acquisition Reform Act and to be an advocate for the federal workforce.&lt;/p&gt;

&lt;p&gt;Elsewhere in Congress, lawmakers have pledged investigations into White House digital security vulnerabilities, including the president&amp;rsquo;s &lt;a href="https://lieu.house.gov/media-center/in-the-news/congressman-calls-investigation-trump-refuses-give-his-android-phone"&gt;alleged use&lt;/a&gt; of an unsecured smartphone.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A Homeland Vacancy&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Sen. Claire McCaskill, D-Mo., was among the red state Senate Democrats ousted in Tuesday&amp;rsquo;s elections, leaving a vacancy for ranking member on the Senate Homeland Security Committee.&lt;/p&gt;

&lt;p&gt;McCaskill frequently pushed the committee on cybersecurity issues, including election security. She&amp;rsquo;s also the main sponsor of a &lt;a href="https://www.congress.gov/bill/115th-congress/senate-bill/3085"&gt;bill&lt;/a&gt; that would give the Homeland Security Department increased authority to protect federal supply chains from cyber threats.&lt;/p&gt;

&lt;p&gt;There&amp;rsquo;s no clear candidate to replace McCaskill as the committee&amp;rsquo;s top Democrat yet. Members Maggie Hassan, D-N.H., and Gary Peters, D-Mich., have also shown strong interest in cyber topics. Member Heidi Heitkamp, D-N.D., also lost her seat Tuesday.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Here&amp;rsquo;s a Big Idea&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Here&amp;rsquo;s a big idea for House Democrats to consider as they take control of the people&amp;rsquo;s chamber: How about a congressional digital service that&amp;rsquo;s modeled after the General Services Administration&amp;rsquo;s internal tech startup 18F and that launches technical fixes that improve constituent services.&lt;/p&gt;

&lt;p&gt;That&amp;rsquo;s one of several dozen recommendations in the Demand Progress think tank&amp;rsquo;s &amp;ldquo;&lt;a href="https://www.getthehouseinorder.com/"&gt;Get the House in Order&lt;/a&gt;&amp;rdquo; report that went online recently.&lt;/p&gt;

&lt;p&gt;Other recommendations include ramping up cybersecurity training for lawmakers and House staffers, appointing a chief transparency officer or ombudsman and developing digital tools to assist the amendment process.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;First Principles&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The U.S. needs to surge cyber cooperation between the public and private sectors and dramatically ramp up cyber education and training in order to prepare for an era of advanced cyber conflict, according to a trio of recommendations from Rep. Will Hurd, R-Texas, and a slate of advisers to the Aspen Institute&amp;rsquo;s Cyber Strategy Group, released Thursday.&lt;/p&gt;

&lt;p&gt;The group&amp;rsquo;s most involved recommendation is a set of &amp;ldquo;&lt;a href="https://assets.aspeninstitute.org/content/uploads/2018/11/Aspen-Cybersecurity-Group-IoT-Security-First-Principles.pdf?_ga=2.125451010.923666234.1541793389-266406949.1541793389"&gt;first principles&lt;/a&gt;&amp;rdquo; for securing internet-connected devices. Those first principles include that security should be &amp;ldquo;baked in&amp;rdquo; to Internet of Things products, that consumers should be able to update devices&amp;rsquo; software to install patches and that vendors should be transparent about connected devices&amp;rsquo; security and privacy protections.&lt;/p&gt;

&lt;p&gt;Hurd co-chairs the Aspen &lt;a href="https://www.aspeninstitute.org/team/aspen-cyber-group/"&gt;group&lt;/a&gt; with Lisa Monaco, who was homeland security adviser to President Obama. The group also includes House Intelligence Committee ranking member Adam Schiff, D-Calif., as well as former Intelligence Chairman Mike Rogers, a Michigan Republican, and former committee member Jane Harman, a California Democrat.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Coming Up&lt;/strong&gt;:&lt;/p&gt;

&lt;p&gt;Congress will be back in session this week with a couple of tech-and-cyber-focused hearings on the docket.&lt;/p&gt;

&lt;p&gt;At 10 a.m. on Wednesday, the House Veterans Affairs Technology Modernization Subcommittee &lt;a href="https://veterans.house.gov/calendar/eventsingle.aspx?EventID=2258"&gt;will check in&lt;/a&gt; on the Veterans Affairs Department&amp;rsquo;s electronic health records overhaul.&lt;/p&gt;

&lt;p&gt;At 3 p.m., the House Homeland Security Subcommittee on Emerging Threats and Capabilities &lt;a href="https://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=108754"&gt;will discuss&lt;/a&gt; ways to coordinate the Defense and Homeland Security departments&amp;rsquo; cyber efforts.&lt;/p&gt;

&lt;p&gt;Also at 3 p.m., the Senate Armed Services Committee &lt;a href="https://www.armed-services.senate.gov/hearings/18-11-14-department-of-defenses-cybersecurity-acquisition-and-practices-from-the-private-sector"&gt;will ponder&lt;/a&gt; private sector cyber acquisition practices.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>National Science Foundation Seeks Feedback on Major Cyber Research Priorities Update</title><link>https://www.nextgov.com/emerging-tech/2018/11/national-science-foundation-seeks-feedback-major-cyber-research-priorities-update/152716/</link><description>The previous version of the plan focused on incentivizing private sector research and expanding diversity in the cyber workforce.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Fri, 09 Nov 2018 13:44:44 -0500</pubDate><guid>https://www.nextgov.com/emerging-tech/2018/11/national-science-foundation-seeks-feedback-major-cyber-research-priorities-update/152716/</guid><category>Emerging Tech</category><content:encoded>&lt;![CDATA[&lt;p&gt;The National Science Foundation and other science agencies are launching a major rewrite of the government&amp;rsquo;s cybersecurity research and development plan, according to a Federal Register notice that&amp;rsquo;s scheduled to be published on Tuesday.&lt;/p&gt;

&lt;p&gt;In advance of the rewrite, which will be completed in 2019, the National Science Foundation is seeking public and industry feedback on new technologies that could improve the &amp;ldquo;security, reliability, resiliency, and trustworthiness of the digital infrastructure,&amp;rdquo; according to the &lt;a href="https://s3.amazonaws.com/public-inspection.federalregister.gov/2018-24668.pdf?utm_campaign=pi%20subscription%20mailing%20list&amp;amp;utm_source=federalregister.gov&amp;amp;utm_medium=email"&gt;notice&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The foundation is also interested in changes the nation should make in cyber training, education and workforce development to prepare for the impact on cybersecurity of new technologies, such as quantum computing and artificial intelligence, the notice states.&lt;/p&gt;

&lt;p&gt;The National Science Foundation is managing the rewrite on behalf of the National Science and Technology Council, which includes federal cabinet secretaries and agency leaders with significant science and technology responsibilities.&lt;/p&gt;

&lt;p&gt;The document will be an update of a 2016 cybersecurity research and development&lt;a href="https://www.nitrd.gov/pubs/2016-Federal-Cybersecurity-Research-and-Development-Strategic-Plan.pdf"&gt; strategic plan&lt;/a&gt;, which was mandated by 2014 legislation. That plan focused on near- and medium-term efforts to improve U.S. cyber protections and to reduce adversaries&amp;rsquo; asymmetric advantages in cyberspace.&lt;/p&gt;

&lt;p&gt;The 2016 report included a long-term goal of efficiently deterring adversary cyber strikes and consistently attributing those attacks.&lt;/p&gt;

&lt;p&gt;The report&amp;rsquo;s recommendations included incentivizing the private sector to cooperate with federal agencies on cyber research and speeding the process for private companies to commercialize cyber technology developed through federal grants and other funding.&lt;/p&gt;

&lt;p&gt;The report also urged efforts to expand the federal workforce, including incentivizing more women and minorities to enter the field.&lt;/p&gt;

&lt;p&gt;In the upcoming Federal Register notice, the Science Foundation also asks about progress since the 2016 plan, areas that should receive less focus in the rewrite and new priorities that have emerged since 2016.&lt;/p&gt;

&lt;p&gt;The Science Foundation announcement comes less than two months after the Trump administration&lt;a href="https://www.nextgov.com/cybersecurity/2018/09/us-go-offense-cyberspace-bolton-says/151440/"&gt; released&lt;/a&gt; its&lt;a href="https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf"&gt; National Cyber Strategy&lt;/a&gt;, which calls for prioritizing cybersecurity research and development efforts.&lt;/p&gt;

&lt;p&gt;It also comes as a Homeland Security Department advisory committee is finalizing its&lt;a href="https://www.dhs.gov/sites/default/files/publications/DRAFT_NSTAC_ReportToThePresidentOnACybersecurityMoonshot_508c.pdf"&gt; &amp;ldquo;moonshot&amp;rdquo; report&lt;/a&gt;, which calls for a &amp;ldquo;concerted national research and product development strategy&amp;rdquo; to advance artificial intelligence, quantum computing and other technologies that can help dramatically advance the nation&amp;rsquo;s cybersecurity.&lt;/p&gt;

&lt;p&gt;The deadline for feedback is Jan. 15.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>DHS Wants to Expand the Reach of Its Critical Infrastructure Cyber Training</title><link>https://www.nextgov.com/cybersecurity/2018/11/dhs-wants-expand-reach-its-critical-infrastructure-cyber-training/152671/</link><description>The department wants to be able to provide cyber training webinars to 5,000 simultaneous users.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Thu, 08 Nov 2018 11:07:19 -0500</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/11/dhs-wants-expand-reach-its-critical-infrastructure-cyber-training/152671/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;The Homeland Security Department wants to surge its ability to train critical infrastructure owners and operators on cybersecurity, according to a contracting document released Wednesday.&lt;/p&gt;

&lt;p&gt;The department is seeking a video conferencing service that it can use to provide cybersecurity webinars to 5,000 or more critical infrastructure operators simultaneously, according to the&lt;a href="https://www.fbo.gov/index.php?s=opportunity&amp;amp;mode=form&amp;amp;id=5f42ca186f25aaf35d4871edcb98b561&amp;amp;tab=core&amp;amp;_cview=0"&gt; contracting document&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The term critical infrastructure refers to 16 sectors the government has determined are vital to the nation&amp;rsquo;s successful operation. They include hospitals, banks, energy plants, dams and transportation hubs such as airports and train stations.&lt;/p&gt;

&lt;p&gt;The department officially designated election infrastructure, such as voting machines and voter rolls, critical infrastructure in January 2017, after Russian efforts to breach those systems during the 2016 elections.&lt;/p&gt;

&lt;p&gt;Homeland Security already provides training webinars on a variety of cyber topics to critical infrastructure owners as well as to state and local governments using the Adobe Connect tool, but the current system can&amp;rsquo;t serve more than 500 simultaneous attendees, the contracting document states.&lt;/p&gt;

&lt;p&gt;The document is a request for information, which means Homeland Security wants to know what companies have to offer but isn&amp;rsquo;t committed to purchasing anything yet.&lt;/p&gt;

&lt;p&gt;The division managing the prospective contract, Homeland Security&amp;rsquo;s partnership and engagement branch, is also tasked with part of the department&amp;rsquo;s outreach to election operators.&lt;/p&gt;

&lt;p&gt;Homeland Security&lt;a href="https://www.nextgov.com/cybersecurity/2018/11/dhs-officials-election-system-cyberattack-claims-are-garbage-still-damaging/152604/"&gt; did not spot&lt;/a&gt; any significant digital efforts to undermine midterm election votes Tuesday. The department&amp;rsquo;s top cybersecurity and infrastructure security official Chris Krebs has warned that Russia and other nations may be holding their best efforts until the 2020 presidential contest.&lt;/p&gt;

&lt;p&gt;In addition to webinars and other training, Homeland Security offers election operators and other critical infrastructure providers numerous other cyber services. Those include penetration testing and security reviews and sensor networks that can spot nefarious efforts to access a computer system.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>NIST Wants to Make PIV Cards Work for Smartphones in Two Years</title><link>https://www.nextgov.com/cybersecurity/2018/11/nist-wants-make-piv-cards-work-smartphones-two-years/152603/</link><description>The effort mirrors a Pentagon plan to improve identity verification on mobile devices.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Tue, 06 Nov 2018 10:48:25 -0500</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/11/nist-wants-make-piv-cards-work-smartphones-two-years/152603/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;The government&amp;rsquo;s cybersecurity standards agency will launch a process this year to make it easier to verify government employees&amp;rsquo; identities when they access government data on mobile devices.&lt;/p&gt;

&lt;p&gt;The updated standards for civilian government personal identity verification, or PIV, cards will focus on using the PIV card as a launching point for verifying identity on smartphones and other devices that are far afield from the desktop computers PIV cards were first used for in the early 2000s, said Matthew Scholl, division chief of the computer security division at the Commerce Department&amp;rsquo;s National Institute of Standards and Technology.&lt;/p&gt;

&lt;p&gt;For example, an employee might use a PIV card to access information on a government computer and then use a special credential from the PIV card to authorize access to that information on a mobile device, Scholl told reporters after a NIST advisory board meeting Friday.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;You can&amp;rsquo;t stick a PIV card into this thing,&amp;rdquo; Scholl said, gesturing to a smartphone&amp;rsquo;s power and headphone outlet. &amp;ldquo;So how do we get a similarly strong identity credential but on a form factor that&amp;rsquo;s not PIV-friendly?&amp;rdquo;&lt;/p&gt;

&lt;p&gt;The project, which will launch this year, was sparked in part by a major White House&lt;a href="https://www.nextgov.com/cybersecurity/2018/04/white-house-government-identity-verification-tools-arent-meeting-threat/147251/"&gt; directive&lt;/a&gt; in April that required federal agencies to update how they verify employees&amp;rsquo; identities, Scholl said.&lt;/p&gt;

&lt;p&gt;That order required agencies to update their identity verification practices to match the current cyber threat from nation-state and criminal hackers and to make identity verification programs more adaptable to new and improved consumer software.&lt;/p&gt;

&lt;p&gt;The project could last two years or longer before NIST issues updated standards, Scholl said.&lt;/p&gt;

&lt;p&gt;NIST is working closely with the Pentagon, which is in the process of updating its own version of PIV, the common access card, or CAC card, Scholl said.&lt;/p&gt;

&lt;p&gt;The Defense Information Systems Agency is also on a two-year schedule and hopes to integrate CAC credentials directly into smartphones, Steve Wallace, a technical director,&lt;a href="https://www.nextgov.com/emerging-tech/2018/05/pentagon-has-big-plan-solve-identity-verification-two-years/148263/"&gt; said&lt;/a&gt; in May.&lt;/p&gt;

&lt;p&gt;DISA is considering looking at using characteristics that are unique to individuals to verify identity, such as the hand pressure and wrist tension when the person holds a smartphone and the person&amp;rsquo;s peculiar gait while walking, Wallace said.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>NIST Teams Up with IBM’s Watson to Rate How Dangerous Computer Bugs Are</title><link>https://www.nextgov.com/artificial-intelligence/2018/11/nist-teams-ibms-watson-rate-how-dangerous-computer-bugs-are/152545/</link><description>The artificial intelligence program will replace tedious work done by human analysts.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Fri, 02 Nov 2018 16:38:33 -0400</pubDate><guid>https://www.nextgov.com/artificial-intelligence/2018/11/nist-teams-ibms-watson-rate-how-dangerous-computer-bugs-are/152545/</guid><category>Artificial Intelligence</category><content:encoded>&lt;![CDATA[&lt;p&gt;The government&amp;rsquo;s cyber standards agency wants to start using artificial intelligence to gauge just how dangerous publicly reported computer bugs are, a top official said Friday.&lt;/p&gt;

&lt;p&gt;The AI system, which will replace the work of numerous human analysts, should be assigning risk scores to most publicly reported computer bugs by October 2019, Matthew Scholl, chief of the National Institute of Standards and Technology&amp;rsquo;s computer security division, said.&lt;/p&gt;

&lt;p&gt;Right now, human analysts at NIST work laboriously through thousands of computer vulnerabilities each week and assign each one a severity score.&lt;/p&gt;

&lt;p&gt;Vulnerabilities that hackers can exploit remotely, for example, will be scored higher than ones that require the hacker to have physical access to a laptop, phone or other internet-connected device.&lt;/p&gt;

&lt;p&gt;Companies use those scores, known as Common Vulnerability Scoring System scores, or CVSSes, to determine which bugs they should patch immediately and which ones can wait awhile.&lt;/p&gt;

&lt;p&gt;NIST&amp;rsquo;s CVSS system worked well when companies and ethical hackers were only reporting a couple hundred vulnerabilities each week. The number of vulnerabilities reported to the Common Vulnerabilities and Exposures, or CVE, database has ballooned in recent years, however, to several thousand each week.&lt;/p&gt;

&lt;p&gt;That&amp;rsquo;s putting an extra burden on NIST analysts who spend 5 to 10 minutes scoring simple vulnerabilities and far longer on complex or novel ones, Scholl told reporters after a NIST advisory board meeting.&lt;/p&gt;

&lt;p&gt;The number of weekly vulnerabilities is likely to grow even larger in coming years as more devices, such as cars, radios, thermostats and even vacuums, connect to the internet.&lt;/p&gt;

&lt;p&gt;Earlier this year, NIST launched a pilot program using IBM&amp;rsquo;s Watson artificial intelligence system to pore through hundreds of thousands of historical CVSS scores from the institute&amp;rsquo;s human analysts, Scholl said.&lt;/p&gt;

&lt;p&gt;Watson then used that data to assign scores to new vulnerabilities.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;We started it just to get familiar with AI, so we could get our hands on it, learn about it, kind of put it in a lab and experiment,&amp;rdquo; Scholl said. &amp;ldquo;As we were doing it with this dataset we said: &amp;lsquo;Hey, this seems to be putting out results the same as our analysts are putting out.&amp;rsquo;&amp;rdquo;&lt;/p&gt;

&lt;p&gt;That success comes with one caveat, Scholl said.&lt;/p&gt;

&lt;p&gt;The Watson system is great at assigning scores for vulnerabilities where there&amp;rsquo;s a long paper trail of human-assigned scores for highly similar vulnerabilities. In those cases, the Watson score will be within the small range of variance between what two different human analysts would assign, say 7.2 versus 7.3 on a 10-point scale, Scholl said.&lt;/p&gt;

&lt;p&gt;When the vulnerability is new and complex or highly novel, like the Spectre vulnerability discovered in 2017, Watson fares far worse, Scholl said. In those cases, a human analyst will take over.&lt;/p&gt;

&lt;p&gt;The Watson system releases a confidence percentage for each CVSS score and if that confidence percentage is beneath the high 90s, a human analyst will review and edit the results, Scholl said.&lt;/p&gt;

&lt;p&gt;Right now, the Watson system is only being used as an in-house experiment. NIST&amp;rsquo;s goal is to use it for most public CVSS scores later this year.&lt;/p&gt;

&lt;p&gt;Before the Watson scoring system goes live, the NIST chief information officer needs to ensure the program is securely integrated with other NIST systems and is able to consistently handle the workload, Scholl said.&lt;/p&gt;

&lt;p&gt;Scholl&amp;rsquo;s division is also looking for other areas of NIST that might be interested in using Watson technology so the institute can save money on licenses, he said.&lt;/p&gt;

&lt;p&gt;The U.S. government has funded the CVE database since its inception in 1999 and manages it through a master contract with the federally-funded research center MITRE. Numerous organizations, however, now have independent authority to list new vulnerabilities in the database.&lt;/p&gt;

&lt;p&gt;House Energy and Commerce Committee leaders &lt;a href="https://www.nextgov.com/cybersecurity/2018/08/lawmakers-want-cyber-vulnerabilities-register-improved/150882/"&gt;complained&lt;/a&gt; in a recent letter to Homeland Security Department officials that the CVE program is unwieldy, inadequately funded and needs more oversight.&lt;/p&gt;

&lt;p&gt;The letter came after reports that security researchers were waiting weeks or even months for vulnerabilities they found to be entered in the database, giving nefarious hackers more time to exploit those vulnerabilities to compromise computers and steal data.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>New DHS Cyber Center Meets with Industry to ID Most Valuable Assets</title><link>https://www.nextgov.com/cybersecurity/2018/11/new-dhs-cyber-center-meets-industry-id-most-valuable-assets/152512/</link><description>DHS officials met Thursday with officials from the communications, electricity and finance sectors.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Fri, 02 Nov 2018 09:00:00 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/11/new-dhs-cyber-center-meets-industry-id-most-valuable-assets/152512/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;Officials from the Homeland Security Department&amp;rsquo;s new long-range cyber planning division met Thursday with cyber leaders from three key industry sectors to learn how they go about identifying their digital crown jewels that require the highest levels of protection.&lt;/p&gt;

&lt;p&gt;The meeting with officials from the communications, electricity and finance sectors will be followed by meetings with the other 13&lt;a href="https://www.dhs.gov/critical-infrastructure-sectors"&gt; critical infrastructure sectors&lt;/a&gt; in coming weeks, Mark Kneidinger, deputy director of Homeland Security&amp;rsquo;s&lt;a href="https://www.nextgov.com/cybersecurity/2018/07/dhs-stands-new-cyber-risk-center-protect-high-value-targets/150179/"&gt; National Risk Management Center&lt;/a&gt;, told reporters after speaking before a Commerce Department advisory board.&lt;/p&gt;

&lt;p&gt;Based on those meetings, risk management center officials will work with industry on future steps for how to both identify and protect the nation&amp;rsquo;s most vital digital assets, Kneidinger said.&lt;/p&gt;

&lt;p&gt;The effort is part of a broader government effort to shift from protecting all digital systems equally to applying extra protections to systems that hold more important information or that are more likely to be targeted by cyber criminals or nation-state adversaries.&lt;/p&gt;

&lt;p&gt;The high-value assets project is one of several &amp;ldquo;sprints&amp;rdquo; the risk management center has launched since it was announced by Homeland Security Secretary Kirstjen Nielsen during a cyber conference in July, Kneidinger said.&lt;/p&gt;

&lt;p&gt;Other sprints focus on securing industry supply chains and securing oil and natural gas pipelines, among other topics, he said.&lt;/p&gt;

&lt;p&gt;More details about the center&amp;rsquo;s work will be announced at a U.S. Chamber of Commerce cybersecurity conference Nov. 16, he said.&lt;/p&gt;

&lt;p&gt;Homeland Security officials have described the risk management center as focused on longer-range cyber priorities and broader cyber strategy. That&amp;rsquo;s in contrast to the department&amp;rsquo;s operational cyber wing, the National Cybersecurity and Communications Integration Center, or NCCIC, which deals in fast-paced cyber operations, such as responding to cyber incidents, and is necessarily shorter term in its thinking.&lt;/p&gt;

&lt;p&gt;The risk management center is currently staffed with about 115 employees from Homeland Security&amp;rsquo;s Office of Cyber and Infrastructure Analysis plus about 40 detailees from elsewhere in Homeland Security, Kneidinger said. The center may add additional staff based on expertise gaps that it identifies once more programs are up and running, he said.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Supply Chain Group Aims to Reduce Counterfeits in Federal Systems</title><link>https://www.nextgov.com/cybersecurity/2018/11/supply-chain-group-aims-reduce-counterfeits-federal-systems/152514/</link><description>The proposed acquisition rule will require only original manufacturers or vetted resellers supply some components.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Thu, 01 Nov 2018 17:42:06 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/11/supply-chain-group-aims-reduce-counterfeits-federal-systems/152514/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;A government and industry task force that will meet for the first time this month and is charged with improving U.S. information and communications technology supply chains will focus on three main workstreams, a Homeland Security Department cyber official said Thursday.&lt;/p&gt;

&lt;p&gt;The first stream will focus on developing a recommended update to federal acquisition rules, said Emile Monette, who leads Homeland Security&amp;rsquo;s supply chain risk management efforts and is the task force&amp;rsquo;s government co-chair.&lt;/p&gt;

&lt;p&gt;The new rule will likely require that components of certain sensitive technology systems are only supplied by the original manufacturer or by an approved reseller, Monette told a Commerce Department advisory board.&lt;/p&gt;

&lt;p&gt;The broader goal is to ensure that counterfeit and gray market components that might carry shoddy or malicious software don&amp;rsquo;t make their way into federal networks, he said.&lt;/p&gt;

&lt;p&gt;The two thorniest parts of the process will likely be defining which systems the new rules should apply to and defining what counts as an authorized reseller, he said.&lt;/p&gt;

&lt;p&gt;In some cases, manufacturers do intensive vetting of their authorized resellers, but, in other cases, the process is more ad hoc, he said.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;Some of them are just: Did you sell 500 units last month? Now you&amp;rsquo;re a gold star reseller,&amp;rdquo; Monette said.&lt;/p&gt;

&lt;p&gt;The second workstream will focus on developing criteria for how companies and other organizations can vet possible vulnerabilities in the software and hardware they&amp;rsquo;re buying, Monette said. The third one will focus on how federal agencies and companies can develop lists of approved products, he said.&lt;/p&gt;

&lt;p&gt;The&lt;a href="https://www.nextgov.com/cybersecurity/2018/10/cyber-supply-chain-task-force-meet-soon/152429/"&gt; task force&lt;/a&gt;, which is being overseen by Homeland Security&amp;rsquo;s new&lt;a href="https://www.nextgov.com/cybersecurity/2018/07/dhs-stands-new-cyber-risk-center-protect-high-value-targets/150179/"&gt; National Risk Management Center&lt;/a&gt;, is part of a broader government supply chain cybersecurity effort.&lt;/p&gt;

&lt;p&gt;The National Security Council is also examining the issue and the Homeland Security Department is partnering with the General Services Administration on an effort to include cybersecurity vetting earlier in the government buying process.&lt;/p&gt;

&lt;p&gt;The task force will include 60 total members, Monette told reporters after his presentation, 20 each from the information technology sector, the communications sector and government.&lt;/p&gt;

&lt;p&gt;The task force&amp;rsquo;s executive committee, which will meet before the full committee, will include about half as many members, Monette said.&lt;/p&gt;

&lt;p&gt;The large size of the task force may become unwieldy, he said, but was necessitated by the breadth of stakeholders in the issue. Homeland Security intends for members to all do significant research and other work between meetings to advance task force goals, he said.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;The table stakes for being a member is you&amp;rsquo;re going to do work,&amp;rdquo; he said. &amp;ldquo;It&amp;rsquo;s not come here and just go to meetings.&amp;rdquo;&lt;/p&gt;

&lt;p&gt;The ultimate goal, Monette said, is for government and other organizations to put more effort toward vetting what goes into their networks so they can spend less money protecting and defending those networks later on.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;The total cost of ownership will be reduced,&amp;rdquo; he said. &amp;ldquo;It&amp;rsquo;s one place where an ounce of prevention is worth a pound of cure.&amp;rdquo;&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>FDIC Still Isn’t Protecting Its Sensitive Information, Audit Finds</title><link>https://www.nextgov.com/cybersecurity/2018/10/fdic-still-isnt-protecting-its-sensitive-information-audit-finds/152465/</link><description>The agency isn’t patching vulnerabilities quickly enough or fixing longstanding information security weaknesses.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Wed, 31 Oct 2018 15:01:22 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/10/fdic-still-isnt-protecting-its-sensitive-information-audit-finds/152465/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;The agency responsible for insuring U.S. bank accounts still isn&amp;rsquo;t meeting federal information security requirements, according to the unclassified summary of an inspector general&amp;rsquo;s report released Wednesday.&lt;/p&gt;

&lt;p&gt;The Federal Deposit Insurance Corporation, or FDIC, failed to patch software vulnerabilities within its own timeframe and failed to fix known and longstanding weaknesses in its cybersecurity policies and procedures, the inspectors found.&lt;/p&gt;

&lt;p&gt;Those weaknesses &amp;ldquo;limited the effectiveness of the FDIC&amp;rsquo;s information security program and practices and placed the confidentiality, integrity, and availability of the FDIC&amp;rsquo;s information systems and data at risk,&amp;rdquo; according to the report.&lt;/p&gt;

&lt;p&gt;The inspectors gave FDIC an information security score of 3 points on a 5-point government scale. That means security controls are &amp;ldquo;consistently implemented&amp;rdquo; but not truly effective. Some portions of FDIC&amp;rsquo;s information security program earned only 1 or 2 points.&lt;/p&gt;

&lt;p&gt;Most weaknesses uncovered in the inspector general&amp;rsquo;s audit are classified because an adversary might use them to compromise FDIC systems.&lt;/p&gt;

&lt;p&gt;The unclassified summary describes instances in which contractors who were supposed to test that FDIC security controls worked effectively in the field instead merely relied on descriptions of those controls and FDIC managers&amp;rsquo; assurances that they were in place.&lt;/p&gt;

&lt;p&gt;The report also dinged FDIC for not effectively determining which of its digital systems and data are highest value and highest risk. Without that determination, &amp;ldquo;FDIC cannot be sure that it is effectively prioritizing resources toward addressing risks with the most significant potential impact on achieving strategic objectives,&amp;rdquo; the report found.&lt;/p&gt;

&lt;p&gt;A separate&lt;a href="https://www.nextgov.com/cio-briefing/2018/04/lawmakers-want-answers-fdic-data-breaches-and-stingrays/147630/"&gt; inspector general report&lt;/a&gt; and congressional letter in April found FDIC misled congressional overseers about eight separate information security lapses during 2015 and 2016.&lt;/p&gt;

&lt;p&gt;Those lapses all resulted from FDIC employees who left the organization and took sensitive information with them about citizens or financial institutions. In total, the lapses affected more than 10,000 individuals or records, the report states.&lt;/p&gt;

&lt;p&gt;A 2017&lt;a href="https://www.nextgov.com/cybersecurity/2017/06/banking-insurance-agency-weak-cybersecurity/138329/"&gt; Government Accountability Office report&lt;/a&gt; found FDIC wasn&amp;rsquo;t sufficiently vetting that employees were who they said they were before allowing them to access sensitive files. The agency also wasn&amp;rsquo;t effectively encrypting user connections to certain sensitive systems, the auditor found.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>After Midterm Elections, a Focus on Securing Campaigns</title><link>https://www.nextgov.com/cybersecurity/2018/10/after-midterm-elections-focus-securing-campaigns/152437/</link><description>The Homeland Security Department hopes campaigns can cooperate on cybersecurity rather than compete.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Tue, 30 Oct 2018 17:38:33 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/10/after-midterm-elections-focus-securing-campaigns/152437/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;The Homeland Security Department and a cybersecurity non-profit plan to ramp up efforts to share cyber threat information and best practices with political campaigns after the midterm elections conclude next week.&lt;/p&gt;

&lt;p&gt;The Center for Internet Security, or CIS, which manages a cyber threat information sharing program between the federal and state and local governments, hopes to begin offering similar services to political campaigns, the organization&amp;rsquo;s executive chairman John Gilligan told reporters Tuesday.&lt;/p&gt;

&lt;p&gt;CIS reached out to campaigns about the idea in recent months but found they were too busy to launch a new program so late in the election cycle, Gilligan said after a panel discussion about election security hosted by the Center for Strategic and International Studies.&lt;/p&gt;

&lt;p&gt;CIS hopes that the comparatively slower pace of 2019 will allow it to get the program off the ground, Gilligan said. He described the plan as &amp;ldquo;informal&amp;rdquo; at this point, but said he hopes it will be well established before the presidential and congressional elections in 2020.&lt;/p&gt;

&lt;p&gt;Campaigns could significantly benefit from the program because they typically operate on shoestring budgets, especially early in a race, and aren&amp;rsquo;t able to hire cyber experts, Gilligan said. The long run up to 2020 will give CIS and the campaign organizations time to build trust, he said.&lt;/p&gt;

&lt;p&gt;The goal would be to run the program at almost no cost by simply piggybacking off of state and local cyber threat information sharing that CIS is already doing. The program would only deal with unclassified threat information, Gilligan said.&lt;/p&gt;

&lt;p&gt;The Homeland Security Department, which is leading election security work for the federal government, also hopes to establish better ties with campaigns between 2018 and 2020, said Bob Kolasky, who leads the department&amp;rsquo;s National Cyber Risk Management Center.&lt;/p&gt;

&lt;p&gt;Homeland Security has vastly improved cyber information sharing and threat detection with state and local election administrators since Russian efforts to undermine the 2016 elections. That effort was spurred by a late Obama administration decision to define election systems as critical infrastructure, similar to airports, banks and hospitals.&lt;/p&gt;

&lt;p&gt;The department has met with the Republican and Democratic national committees but is not broadly sharing threat data with House and Senate campaigns.&lt;/p&gt;

&lt;p&gt;Hackers linked to the Russian government penetrated Democratic nominee Hillary Clinton&amp;rsquo;s campaign in 2016 and released the stolen data to WikiLeaks, according to indictments from Special Counsel Robert Mueller.&lt;/p&gt;

&lt;p&gt;Chinese hackers also reportedly penetrated both the Obama and McCain campaigns in 2008.&lt;/p&gt;

&lt;p&gt;Ultimately, Kolasky said, he hopes Democratic and Republican campaigns can cooperate on cybersecurity similar to how companies in critical infrastructure sectors do.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;How do we cordon off the security imperative from the political imperative?&amp;rdquo; he asked. &amp;ldquo;I&amp;rsquo;d like to get to a point where campaigns work together on security, work with the government and don&amp;rsquo;t compete on security.&amp;rdquo;&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Cyber Supply Chain Task Force to Meet Soon</title><link>https://www.nextgov.com/cybersecurity/2018/10/cyber-supply-chain-task-force-meet-soon/152429/</link><description>The task force will be managed by Homeland Security Department’s new long-range cyber planning organization.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Tue, 30 Oct 2018 16:21:38 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/10/cyber-supply-chain-task-force-meet-soon/152429/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;A task force focused on reducing cybersecurity risks in the nation&amp;rsquo;s technology and communications supply chain will meet for the first time in the next few weeks, the Homeland Security Department announced Tuesday.&lt;/p&gt;

&lt;p&gt;Homeland Security Secretary Kirstjen Nielsen announced the task force&amp;rsquo;s creation during a cyber conference in New York in July during which she &lt;a href="https://www.nextgov.com/cybersecurity/2018/07/dhs-stands-new-cyber-risk-center-protect-high-value-targets/150179/"&gt;also announced&lt;/a&gt; the creation of a new Homeland Security division, the National Cyber Risk Management Center, focused on long-range cyber issues.&lt;/p&gt;

&lt;p&gt;The task force will be chaired by private sector leaders but will be sponsored by the risk management center, according to a Homeland Security news release.&lt;/p&gt;

&lt;p&gt;The task force will focus on government and industry supply chains and criminal and nation-state hacker efforts to compromise contractors and subcontractors deep within those supply chains, the department said.&lt;/p&gt;

&lt;p&gt;This is the first major deliverable from the risk management center, which is focused on several efforts, including identifying the nation&amp;rsquo;s highest value digital assets so they can be better protected from cyberattacks and improving long-term election cybersecurity.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;The nature of supply chain threats, because they can encompass a product&amp;rsquo;s entire life cycle and often involve hardware, make them particularly challenging to defend against,&amp;rdquo; Homeland Security&amp;rsquo;s top cybersecurity and infrastructure security official Chris Krebs said in a statement.&lt;/p&gt;

&lt;p&gt;The task force will focus on &amp;ldquo;holistic solutions across a broad set of stakeholders to develop near- and long-term strategies to address supply chain risks,&amp;rdquo; Krebs added.&lt;/p&gt;

&lt;p&gt;The task force will be co-chaired by Robert Mayer, senior vice president for cybersecurity at the industry association US Telecom, which counts AT&amp;amp;T and Verizon among its members, and John Miller, vice president for policy and law at ITI, a tech industry association that represents Microsoft, Oracle and Twitter among others.&lt;/p&gt;

&lt;p&gt;Homeland Security will release a full membership list and a roster of focus areas after the task force&amp;rsquo;s initial meeting.&lt;/p&gt;

&lt;p&gt;An earlier &lt;a href="https://www.dhs.gov/sites/default/files/publications/18_0731_cyber-summit-supply-chain-fact-sheet.pdf"&gt;information sheet&lt;/a&gt; said the task force will include industry and government members and will &amp;ldquo;develop consensus recommendations for action to address key strategic challenges to identifying and managing risk associated with the global [information and communications technology] supply chain and related third-party risk.&amp;rdquo;&lt;/p&gt;

&lt;p&gt;Industry members will represent the energy, financial services and defense industrial base sectors among others, the fact sheet states.&lt;/p&gt;

&lt;p&gt;Homeland Security is &lt;a href="https://www.nextgov.com/cybersecurity/2018/02/dhs-scrutinize-government-supply-chain-cyber-risks/145998/"&gt;also working on&lt;/a&gt; a shorter-range effort to improve the government&amp;rsquo;s cybersecurity supply chain by addressing cybersecurity earlier in the contracting process.&lt;/p&gt;

&lt;p&gt;Congress is mulling proposals that would expand Homeland Security&amp;rsquo;s ability to bar suppliers from civilian government contracts if they pose cybersecurity or national security risks. Congress earlier imposed governmentwide bans on the Russian anti-virus company Kaspersky Lab and the Chinese telecoms Huawei and ZTE, arguing their products could be used as spying tools by U.S. adversaries or infected to sabotage U.S. government operations.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Americans Trust Government More than Tech Companies to Combat Election Influence Ops</title><link>https://www.nextgov.com/cybersecurity/2018/10/americans-trust-government-more-tech-companies-combat-election-influence-ops/152401/</link><description>A survey found that U.S. adults think it’s highly likely some nation will try to interfere in the midterms and aren’t confident government or industry can stop it.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Mon, 29 Oct 2018 17:46:30 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/10/americans-trust-government-more-tech-companies-combat-election-influence-ops/152401/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;U.S. adults are skeptical that government is prepared to protect the 2018 midterm elections against foreign hackers, but they&amp;rsquo;re even less confident that technology companies will prevent their tools from being misused to influence the election, a survey found.&lt;/p&gt;

&lt;p&gt;One-third of U.S. adults are very or somewhat confident that tech companies will protect their tools from being used in election influence operations, according to the &lt;a href="http://www.people-press.org/2018/10/29/election-security/"&gt;Pew Research Center survey&lt;/a&gt; released Monday.&lt;/p&gt;

&lt;p&gt;That&amp;rsquo;s compared with 55 percent of U.S. adults who are very or somewhat confident the government is making serious efforts to protect election systems from hacking and other digital threats.&lt;/p&gt;

&lt;p&gt;About two-thirds of American adults think it&amp;rsquo;s likely Russia or another U.S. adversary will attempt to manipulate the 2018 midterm elections, but there&amp;rsquo;s a big partisan split over how concerned they are about that meddling, Pew found.&lt;/p&gt;

&lt;p&gt;Within the subset of survey respondents who consider election interference likely, 83 percent of Democrats and those who lean Democratic consider it a &amp;ldquo;major issue&amp;rdquo; compared with only 47 percent of Republicans and those who lean Republican, the survey found.&lt;/p&gt;

&lt;p&gt;Republicans in the survey also expressed more confidence than Democrats that U.S. election systems are secure against hackers, but the division wasn&amp;rsquo;t as pronounced.&lt;/p&gt;

&lt;p&gt;Among Republicans and those who lean Republican, 59 percent were very or somewhat confident that U.S. election systems are secure compared with 34 percent of Democrats and those who lean Democratic.&lt;/p&gt;

&lt;p&gt;There was also a partisan gap in respondents&amp;rsquo; confidence that U.S. officials are making &amp;ldquo;serious efforts&amp;rdquo; to protect election systems from hacking and other digital threats. About 72 percent of Republicans and Republican leaners expressed confidence compared with 43 percent of Democrats.&lt;/p&gt;

&lt;p&gt;Voters overall were more confident that election systems in their state were protected against hackers with 75 percent of Republicans and Republican leaners and 60 percent of Democrats and Democratic leaners expressing confidence.&lt;/p&gt;

&lt;p&gt;Democrats living in states where Republicans control all elected branches of government expressed the lowest confidence in election security. Among that group, 55 percent said they were confident about election security but only 9 percent were very confident.&lt;/p&gt;

&lt;p&gt;The survey was based on responses from 10,683 U.S. adults who are part of a pre-selected random sample that Pew calls the American Trends panel.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>White House Sets Deadlines for Agencies to Protect Their Digital Crown Jewels</title><link>https://www.nextgov.com/cybersecurity/2018/10/white-house-sets-deadlines-agencies-protect-their-digital-crown-jewels/152352/</link><description>The new guidance also requires agencies to justify buying cyber monitoring tools that aren’t vetted by Homeland Security.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Fri, 26 Oct 2018 15:43:40 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/10/white-house-sets-deadlines-agencies-protect-their-digital-crown-jewels/152352/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;The Homeland Security Department has until April next year to develop a tool that maps lapses in federal agencies&amp;rsquo; cybersecurity capabilities, and until October to help agencies assess their ability to protect their highest value digital assets, according to White House guidance released Thursday.&lt;/p&gt;

&lt;p&gt;Homeland Security has until the end of 2019 to be up and running with a governmentwide cybersecurity program that allocates resources based on the risks facing particular systems and puts special emphasis on high-value assets, according to the &lt;a href="https://www.whitehouse.gov/wp-content/uploads/2018/10/M-19-02.pdf"&gt;guidance&lt;/a&gt; from the White House&amp;rsquo;s Office of Management and Budget.&lt;/p&gt;

&lt;p&gt;The term &amp;lsquo;high-value assets&amp;rsquo; generally refers to hardware and software systems that contain classified or sensitive information or citizens&amp;rsquo; or employees&amp;rsquo; personal information.&lt;/p&gt;

&lt;p&gt;Homeland Security is trying to refocus its cyber operations from protecting all assets equally to putting special emphasis on protecting systems and information that would cause the most damage if they were compromised or present the greatest value to U.S. adversaries.&lt;/p&gt;

&lt;p&gt;The Office of Management and Budget guidance follows a &lt;a href="https://www.nextgov.com/cybersecurity/2018/05/white-house-federal-agencies-remain-highly-vulnerable-data-breaches-three-years-after-opm/148558/"&gt;May report&lt;/a&gt;, which found that roughly three-quarters of federal agencies&amp;rsquo; cybersecurity programs were &amp;ldquo;at risk&amp;rdquo; or &amp;ldquo;at high risk&amp;rdquo; of a breach. The report also found that many agencies didn&amp;rsquo;t know how hackers were targeting them and wouldn&amp;rsquo;t necessarily notice if hackers compromised large amounts of their data.&lt;/p&gt;

&lt;p&gt;The report itself was called for in a 2017 executive order from President Donald Trump.&lt;/p&gt;

&lt;p&gt;Thursday&amp;rsquo;s guidance includes additional deadlines for an action plan that was included in the May report.&lt;/p&gt;

&lt;p&gt;The guidance requires agencies to submit a plan to mature their cybersecurity operations by April. That plan must include a timeline for how to achieve the mature state and the funding necessary to get there.&lt;/p&gt;

&lt;p&gt;By September&amp;nbsp;2020, agencies must submit a plan for how to either mature and consolidate their security operations centers, known as SOCs, or to outsource those operations elsewhere, which the report calls SOC as a service.&lt;/p&gt;

&lt;p&gt;The Office of Management and Budget guidance is issued each year and focuses broadly on agencies&amp;rsquo; cybersecurity and privacy responsibilities under the Federal Information Security Management Act. Thursday&amp;rsquo;s guidance is six pages longer than the previous year&amp;rsquo;s report with those additional pages focused mainly on the new action items and deadlines.&lt;/p&gt;

&lt;p&gt;The guidance also expresses White House approval for Homeland Security&amp;rsquo;s Continuous Diagnostics and Mitigation program, or CDM, which offers suites of pre-vetted cybersecurity tools to federal agencies.&lt;/p&gt;

&lt;p&gt;In the future, agencies that want to buy continuous cyber monitoring tools that are not authorized parts of the CDM program&amp;nbsp;must first send memos justifying their decisions to the Homeland Security office that manages CDM and to the federal chief information officer, the guidance states.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>It’s Time to Organize Volunteer Hackers, Think Tank Says</title><link>https://www.nextgov.com/cybersecurity/2018/10/its-time-organize-volunteer-hackers-think-tank-says/152310/</link><description>The Civilian Cyber Corps would be modeled on the Civil Air Patrol and volunteer firefighters.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Thu, 25 Oct 2018 15:51:40 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/10/its-time-organize-volunteer-hackers-think-tank-says/152310/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;The government should supplement its cadre of cyber professionals with a nationwide network of civilian volunteers who could help respond during digital attacks, according to a proposal released Wednesday.&lt;/p&gt;

&lt;p&gt;During the massive ransomware attack that hit Atlanta earlier this year, for example, a pre-vetted group of civilian cyber volunteers could have taken care of the many low-sensitivity tasks necessary to get city services up and running again, freeing up city IT staff for higher value work, according to the &lt;a href="https://www.newamerica.org/cybersecurity-initiative/reports/need-c3/"&gt;proposal&lt;/a&gt; from Natasha Cohen and Peter Singer with the New America think tank.&lt;/p&gt;

&lt;p&gt;The Civilian Cyber Corps could also help with education, training and penetration testing at rural school districts and hospitals and other places that might otherwise not receive those services, the proposal states.&lt;/p&gt;

&lt;p&gt;The program that Cohen and Singer suggest would be modeled on the Civil Air Patrol, which patrolled for German submarines during World War II and now assists with search and rescue missions. Other models are volunteer firefighter organizations and the Michigan Cyber Civilian Corps, which has about 100 members but has not been fully activated.&lt;/p&gt;

&lt;p&gt;Because the corps would be comprised of unpaid volunteers, Singer and Cohen estimate a congressional appropriation of just $50 million would be sufficient to build a 25,000-member corps spread across all 50 states. The Civil Air Patrol, the writers note, received just $43 million in federal funding during the most recent fiscal year.&lt;/p&gt;

&lt;p&gt;The program would be managed by the Homeland Security Department, which is the lead agency for civilian government cybersecurity, but local divisions would also have relationships and written agreements with state governments.&lt;/p&gt;

&lt;p&gt;That national system will make it easier to tackle some administrative issues, such as ensuring volunteers are legally protected during emergency response operations, as opposed to expecting each state to stand up its own civilian cyber corps, the authors write.&lt;/p&gt;

&lt;p&gt;A national system would also make it easier to deliver federal funds to the program and save costs through economies of scale, the report states.&lt;/p&gt;

&lt;p&gt;Local offices, however, would have to be designed around the unique needs of states and localities, the report states.&lt;/p&gt;

&lt;p&gt;The authors also oppose models that place volunteer cyber teams under state defense organizations or National Guard units because that would give a military cast to cyber operations that are generally wholly civilian and might limit the applicant pool.&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>DHS Report Urges Research into Cyber Market Failures</title><link>https://www.nextgov.com/cybersecurity/2018/10/dhs-report-urges-research-cyber-market-failures/152303/</link><description>The research road map urges examining the long-term effects of laws, regulations and supply chain vulnerabilities.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Marks</dc:creator><pubDate>Thu, 25 Oct 2018 12:17:22 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2018/10/dhs-report-urges-research-cyber-market-failures/152303/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;Government and industry should focus their cyber research efforts on how to better hold component manufacturers responsible for cybersecurity lapses that could endanger vast amounts of data across entire supply chains, according to a research roadmap released Tuesday.&lt;/p&gt;

&lt;p&gt;That research should focus on topics including how current product liability laws could be adjusted to make component manufacturers more responsible for security lapses and how key stakeholders in a product&amp;rsquo;s supply chain could be made to bear the cost of insecurity, according to the &lt;a href="https://www.dhs.gov/sites/default/files/publications/3950_CYRIE_Report_FINAL508.pdf"&gt;report&lt;/a&gt; from the Homeland Security Department&amp;rsquo;s Cyber Risk Economics program.&lt;/p&gt;

&lt;p&gt;Researchers should also focus on ways to improve transparency about cybersecurity for consumers, the report states.&lt;/p&gt;

&lt;p&gt;The report doesn&amp;rsquo;t describe current government research efforts but is essentially a research game plan for public and private organizations that want to reduce economic, legal and bureaucratic barriers to improving the nation&amp;rsquo;s cybersecurity.&lt;/p&gt;

&lt;p&gt;Other main research topics include how legal regimes and regulations affect cybersecurity and barriers to creating broad cyber insurance markets, which many analysts believe will be crucial to imposing standard cyber requirements across industry.&lt;/p&gt;

&lt;p&gt;Regulation-focused research topics include how government can write rules that are flexible enough to not become outdated as technology adapts and an analysis of when government&amp;rsquo;s better off facilitating industry-driven cyber standards rather than top-down regulation.&lt;/p&gt;

&lt;p&gt;Researchers should also examine possible second and third order consequences of government regulation and other interventions in the market to help policymakers contemplate whether those interventions will be worthwhile in the long run, the report states.&lt;/p&gt;

&lt;p&gt;The report recommends developing a cybersecurity equivalent to the &amp;ldquo;stress tests&amp;rdquo; that government performed on banks during the 2008 financial crisis to determine whether they were resilient enough to survive similar crises in the future.&lt;/p&gt;
]]&gt;</content:encoded></item></channel></rss>